Re: Different credentials for remote registry/SCM access

From: "Skywing [MVP]" <skywing_NO_SPAM_@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 26 Oct 2006 13:57:06 -0400

Yes. Use LogonUser(..LOGON32_LOGON_NEW_CREDENTIALS..). This hands back a
token that has the same local identity but uses different default
credentials for network access.

This is the same trick that starting a program with `runas /netonly' will
do. If you just need for example a command prompt that you can start
RegEdit from, that will use different credentials for remote access, then
you should be able to use runas.exe without having to write any code.

--
Ken Johnson (Skywing)
Windows SDK MVP
http://www.nynaeve.net

"SteveS" <SteveSpencer@xxxxxxxxxxxxxxxxx> wrote in message
news:892DE149-1FD6-406D-8820-E7A9AC2C42C7@xxxxxxxxxxxxxxxx

Most of our users, not surprisingly, do not log on as users with Domain or
Local Administrator privileges. Occasionally, we have a need to stop and
restart a service remotely, or to reconfigure something like a DCOM
setting,
such as a remote machine name.

If the current user were logged in as either the remote machine
Administrator or a domain admit, there's no issue. We use custom written
EXEs
to do this, since it restricts the damage that can be done with REGEDIT or
SC
:)

Given that a user knows the name and password of a sufficiently privileged
account, is there a way to programmatically say 'use these credentials'
when
using RegConnectRegistry or OpenSCManager?

If possible, we don't want to use RUNAS to start the apps.
--
Steve S

Prev by Date: CryptAcquireContext not working
Next by Date: Re: LogOnUser with Smart Card Credentials
Previous by thread: RE: Different credentials for remote registry/SCM access
Next by thread: Re: NTFS and File Streams
Index(es):
- Date
- Thread

Relevant Pages

Re: How do you wintrolls...
... you have set up your user account on each computer. ... To people with that user's credentials, ... Automatically trying to log into a remote machine with the local ... username and password doesn't make a lot of sense on a home network. ...
(comp.sys.mac.advocacy)
Re: netlogon service and LogonUser() API function
... Depending on the interfaces being used to connect to the remote machine, this could mean different mechanisms for authentication. ... Depending on the security context you start from and what OS you could use CreateProcessWithLogonW to establish a set of network credentials to connect to remote machines. ... "administrator tasks" in multiple computers that are part of multiple ...
(microsoft.public.win32.programmer.kernel)
Re: NTService cant access a share (set to everyone)
... shares without providing any credentials. ... to "Network access: Shares that can be accessed anonymously " ... Give it a reboot to make sure the policy takes effect (you should be able to ...
(microsoft.public.windowsxp.security_admin)
RE: Executing a script with administrative rights in a user enviroment
... So you can fire any program you need with the "administrator" credentials. ... Check the "CreateProcess" method in WMI. ... Everything as if you were ON the remote machine. ... you can write the encrypted password in you script using lsrunase. ...
(microsoft.public.windows.server.scripting)
Re: Remoting
... of authentication to provide appropriate credentials to the remote server. ... You need software on the remote machine that the remoting client can talk to ... > the process and thread account will be the interactive or logged on user ...
(microsoft.public.dotnet.security)