Re: Unable to assign SeTcbPrivilege (SE_TCB_NAME)!?!?

From: David Dickinson [MVP] (eis@no-spam.softhome.net)
Date: 06/19/02


From: "David Dickinson [MVP]" <eis@no-spam.softhome.net>
Date: Tue, 18 Jun 2002 19:18:49 -0600


Colin Reinhardt wrote:
> (on Win2000 Server SP1)
> I'm making a call to LogonUser and it fails with error 1314 "A
> required privilege is not held by the client"...
> this is where the fun begins...
>
> From some research, it seems the process token making the call to
> LogonUser needs to have the right:
> "Act as part of the operating system" aka SeTcbPrivilege aka
> SE_TCB_NAME...
>
> So, I go into Administrative Tools\Local Security Policy\Local
> Policies\User Rights Assignment
> and here I select the "Act as part of the operating system" policy
> and I add my local user account: TestUser, who is a member of the
> local administrators account.

I don't understand: By what means are you "making a call to LogonUser"?
For what reason? How? Why? There may be a better way to do what you want
than by making a human being's user account capable of acting as part of the
operating system. For instance, if you are implementing a new service, it
might work to have it log on as Local System.

> When I apply this policy setting, in the right window pane of the
> Local Security Settings tool I see three columns listed:
> Policy, Local Setting, Effective Setting
> and for these columns I see
> "Act as part of the operating system", TestServer\TestUser,
>
> in other words, the Effective Setting is none. Why is this??

After you have applied a policy, it takes a while for it to become effective
under normal circumstances. However, if you close the mmc snap-in and open
it right away again, you should see the entry under the "Effective Setting"
column show the correct value.

However, is this server subject to a Domain Controller or Domain policy? If
so then changing the Local Policy may have no effect.

> Now when I log in as TestUser and check the effective token
> privileges with GetTokenInformation( )
> I see that my process token still does not have the desired privilege
> (SeTcbPrivilege)!!!

This indicates that allowing the user to act as part of the operating system
is not the correct method.

> How can I assign this privilege correctly so I can call LogonUser to
> impersonate on a thread???
> thank you much,

Can you provide more information about what you are trying to do?

--
David Dickinson, MVP (Security)
EveningStar Information Services
Las Cruces, NM USA
Summary of Microsoft Security Bulletins
http://www.zianet.com/bwd/securitybulletins.asp
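The check Colin describes, reading the process token's privileges with GetTokenInformation(TokenPrivileges) and looking for SeTcbPrivilege, as an added PowerShell example that is not part of the original thread. The P/Invoke wrapper class `TokenNative` and the function `Get-TokenPrivileges` are names chosen here; the Win32 calls, structure layout and attribute flags are the documented ones.

```powershell
# Added example: list the current process token's privileges and report whether
# SeTcbPrivilege is present. TokenNative / Get-TokenPrivileges are names chosen here.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class TokenNative {
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public int LowPart; public int HighPart; }
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError=true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, uint len, out uint needed);
    [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
    public static extern bool LookupPrivilegeName(string sys, ref LUID luid, StringBuilder name, ref uint cch);
}
"@

function Get-TokenPrivileges {
    $TOKEN_QUERY = 0x0008; $TokenPrivileges = 3   # TOKEN_INFORMATION_CLASS::TokenPrivileges
    $token = [IntPtr]::Zero
    if (-not [TokenNative]::OpenProcessToken([TokenNative]::GetCurrentProcess(), $TOKEN_QUERY, [ref]$token)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $needed = [uint32]0
        # First call with a null buffer only reports the required size.
        [void][TokenNative]::GetTokenInformation($token, $TokenPrivileges, [IntPtr]::Zero, 0, [ref]$needed)
        $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$needed)
        try {
            if (-not [TokenNative]::GetTokenInformation($token, $TokenPrivileges, $buf, $needed, [ref]$needed)) {
                throw "GetTokenInformation failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
            }
            # TOKEN_PRIVILEGES = DWORD PrivilegeCount followed by LUID_AND_ATTRIBUTES[] (12 bytes each)
            $count = [Runtime.InteropServices.Marshal]::ReadInt32($buf)
            for ($i = 0; $i -lt $count; $i++) {
                $off  = 4 + 12 * $i
                $luid = New-Object TokenNative+LUID
                $luid.LowPart  = [Runtime.InteropServices.Marshal]::ReadInt32($buf, $off)
                $luid.HighPart = [Runtime.InteropServices.Marshal]::ReadInt32($buf, $off + 4)
                $attrs = [Runtime.InteropServices.Marshal]::ReadInt32($buf, $off + 8)
                $name = New-Object System.Text.StringBuilder 256; $cch = [uint32]256
                [void][TokenNative]::LookupPrivilegeName($null, [ref]$luid, $name, [ref]$cch)
                [pscustomobject]@{ Name = $name.ToString(); Enabled = (($attrs -band 2) -ne 0) }  # SE_PRIVILEGE_ENABLED
            }
        } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
    } finally { [void][TokenNative]::CloseHandle($token) }
}

$tcb = Get-TokenPrivileges | Where-Object { $_.Name -eq 'SeTcbPrivilege' }
if ($tcb) { "SeTcbPrivilege present, enabled=$($tcb.Enabled)" }
else { "SeTcbPrivilege absent: the right was not in the token when this logon session was created" }
```

Privileges are copied into the token at logon, so a right added under User Rights Assignment only shows up in a token created after the account logs off and on again, and only if no domain policy overrides the local setting.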