Re: "Local Security Policy", Is it stored in registry?
From: Nick Finco [MSFT] (nfinco_at_online.microsoft.com)
Date: 04/28/03
- Next message: Nick Finco [MSFT]: "Re: re-applying local security policy"
- Previous message: Peter Clark: "decrypt encrypted files"
- In reply to: Peter Clark: "Re: "Local Security Policy", Is it stored in registry?"
Date: Mon, 28 Apr 2003 12:24:10 -0700
Writing some code to query LSA directly would be the most elegant way to
know if the user has the privilege. This may not reflect local policy
settings though on Win2k. Most of the time they should be the same though.
To query local policy settings, using secedit to export a security template
and then parsing that template is the only way. I believe going to the
registry is the same as querying LSA directly and I know doing that is not
looking at the local policy settings.
See this page for the LSA APIs.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/managing_account_permissions.asp
N
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Peter Clark" <clark@hushmail.com> wrote in message
news:065a01c30d9b$826401f0$a401280a@phx.gbl...
> there are two ways, possibly three.
>
> one:
>
> use secedit - run this command:
>
> C:\>secedit /export /CFG "%systemroot%\temp\user rights.txt" /areas USER_RIGHTS
>
> open "%systemroot%\temp\user rights.txt"
>
> Act as part of the operating system = setcbprivilege
>
> one up from the end:
>
> (nobody has the privilege) = setcbprivilege =
> (administrators have prv) = setcbprivilege = *S-1-5-32-544
>
> S-1-5-32-544 = administrators. multiple users are separated
> by a comma.
>
> two:
>
> use the registry - goto:
>
> HKEY_LOCAL_MACHINE\SECURITY\Policy\Accounts\S-1-5-32-544\Privilgs\@
>
> the security key has permissions to allow only system to
> access by default, thus your program will need to be either
> running at system level (service) or as administrator so
> the acls can be changed to allow access.
>
> privilgs: of variable length from 19 bytes, it covers the
> remaining options in "user rights assignment" the first
> byte determines the number of privileges the user(group)
> has. the first privilege is located at offset 8 and then at
> c(12) intervals thereafter. the values appear to be in no
> particular order. space in between is filled with 00, which
> unless they are used for something is quite a waste of
> data. the entry is filled with 00 until the end of that c
> block.
>
> 07 - act as part of the operating system
>
> if you want to know about some other settings, check here:
> http://www.beginningtoseethelight.org/ntsecurity/
> i apologize for the article because it was written a few
> years ago and my understanding has increased, the page
> needs an update/expansion.
>
> three:
>
> do some searches for "setcbprivilege" as there may be a more
> elegant way of querying (and setting) the option.
>
> >-----Original Message-----
> >I would like to check if administrators have the right to
> >"Act as Part of Operating System".
> >
> >"Peter Clark" <clark@hushmail.com> wrote in message
> >news:030701c30caa$4ff73300$a601280a@phx.gbl...
> >> local security policies are stored in the registry - they
> >> are also stored in the secedit.sdb file from which they are
> >> refreshed from. what policies are you interested in
> >> querying? if you want to do it programmatically you could
> >> try exporting and importing the configuration with
> >> secedit.exe
> >>
> >> >-----Original Message-----
> >> >I have an application that needs a few "local security
> >> >policies" set for it to work correctly. I was hoping to be
> >> >able to query the settings, but it doesn't look like they
> >> >are stored in the registry. Does anyone know if I can
> >> >programmatically query those policies?
> >
> >.
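
The export-and-parse approach discussed in this thread, as an added Python example that is not code from either poster: it reads the `[Privilege Rights]` section of a template exported with `secedit /export ... /areas USER_RIGHTS` and checks whether a SID holds a given right. The function names and the sample template are constructed for illustration; the example assumes the export is UTF-16 with a byte-order mark and falls back to UTF-8 for re-saved files.

```python
import codecs

ADMINISTRATORS = "S-1-5-32-544"  # the Administrators SID quoted in the thread

def decode_template(data: bytes) -> str:
    """Decode an exported template: UTF-16 with BOM, else UTF-8 (assumption)."""
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")

def parse_privilege_rights(data: bytes) -> dict:
    """Return {lowercased privilege name: [holders]} from [Privilege Rights]."""
    rights, section = {}, None
    for raw in decode_template(data).splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue                      # ignore every other section
        name, _, value = line.partition("=")
        # Holders are comma separated; SIDs carry a leading '*', names do not.
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        rights[name.strip().lower()] = holders
    return rights

def has_right(rights: dict, privilege: str, principal: str) -> bool:
    """A missing or empty entry means nobody holds the right."""
    held = rights.get(privilege.lower(), [])
    return principal.lower() in (h.lower() for h in held)

# Constructed sample shaped like a USER_RIGHTS export; not real system output.
SAMPLE = (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[Privilege Rights]\r\n"
    "SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551\r\n"
    "SeTcbPrivilege = *S-1-5-32-544\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
).encode("utf-16")

if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE)
    print("Administrators hold SeTcbPrivilege:",
          has_right(rights, "SeTcbPrivilege", ADMINISTRATORS))
```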