Re: Manage User Privileges Programmatically

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 10/24/05


Date: Mon, 24 Oct 2005 03:51:25 -0700

Hmm, this is an interesting thought.

IIS6 sets up its service accounts in a similar manner and is included in a
group which grants the necessary privileges (no, the name of the group is
not configurable), but I still frequently see "IIS issues" resolve down to
some enterprise-wide group policy-based lockdown of user privileges that
kills IIS in some insidious manner.

I'm just looking for a reasonable way for IIS to offer usage of service
accounts that still survive group policy lockdown...

-- 
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:O5HvMVz1FHA.164@TK2MSFTNGP10.phx.gbl...
I am not pointing you at a .h here, but rather commenting on what
you seem to be trying to do, which is fool with the user rights.
As a dev I understand the need to make sure that an account has
the needed rights.  As an admin I have disgust at installers that fool
with the user rights settings, which generally I have locked down by
use of group policy.  On one of my machines your installer would
result in a non-working install as soon as group policy applied from
the AD level.  Worse, as your installer thought all was good, I have
no indication that the service account was granted the right, which
later disappears.
Solution:  document in the install docs that your installer expects a
group named "x" that is granted the user right to log on as a service,
and give the admin a way to specify "x" if they do not like your
default.  Your installer just makes sure the account is in the group.
Everyone is happy.  It works with group policy latch down, your
install works and keeps working, and admins do not feel your install
is being sneaky tweaking critical settings behind the scenes.
<ciuly0@gmail.com> wrote in message
news:1129899960.165326.100260@f14g2000cwb.googlegroups.com...
> Hi all,
>
> I am trying to translate the code from the following article into
> Delphi. I mostly succeeded but I cannot seem to find the definition of
> 3 constants. I looked in the latest platform sdk and they are simply
> not there.
>
> the article in question:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;132958
>
> the constants:
> ACCOUNT_ADJUST_SYSTEM_ACCESS
> ACCOUNT_VIEW
> ACCOUNT_ADJUST_PRIVILEGES
>
> I did find a file NTSecApi.h but it doesn't contain those definitions.
> I think that since the article relates to win nt and 2000 maybe those
> definitions are present in the nt or 2000 platform sdk. I couldn't get
> a copy of any of the 2 and that is why I am asking for your help.
>
> I also looked into the reactOS and wine sources, but with no luck.
>
> If the above is not possible, then I would like another way to
> programmatically manage a user's privileges.
> What I am trying to do is programmatically grant the "Logon as a
> service" right to a newly created user. I need something that will work
> at least on winxp, and it will be better if it will run on all windows
> nt platforms.
>
> Thanks in advance for your help.
>
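
The group-based approach suggested in this thread, sketched as an added PowerShell example (not code from any poster or from IIS): the installer only ensures group membership, then checks that the group actually holds the "log on as a service" right (SeServiceLogonRight) and fails visibly if it does not. The group name MyAppServices and account name svc-myapp are hypothetical placeholders; the script assumes an elevated session on Windows PowerShell 5.1 or later.

```powershell
# Added example. $GroupName and $AccountName are hypothetical placeholders.
param(
    [string]$GroupName   = 'MyAppServices',  # assumed: the documented group "x"
    [string]$AccountName = 'svc-myapp'       # assumed: the local service account
)
$ErrorActionPreference = 'Stop'

function Get-UserRightHolders {
    param([string]$Right)
    # Export this machine's current user-rights assignment (needs elevation).
    $cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed: $LASTEXITCODE" }
        $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
        if (-not $line) { return }           # right is assigned to nobody
        # Holders are comma-separated; SIDs are written with a leading '*'.
        ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

function Get-Sid {
    param([string]$Name)
    # Throws if the name does not exist, e.g. the admin has not created the group.
    $nt = New-Object System.Security.Principal.NTAccount($Name)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$groupSid   = Get-Sid $GroupName
$accountSid = Get-Sid $AccountName

# Installer step: touch group membership only, never the user-rights policy.
$members = @(Get-LocalGroupMember -Group $GroupName)
if (-not ($members | Where-Object { $_.SID.Value -eq $accountSid })) {
    Add-LocalGroupMember -Group $GroupName -Member $AccountName
}

# Verification step: fail loudly if the group does not hold the right, instead
# of reporting a good install that breaks when policy is applied.
$holders = @(Get-UserRightHolders -Right 'SeServiceLogonRight')
if (($holders -notcontains $groupSid) -and ($holders -notcontains $GroupName)) {
    Write-Error "'$GroupName' lacks SeServiceLogonRight; ask the admin to grant it."
}
Write-Output "'$AccountName' is in '$GroupName', which holds SeServiceLogonRight."
```

Running the same script again after a group policy refresh shows whether the right survived the lockdown.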

