Re: Manage User Privileges Programmatically
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 10/24/05
- In reply to: David Wang [Msft]: "Re: Manage User Privileges Programmatically"
Date: Mon, 24 Oct 2005 07:32:09 -0700
Hi David,
Yes, the default behavior of IIS 6 (and for that matter ComAdmin
under default account naming, IIRC) is a pain - well, at least it forces
me to not have the control from policy over the login rights in the way
that I would like for a production server (at least where the app pools
defined and their principals change). I believe the IIS team is aware
of the requirement although for a different reason (admins failing to
define new app pool accounts fully correctly).
Cheers,
Roger
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:uqwfnmI2FHA.1252@TK2MSFTNGP09.phx.gbl...
> Hmm, this is an interesting thought.
>
> IIS6 sets up its service accounts in a similar manner and is included in a
> group which grants the necessary privileges (no, the name of the group is
> not configurable), but I still frequently see "IIS issues" resolve down to
> some enterprise-wide group policy-based lockdown of user privileges that
> kill IIS in some insidious manner.
>
> I'm just looking for a reasonable way for IIS to offer usage of service
> accounts that still survive group policy lockdown...
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> news:O5HvMVz1FHA.164@TK2MSFTNGP10.phx.gbl...
> I am not pointing you at a .h here, but rather commenting on what
> you seem to be trying to do, which is fool with the user rights.
> As a dev I understand the need to make sure that an account has
> the needed rights. As an admin I have disgust at installers that fool
> with the user rights settings, which generally I have locked down by
> use of group policy. On one of my machines your installer would
> result in a non-working install as soon as group policy applied from
> the AD level. Worse, as your installer thought all was good, I have
> no indication that the service account was granted the right, which
> later disappears.
> Solution: document in the install docs that your installer expects a
> group named "x" that is granted the user right to log on as a service,
> and give the admin a way to specify "x" if they do not like your
> default. Your installer just makes sure the account is in the group.
> Everyone is happy. It works with group policy latch down, your
> install works and keeps working, and admins do not feel your install
> is being sneaky tweaking critical settings behind the scenes.
> <ciuly0@gmail.com> wrote in message
> news:1129899960.165326.100260@f14g2000cwb.googlegroups.com...
>> Hi all,
>>
>> I am trying to translate the code from the following article into
>> Delphi. I mostly succeeded but I cannot seem to find the definition of
>> 3 constants. I looked in the latest platform sdk and they are simply
>> not there.
>>
>> the article in question:
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;132958
>>
>> the constants:
>> ACCOUNT_ADJUST_SYSTEM_ACCESS
>> ACCOUNT_VIEW
>> ACCOUNT_ADJUST_PRIVILEGES
>>
>> I did find a file NTSecApi.h but it doesn't contain those definitions.
>> I think that since the article relates to win nt and 2000 maybe those
>> definitions are present in the nt or 2000 platform sdk. I couldn't get
>> a copy of any of the 2 and that is why I am asking for your help.
>>
>> I also looked into the ReactOS and Wine sources, but with no luck.
>>
>> If the above is not possible, then I would like another way of
>> programmatically managing a user's privilege.
>> What I am trying to do is programmatically grant the "Logon as a
>> service" right to a newly created user. I need something that will work
>> at least on winxp, and it will be better if it will run on all windows
>> nt platforms.
>>
>> Thanks in advance for your help.
>>
>
>
>
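The approach suggested in the quoted reply (the installer only makes sure the service account is in an admin-designated group and leaves the "Log on as a service" right to policy), as an added example that is not part of the original thread. It assumes Windows PowerShell 5.1 or later, an elevated session, and a local group; the account and group names are placeholders.

```powershell
# Added example, not code from the thread. Names below are hypothetical placeholders.
param(
    [string]$ServiceAccount = 'svc-example',      # placeholder service account
    [string]$RightsGroup    = 'ExampleSvcLogon'   # the admin-chosen group "x"
)
$ErrorActionPreference = 'Stop'

# The installer never creates the group or edits user rights: the admin owns both.
$group = Get-LocalGroup -Name $RightsGroup -ErrorAction SilentlyContinue
if (-not $group) {
    throw "Group '$RightsGroup' not found. Create it and grant it 'Log on as a service' first."
}

# Idempotent membership: add the account only if it is not already a member.
$nt      = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$acctSid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$isMember = Get-LocalGroupMember -Group $RightsGroup |
    Where-Object { $_.SID.Value -eq $acctSid }
if (-not $isMember) {
    Add-LocalGroupMember -Group $RightsGroup -Member $ServiceAccount
}

# Read-only check: export the effective user rights and look for the group
# under SeServiceLogonRight, so a policy lockdown is reported at install time.
$inf = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
try {
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)." }
    $line = Select-String -Path $inf -Pattern '^SeServiceLogonRight\s*=' |
        Select-Object -First 1
} finally {
    Remove-Item $inf -ErrorAction SilentlyContinue
}

# Entries are comma-separated; SIDs carry a leading '*', unresolved names do not.
$holders = @()
if ($line) {
    $holders = ($line.Line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
if (($holders -notcontains $group.SID.Value) -and ($holders -notcontains $RightsGroup)) {
    Write-Warning "'$RightsGroup' does not hold SeServiceLogonRight; the service cannot start until policy grants it."
    exit 1
}
Write-Output "'$ServiceAccount' is in '$RightsGroup', which holds SeServiceLogonRight."
```

Rerunning the check after the next group policy refresh shows whether the grant survives policy applied from the AD level.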