I made some progress but then I got stuck. I used the LSA Functions project from CodeProject as a starting point and added the ability to call LsaEnumerateAccountRights.

This successfully returns any rights that I have added via LsaAddAccountRights. However, that is all that it shows. Any accounts that I have not added privileges via LsaAddAccountRights return "record not found".

That would be fine if I needed to add and verify rights but I need to determine what already has interactive login rights.

Any ideas what I might have done wrong? I can post the code but all I did was to take the policyHandle as returned by LsaOpenPolicy and pass it along with the sid to LsaEnumerateAccountRights.

Thanks,
-Mont

On 1/5/07, Mont Rothstein <[EMAIL PROTECTED]> wrote:
Thanks! That was the needle I was looking for.

-Mont

On 1/5/07, Peter Ritchie <[EMAIL PROTECTED]> wrote:
>
> The quick answer is you have to Pinvoke LsaEnumerateAccountRights to find
> out what rights a particular account has the "SeDenyInteractiveLogonRight"--which
> means that account can't login locally.
>
> Of course, it's much easier said than done...
>
> There was a recent thread on this list discussing the ability to test/set
> the logon-as-service right (same logic, looking for "SeServiceLogonRight").
> That thread seemed to delegate to http://www.codeproject.com/csharp/lsadotnet.asp ;
> but, I don't think that actually "tests" whether an account has a particular
> right or not.
>
> On Fri, 5 Jan 2007 10:16:00 -0800, Mont Rothstein <[EMAIL PROTECTED]> wrote:
>
> >Yes, that is what I mean.
> >
> >Is there a way to determine which accounts do or don't have local login
> >rights?
>
> ===================================
> This list is hosted by DevelopMentor(r) http://www.develop.com
>
> View archives and manage your subscription(s) at http://discuss.develop.com