I got this working. I used LsaEnumerateAccountsWithUserRight(), which returned the SIDs for the objects with the SeInteractiveLogonRight privilege. From there I can compare against my list of all users and weed out those I don't want.

One other point of confusion is that I saw __vmware__ in my list of objects with SeInteractiveLogonRight, but that user doesn't show in the Welcome screen and isn't in the registry as a special account. It turned out that there is both a __vmware__ user and a __vmware__ group, and it is the group that has interactive logon rights!

I may still use KBC.WIndowsSecurityUtilities if I can get ahold of it.

-Mont

On 1/8/07, Mont Rothstein <[EMAIL PROTECTED]> wrote:
I made some progress but then I got stuck.

I used the LSA Functions project from CodeProject as a starting point and added the ability to call LsaEnumerateAccountRights. This successfully returns any rights that I have added via LsaAddAccountRights. However, that is all that it shows. Any accounts that I have not added privileges via LsaAddAccountRights return "record not found".

That would be fine if I needed to add and verify rights, but I need to determine what already has interactive login rights.

Any ideas what I might have done wrong? I can post the code, but all I did was to take the policyHandle as returned by LsaOpenPolicy and pass it along with the sid to LsaEnumerateAccountRights.

Thanks,
-Mont

On 1/5/07, Mont Rothstein <[EMAIL PROTECTED]> wrote:
> Thanks! That was the needle I was looking for.
>
> -Mont
>
> On 1/5/07, Peter Ritchie <[EMAIL PROTECTED]> wrote:
> > The quick answer is you have to Pinvoke LsaEnumerateAccountRights to find
> > out what rights a particular account has the "SeDenyInteractiveLogonRight"--which
> > means that account can't login locally.
> >
> > Of course, it's much easier said than done...
> >
> > There was a recent thread on this list discussing the ability to test/set
> > the logon-as-service right (same logic, looking for "SeServiceLogonRight").
> > That thread seemed to delegate to
> > http://www.codeproject.com/csharp/lsadotnet.asp ; but, I don't think that
> > actually "tests" whether an account has a particular right or not.
> >
> > On Fri, 5 Jan 2007 10:16:00 -0800, Mont Rothstein <[EMAIL PROTECTED]> wrote:
> >
> > >Yes, that is what I mean.
> > >
> > >Is there a way to determine which accounts do or don't have local login
> > >rights?
> >
> > ===================================
> > This list is hosted by DevelopMentor(r) http://www.develop.com
> >
> > View archives and manage your subscription(s) at
> > http://discuss.develop.com
===================================
This list is hosted by DevelopMentor® http://www.develop.com

View archives and manage your subscription(s) at http://discuss.develop.com
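The approach described in the thread, as an added C# example that is not code from any of the posters: it calls LsaEnumerateAccountsWithUserRight for both SeInteractiveLogonRight and SeDenyInteractiveLogonRight and prints each principal's SID type, so a group can be told apart from a same-named user. The class and helper names (LogonRightAudit, Dump, Check) are hypothetical; it assumes an elevated process on the local machine and C# 7 or later.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Text;

static class LogonRightAudit   // hypothetical name, not from the thread
{
    enum SidNameUse { User = 1, Group, Domain, Alias, WellKnownGroup, DeletedAccount, Invalid, Unknown, Computer }
    [StructLayout(LayoutKind.Sequential)] struct LSA_UNICODE_STRING { public ushort Length, MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)] struct LSA_OBJECT_ATTRIBUTES { public int Length; public IntPtr RootDirectory, ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor, SecurityQualityOfService; }
    [DllImport("advapi32.dll")] static extern uint LsaOpenPolicy(IntPtr systemName, ref LSA_OBJECT_ATTRIBUTES attrs, uint access, out IntPtr policy);
    [DllImport("advapi32.dll")] static extern uint LsaEnumerateAccountsWithUserRight(IntPtr policy, ref LSA_UNICODE_STRING right, out IntPtr buffer, out uint count);
    [DllImport("advapi32.dll")] static extern uint LsaFreeMemory(IntPtr buffer);
    [DllImport("advapi32.dll")] static extern uint LsaClose(IntPtr policy);
    [DllImport("advapi32.dll")] static extern int LsaNtStatusToWinError(uint status);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool LookupAccountSid(string system, IntPtr sid, StringBuilder name, ref uint cchName, StringBuilder domain, ref uint cchDomain, out SidNameUse use);
    const uint POLICY_VIEW_LOCAL_INFORMATION = 0x1, POLICY_LOOKUP_NAMES = 0x800;
    const uint STATUS_NO_MORE_ENTRIES = 0x8000001A; // returned when no account holds the right
    static void Check(uint s) { if (s != 0) throw new System.ComponentModel.Win32Exception(LsaNtStatusToWinError(s)); }

    // Prints every principal that directly holds `right`, with its SID type (User, Group, Alias, ...).
    static void Dump(IntPtr policy, string right)
    {
        var us = new LSA_UNICODE_STRING { Buffer = Marshal.StringToHGlobalUni(right),
            Length = (ushort)(right.Length * 2), MaximumLength = (ushort)(right.Length * 2 + 2) };
        uint status = LsaEnumerateAccountsWithUserRight(policy, ref us, out IntPtr buf, out uint count);
        Marshal.FreeHGlobal(us.Buffer);
        Console.WriteLine(right + ":");
        if (status == STATUS_NO_MORE_ENTRIES) return;   // empty list, not an error
        Check(status);
        for (int i = 0; i < count; i++)
        {
            IntPtr sid = Marshal.ReadIntPtr(buf, i * IntPtr.Size); // LSA_ENUMERATION_INFORMATION.Sid
            var name = new StringBuilder(256); var dom = new StringBuilder(256);
            uint cn = 256, cd = 256;
            bool ok = LookupAccountSid(null, sid, name, ref cn, dom, ref cd, out SidNameUse use);
            Console.WriteLine("  {0}  {1}", new System.Security.Principal.SecurityIdentifier(sid),
                ok ? dom + "\\" + name + " (" + use + ")" : "<unresolved>");
        }
        LsaFreeMemory(buf);
    }

    static void Main()
    {
        var attrs = new LSA_OBJECT_ATTRIBUTES();   // members are unused by LSA; left zeroed
        Check(LsaOpenPolicy(IntPtr.Zero, ref attrs, POLICY_VIEW_LOCAL_INFORMATION | POLICY_LOOKUP_NAMES, out IntPtr policy));
        try { Dump(policy, "SeInteractiveLogonRight"); Dump(policy, "SeDenyInteractiveLogonRight"); }
        finally { LsaClose(policy); }
    }
}
```

The output lists only principals that hold the right directly; users who receive it through a listed group or alias still have to be found by expanding that group's membership.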