Argh, sorry for continually replying to myself, but I've just realized
something.

The reason that LsaEnumerateAccountRights() returned record not found is
that it returns explicit rights (where the account is directly listed in the
privilege) not implicit ones (where for example the account is in a group).

Is there some way to test to see if a user has a given privilege?

Thanks,
-Mont


On 1/8/07, Mont Rothstein <[EMAIL PROTECTED]> wrote:

I got this working.  I used LsaEnumerateAccountsWithUserRight() which
returned the SIDs for the objects with the SeInteractiveLogonRight
privilege.

From there I can compare against my list of all users and weed out those I
don't want.

One other point of confusion is that I saw __vmware__ in my list of
objects with SeInteractiveLogonRight, but that user doesn't show in the
Welcome screen and isn't in the registry as a special account.  It turned
out that there is both a __vmware__ user and a __vmware__ group, and it is the
group that has interactive logon rights!

I may still use KBC.WindowsSecurityUtilities if I can get ahold of it.

-Mont


On 1/8/07, Mont Rothstein <[EMAIL PROTECTED]> wrote:
>
> I made some progress but then I got stuck.
>
> I used the LSA Functions project from CodeProject as a starting point
> and added the ability to call LsaEnumerateAccountRights.
>
> This successfully returns any rights that I have added via
> LsaAddAccountRights.  However, that is all that it shows.  Any accounts that
> I have not added privileges via LsaAddAccountRights return "record not
> found".
>
> That would be fine if I needed to add and verify rights but I need to
> determine what already has interactive login rights.
>
> Any ideas what I might have done wrong?
>
> I can post the code but all I did was to take the policyHandle as
> returned by LsaOpenPolicy and pass it along with the sid to
> LsaEnumerateAccountRights.
>
> Thanks,
> -Mont
>
>
> > On 1/5/07, Mont Rothstein <[EMAIL PROTECTED]> wrote:
> >
> > Thanks!  That was the needle I was looking for.
> >
> > -Mont
> >
> >
> > On 1/5/07, Peter Ritchie <[EMAIL PROTECTED]>
> > wrote:
> > >
> > > The quick answer is you have to P/Invoke LsaEnumerateAccountRights to
> > > find
> > > out whether a particular account has the
> > > "SeDenyInteractiveLogonRight",
> > > which means that account can't log in locally.
> > >
> > > Of course, it's much easier said than done...
> > >
> > > There was a recent thread on this list discussing the ability to
> > > test/set
> > > the logon-as-service right (same logic, looking
> > > for "SeServiceLogonRight").  That thread seemed to delegate to
> > > http://www.codeproject.com/csharp/lsadotnet.asp ; but, I don't think
> > > that
> > > actually "tests" whether an account has a particular right or not.
> > >
> > > On Fri, 5 Jan 2007 10:16:00 -0800, Mont Rothstein
> > > <[EMAIL PROTECTED]> wrote:
> > >
> > > >Yes, that is what I mean.
> > > >
> > > >Is there a way to determine which accounts do or don't have local
> > > login
> > > >rights?
> > >
> > > ===================================
> > > This list is hosted by DevelopMentor(r)   http://www.develop.com
> > >
> > > View archives and manage your subscription(s) at
> > > http://discuss.develop.com
> > >
> >
> >
>
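
An added example, not code from this thread or from the CodeProject LSA project it mentions: C# P/Invoke wrappers for the three LSA calls discussed (LsaOpenPolicy, LsaEnumerateAccountsWithUserRight, LsaEnumerateAccountRights), plus an effective-right check for the last question in the thread. A user holds a logon right if their own SID or any group SID in their token is granted it and none of those SIDs is granted the matching Deny right. The P/Invoke declarations, the names LsaRights, AccountsWithRight, ExplicitRights and HasEffectiveLogonRight, and the use of the current user's token as the group list are all my assumptions for the example.

```csharp
// Added example, not code from the thread or the CodeProject LSA project.
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class LsaRights
{
    [StructLayout(LayoutKind.Sequential)]
    struct LSA_UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]
    struct LSA_OBJECT_ATTRIBUTES
    {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }
    [StructLayout(LayoutKind.Sequential)]
    struct LSA_ENUMERATION_INFORMATION { public IntPtr Sid; }
    const uint POLICY_VIEW_LOCAL_INFORMATION = 0x1, POLICY_LOOKUP_NAMES = 0x800;
    // NTSTATUS values: "no account holds this right" and "this SID has no explicit entry" (the
    // latter is the "record not found" from the thread: a normal answer, not a failure).
    const uint STATUS_SUCCESS = 0, STATUS_NO_MORE_ENTRIES = 0x8000001A, STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034;
    [DllImport("advapi32.dll")] static extern uint LsaOpenPolicy(IntPtr SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle);
    [DllImport("advapi32.dll")] static extern uint LsaEnumerateAccountsWithUserRight(IntPtr PolicyHandle, ref LSA_UNICODE_STRING UserRight, out IntPtr Buffer, out uint CountReturned);
    [DllImport("advapi32.dll")] static extern uint LsaEnumerateAccountRights(IntPtr PolicyHandle, byte[] AccountSid, out IntPtr UserRights, out uint CountOfRights);
    [DllImport("advapi32.dll")] static extern uint LsaFreeMemory(IntPtr Buffer);
    [DllImport("advapi32.dll")] static extern uint LsaClose(IntPtr ObjectHandle);
    [DllImport("advapi32.dll")] static extern uint LsaNtStatusToWinError(uint Status);

    static void Check(uint status) { if (status != STATUS_SUCCESS) throw new Win32Exception((int)LsaNtStatusToWinError(status)); }

    // Reads `count` consecutive structs of type T out of an LSA-allocated buffer.
    static T[] ReadArray<T>(IntPtr buf, uint count)
    {
        var items = new T[count]; int size = Marshal.SizeOf(typeof(T));
        for (int i = 0; i < count; i++) items[i] = (T)Marshal.PtrToStructure(new IntPtr(buf.ToInt64() + i * size), typeof(T));
        return items;
    }

    static IntPtr OpenLocalPolicy()
    {
        var attrs = new LSA_OBJECT_ATTRIBUTES();   // all zero: local machine, default attributes
        IntPtr policy; Check(LsaOpenPolicy(IntPtr.Zero, ref attrs, POLICY_VIEW_LOCAL_INFORMATION | POLICY_LOOKUP_NAMES, out policy));
        return policy;
    }

    // Every SID (user OR group) that has `right` listed explicitly in local security policy.
    public static HashSet<SecurityIdentifier> AccountsWithRight(string right)
    {
        var sids = new HashSet<SecurityIdentifier>();
        var name = new LSA_UNICODE_STRING { Length = (ushort)(right.Length * 2), MaximumLength = (ushort)((right.Length + 1) * 2), Buffer = Marshal.StringToHGlobalUni(right) };
        IntPtr policy = OpenLocalPolicy();
        try
        {
            IntPtr buf; uint count; uint st = LsaEnumerateAccountsWithUserRight(policy, ref name, out buf, out count);
            if (st == STATUS_NO_MORE_ENTRIES) return sids;
            Check(st);
            // SecurityIdentifier(IntPtr) copies the SID bytes, so the LSA buffer can be freed right after.
            try { foreach (var e in ReadArray<LSA_ENUMERATION_INFORMATION>(buf, count)) sids.Add(new SecurityIdentifier(e.Sid)); }
            finally { LsaFreeMemory(buf); }
        }
        finally { Marshal.FreeHGlobal(name.Buffer); LsaClose(policy); }
        return sids;
    }

    // Rights listed explicitly for one SID; rights held only through group membership do NOT appear.
    public static List<string> ExplicitRights(SecurityIdentifier sid)
    {
        var rights = new List<string>();
        var sidBytes = new byte[sid.BinaryLength]; sid.GetBinaryForm(sidBytes, 0);
        IntPtr policy = OpenLocalPolicy();
        try
        {
            IntPtr buf; uint count; uint st = LsaEnumerateAccountRights(policy, sidBytes, out buf, out count);
            if (st == STATUS_OBJECT_NAME_NOT_FOUND) return rights;
            Check(st);
            try { foreach (var s in ReadArray<LSA_UNICODE_STRING>(buf, count)) rights.Add(Marshal.PtrToStringUni(s.Buffer, s.Length / 2)); }   // Length is in bytes
            finally { LsaFreeMemory(buf); }
        }
        finally { LsaClose(policy); }
        return rights;
    }

    // Effective check: the user's own SID or any group SID in the token holds the allow right,
    // and none of them holds the matching deny right (a deny right always wins).
    public static bool HasEffectiveLogonRight(IEnumerable<SecurityIdentifier> tokenSids, string allowRight, string denyRight)
    {
        HashSet<SecurityIdentifier> allowed = AccountsWithRight(allowRight), denied = AccountsWithRight(denyRight);
        bool granted = false;
        foreach (var sid in tokenSids) { if (denied.Contains(sid)) return false; if (allowed.Contains(sid)) granted = true; }
        return granted;
    }

    static void Main()
    {
        // The current user's token carries the full group list (nested groups, Users, Authenticated Users, ...).
        var me = WindowsIdentity.GetCurrent();
        var tokenSids = new List<SecurityIdentifier> { me.User };
        foreach (var g in me.Groups) { var s = g as SecurityIdentifier; if (s != null) tokenSids.Add(s); }
        Console.WriteLine("Explicit rights for {0}: {1}", me.Name, string.Join(", ", ExplicitRights(me.User).ToArray()));
        Console.WriteLine("Can log on interactively: {0}", HasEffectiveLogonRight(tokenSids, "SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"));
    }
}
```

Two practical notes. Opening the policy with POLICY_VIEW_LOCAL_INFORMATION normally needs an administrative token, so run this elevated. AccountsWithRight returns group SIDs as well as user SIDs, which is exactly the __vmware__ situation above; calling Translate(typeof(NTAccount)) on each SID shows the name and makes a group entry obvious. For an account other than the caller's, the token group list has to be built some other way (NetUserGetLocalGroups or the local group enumeration of your choice; which one is an assumption, not something this thread settles), and the check is only as complete as that list.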

