Unfortunately I don't want to enable interactive login, I want to determine
if it is already enabled for an account.

Thanks,
-Mont


On 1/8/07, Pardee, Roy <[EMAIL PROTECTED]> wrote:

Can you get a token for the user in question & try to enable the
interactive login bit w/AdjustTokenPrivileges?

(Just paraphrasing Keith Brown's .net dev guide to windows security
here--not really sure how any of this works...)

-----Original Message-----
From: Discussion of advanced .NET topics.
[mailto:[EMAIL PROTECTED] On Behalf Of Mont Rothstein
Sent: Monday, January 08, 2007 2:36 PM
To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
Subject: Re: [ADVANCED-DOTNET] Identifying special accounts

Argh, sorry for continually replying to myself but I've just realized
something.

The reason that LsaEnumerateAccountRights() returned record not found is
that it returns explicit rights (where the account is directly listed in
the privilege) not implicit ones (where for example the account is in a
group).

Is there some way to test to see if a user has a given privilege?

Thanks,
-Mont


On 1/8/07, Mont Rothstein <[EMAIL PROTECTED]> wrote:
>
> I got this working.  I used LsaEnumerateAccountsWithUserRight() which
> returned the SIDs for the objects with the SeInteractiveLogonRight
> privilege.
>
> From there I can compare against my list of all users and weed out
> those I don't want.
>
> One other point of confusion is that I saw __vmware__ in my list of
> objects with SeInteractiveLogonRight but that user doesn't show in
> the Welcome screen and isn't in the registry as a special account.  It
> turned out that there is both a __vmware__ user and __vmware__ group,
> and it is the group that has interactive logon rights!
>
> I may still use KBC.WIndowsSecurityUtilities if I can get ahold of it.
>
> -Mont
>
>
> On 1/8/07, Mont Rothstein < [EMAIL PROTECTED]> wrote:
> >
> > I made some progress but then I got stuck.
> >
> > I used the LSA Functions project from CodeProject as a starting
> > point and added the ability to call LsaEnumerateAccountRights.
> >
> > This successfully returns any rights that I have added via
> > LsaAddAccountRights.  However, that is all that it shows.  Any
> > accounts that I have not added privileges via LsaAddAccountRights
> > return "record not found".
> >
> > That would be fine if I needed to add and verify rights but I need
> > to determine what already has interactive login rights.
> >
> > Any ideas what I might have done wrong?
> >
> > I can post the code but all I did was to take the policyHandle as
> > returned by LsaOpenPolicy and pass it along with the sid to
> > LsaEnumerateAccountRights.
> >
> > Thanks,
> > -Mont
> >
> >
> > On 1/5/07, Mont Rothstein < [EMAIL PROTECTED]> wrote:
> > >
> > > Thanks!  That was the needle I was looking for.
> > >
> > > -Mont
> > >
> > >
> > > On 1/5/07, Peter Ritchie
> > > <[EMAIL PROTECTED]>
> > > wrote:
> > > >
> > > > > The quick answer is you have to Pinvoke
> > > > > LsaEnumerateAccountRights to find out what rights a particular
> > > > > account has the "SeDenyInteractiveLogonRight"--which means that
> > > > > account can't login locally.
> > > > >
> > > > > Of course, it's much easier said than done...
> > > >
> > > > > There was a recent thread on this list discussing the ability to
> > > > > test/set the logon-as-service right (same logic, looking for
> > > > "SeServiceLogonRight").  That thread seemed to delegate to
> > > > http://www.codeproject.com/csharp/lsadotnet.asp ; but, I don't
> > > > think that actually "tests" whether an account has a particular
> > > > right or not.
> > > >
> > > > On Fri, 5 Jan 2007 10:16:00 -0800, Mont Rothstein <
> > > > [EMAIL PROTECTED] > wrote:
> > > >
> > > > >Yes, that is what I mean.
> > > > >
> > > > > >Is there a way to determine which accounts do or don't have
> > > > > >local login rights?
> > > >
> > > > ===================================
> > > > This list is hosted by DevelopMentor(r)   http://www.develop.com
> > > >
> > > > View archives and manage your subscription(s) at
> > > > http://discuss.develop.com
> > > >
> > >
> > >
> >
>

===================================
This list is hosted by DevelopMentor(r)  http://www.develop.com

View archives and manage your subscription(s) at
http://discuss.develop.com
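
An added example, not code posted by anyone in this thread: it answers the "does this account already have interactive logon" question by calling LsaEnumerateAccountsWithUserRight for both the allow and the deny right and matching the returned SIDs against the account's own SID and its group SIDs, which covers the group-granted case that LsaEnumerateAccountRights misses. The names LogonRights, Holders and CanLogOnLocally are hypothetical, and the code assumes Windows and a process that is permitted to open the local LSA policy.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;
using System.Security.Principal;
static class LogonRights
{
    [StructLayout(LayoutKind.Sequential)] struct LSA_UNICODE_STRING { public ushort Length, MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)] struct LSA_OBJECT_ATTRIBUTES { public int Length; public IntPtr Root, Name; public uint Attributes; public IntPtr Sd, Qos; }
    [DllImport("advapi32.dll")] static extern uint LsaOpenPolicy(IntPtr system, ref LSA_OBJECT_ATTRIBUTES attrs, uint access, out IntPtr policy);
    [DllImport("advapi32.dll")] static extern uint LsaEnumerateAccountsWithUserRight(IntPtr policy, ref LSA_UNICODE_STRING right, out IntPtr buffer, out uint count);
    [DllImport("advapi32.dll")] static extern uint LsaFreeMemory(IntPtr buffer);
    [DllImport("advapi32.dll")] static extern uint LsaClose(IntPtr handle);
    const uint POLICY_VIEW_LOCAL_INFORMATION = 0x1, POLICY_LOOKUP_NAMES = 0x800, STATUS_NO_MORE_ENTRIES = 0x8000001A;
    // Every SID (user or group) that is listed directly in the given right.
    static HashSet<SecurityIdentifier> Holders(string right)
    {
        var result = new HashSet<SecurityIdentifier>();
        var attrs = new LSA_OBJECT_ATTRIBUTES();
        var name = new LSA_UNICODE_STRING { Buffer = Marshal.StringToHGlobalUni(right),
            Length = (ushort)(right.Length * 2), MaximumLength = (ushort)(right.Length * 2 + 2) };
        IntPtr policy = IntPtr.Zero, buffer = IntPtr.Zero;
        try
        {
            uint st = LsaOpenPolicy(IntPtr.Zero, ref attrs, POLICY_VIEW_LOCAL_INFORMATION | POLICY_LOOKUP_NAMES, out policy);
            if (st != 0) throw new InvalidOperationException("LsaOpenPolicy failed: 0x" + st.ToString("X8"));
            st = LsaEnumerateAccountsWithUserRight(policy, ref name, out buffer, out uint count);
            if (st == STATUS_NO_MORE_ENTRIES) return result;   // no account holds this right
            if (st != 0) throw new InvalidOperationException("Enumeration failed: 0x" + st.ToString("X8"));
            for (int i = 0; i < count; i++)                     // buffer is an array of SID pointers
                result.Add(new SecurityIdentifier(Marshal.ReadIntPtr(buffer, i * IntPtr.Size)));
            return result;
        }
        finally
        {
            if (buffer != IntPtr.Zero) LsaFreeMemory(buffer);
            if (policy != IntPtr.Zero) LsaClose(policy);
            Marshal.FreeHGlobal(name.Buffer);
        }
    }
    // sids = the account's own SID plus the SIDs of every group it belongs to.
    // A match on SeDenyInteractiveLogonRight overrides any allow entry.
    static bool CanLogOnLocally(ICollection<SecurityIdentifier> sids) =>
        !Holders("SeDenyInteractiveLogonRight").Overlaps(sids) && Holders("SeInteractiveLogonRight").Overlaps(sids);
    static void Main()   // checks the account running this process
    {
        var id = WindowsIdentity.GetCurrent();
        var sids = new List<SecurityIdentifier>(id.Groups.OfType<SecurityIdentifier>()) { id.User };
        Console.WriteLine(id.Name + " can log on locally: " + CanLogOnLocally(sids));
    }
}
```

To check an account other than the current one, pass CanLogOnLocally that account's SID together with its group SIDs, however the caller resolves them.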
