1. Run the script below with an admin account.
2. Log off.

Now try your impersonation.



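------------------------------------------------------------------------------

use Win32;
use Win32::Lanman;

# $targetLogin is the account to receive the privileges, e.g. 'DOMAIN\user';
# when it is undefined, Enable() falls back to the current user.
# Enable() returns 0 on success or the Win32 error code on failure.
if (my $error = Enable($targetLogin))
{
        print "Error: $error\n";
}

sub Enable
{
        # Accounts to grant the privileges to; default is the current DOMAIN\user.
        my @accounts = grep { defined } @_;
        my $login = @accounts ? \@accounts
                              : [ Win32::DomainName() . '\\' . Win32::LoginName() ];

        # The privileges are granted on the local machine.
        my $server = "\\\\" . Win32::NodeName();

        # Stop at the first grant that fails and report its error code.
        return Win32::Lanman::GetLastError() unless
                Win32::Lanman::GrantPrivilegeToAccount($server, Win32::Lanman::SE_TCB_NAME(), $login)
            and Win32::Lanman::GrantPrivilegeToAccount($server, Win32::Lanman::SE_CHANGE_NOTIFY_NAME(), $login)
            and Win32::Lanman::GrantPrivilegeToAccount($server, Win32::Lanman::SE_ASSIGNPRIMARYTOKEN_NAME(), $login);

        return 0;
}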


-----Original Message-----
From: Dean Theophilou [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 17, 2002 2:52 PM
To: Perl-win32-admin list (E-mail)
Subject: RE: Win32::Adminmisc


        To be perfectly honest, I'm stumped.  Although I'm using build 630, I'm not
sure if that is relevant.  The only other thing I can think of is that since the
domain is not being specified (the first parameter of the LogonAsUser function),
that the user account is undefined.  Perhaps you can ask Mr. Dave Roth (the
creator of the module) if there is a specific GetLastError function for the
AdminMisc module (I looked at the docs for that module and I didn't see one, but
you never know).

...a few minutes pass while consulting Win32 Perl Scripting: The
Administrator's Handbook (also by Dave Roth)...

        I was just reading that since the four required privileges are local, "a user
must have these privileges on each computer that she [ignore the PC pronoun
usage :)] intends to run scripts that call the LogonAsUser() function."  You
might want to check that.  You might also want to check if the user who has been
assigned these privileges has been logged off and then on again, so that the
privileges can take effect.  Anyway, if none of this works, then I'm all out of
ideas (I still consider myself somewhat of a beginner Perl user); sorry.


Dean
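
One way to carry out the check suggested above, as an added example that is not part of the original thread: it parses `whoami /priv` output for the account that runs the script and reports which of the four privileges are absent from its token. The sample output is constructed, and the availability of `whoami /priv` on the machine is an assumption (the thread does not mention it).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The four user rights named in the thread, keyed by their privilege names.
my %required = (
    SeTcbPrivilege                => 'Act as part of the operating system',
    SeChangeNotifyPrivilege       => 'Bypass traverse checking',
    SeIncreaseQuotaPrivilege      => 'Increase quotas',
    SeAssignPrimaryTokenPrivilege => 'Replace a process level token',
);

# Constructed sample of `whoami /priv` output, used when no file is given.
my $sample = <<'END';
Privilege Name                Description                         State
============================= =================================== ========
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process  Disabled
SeShutdownPrivilege           Shut down the system                Disabled
END

# Return { privilege name => state } for every privilege line in the text.
# Assumes English output, where the state column reads Enabled or Disabled.
sub parse_privileges {
    my ($text) = @_;
    my %held;
    for my $line (split /\r?\n/, $text) {
        $held{$1} = $2
            if $line =~ /^(Se\w+Privilege)\s.*\s(Enabled|Disabled)\s*$/;
    }
    return \%held;
}

# Return the required privileges that do not appear in the token at all.
sub missing_privileges {
    my ($held) = @_;
    return sort grep { !exists $held->{$_} } keys %required;
}

# Usage: whoami /priv > priv.txt, then: perl check_priv.pl priv.txt
my $text = @ARGV ? do { local $/; <> } : $sample;
my $held = parse_privileges($text);
for my $name (sort keys %required) {
    my $state = exists $held->{$name} ? $held->{$name} : 'NOT IN TOKEN';
    printf "%-30s %-38s %s\n", $name, $required{$name}, $state;
}
my @missing = missing_privileges($held);
print @missing
    ? "Missing: @missing (grant on this machine, then log off and on)\n"
    : "All four privileges are present in the token.\n";
```

A privilege listed as Disabled is held by the token and can be enabled by the process; one that is not listed at all was either never granted on this machine or was granted after the current logon session started.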



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
Ailes, Kevin
Sent: Thursday, January 17, 2002 2:11 PM
To: Perl-win32-admin list (E-mail)
Subject: RE: Win32::Adminmisc


I tried that and I get.....

before LogonAsUser(): name = apache
The operation completed successfully.
Failed to logon as apache.
The Win32 error number is: 1
The Win32 error text is: Incorrect function
The Perl error number is: 0
The Perl error text is:
.............................

I am attempting to use this script via an apache web server that is running
as the "apache" user.

I have set all of the privileges as described in prior posts.

What is with the "Incorrect function" result?

I am using binary build 623 of activestate perl 5.6.0


Kevin Ailes
Administrator
OTTO Engineering

> -----Original Message-----
> From: Dean Theophilou [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, January 17, 2002 3:57 PM
> To:   [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject:      RE: Win32::Adminmisc
>
> Hmmm...I'm not really sure what's happening here.  That the operation
> "completed successfully" is obviously wrong.  How about trying something like
> this (which is borrowed from Win32 Perl Programming: The Standard Extensions,
> 2 ed., by Dave Roth):
>
> use Win32::AdminMisc;
> use Win32;
>
> $! = $^E = 0;
> $name = Win32::AdminMisc::GetLogonName();
> print("before LogonAsUser(): name = $name\n");
>
> if (Win32::AdminMisc::LogonAsUser("",
>                                "bob",
>                                "welcome",
>                                LOGON32_LOGON_INTERACTIVE )) {
>       $name = Win32::AdminMisc::GetLogonName();
>       print("Successfully. After LogonAsUser(), name = $name\n");
>
> } else {
>       print Win32::FormatMessage(Win32::GetLastError());
>       print "Failed to logon as $name.\n";
>       print "Currently logged on as: " . Win32::AdminMisc::GetLogonName();
>       print "The Win32 error number is: ", int($^E), "\n";
>       print "The Win32 error text is: $^E\n";
>       print "The Perl error number is: ", int($!), "\n";
>       print "The Perl error text is: $!\n";
>
> }
>
> Try that and see what error comes up.
>
>
> Dean
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 17, 2002 2:13 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Win32::Adminmisc
>
>
> Hello Dean,
>
> Thanks for your help.
> I tried as you mentioned in your message but it didn't work.
>
> Win32::FormatMessage(Win32::GetLastError()) ===> printed "The operation
> completed successfully"
> The errno $! was empty.
>
> Environment:
> - ActiveState Perl 5.005_03 build 522
> - Extension Win32::AdminMisc Perl 5.005 ActiveState Build (Last updated
> 20000117)
> - The user who runs the script is a domain administrator (Eric) and the 4
> privileges were set for him
> - The impersonated user is an end-user (Bob) in the same domain
>
>
> Here is the test script:
> ##############################################################
> use Win32::AdminMisc;
> use Win32;
>
> $name = Win32::AdminMisc::GetLogonName();
> print("before LogonAsUser(): name = $name\n");
>
> if (Win32::AdminMisc::LogonAsUser("",
>                                "bob",
>                                "welcome",
>                                LOGON32_LOGON_INTERACTIVE )) {
>       $name = Win32::AdminMisc::GetLogonName();
>       print("Successfully. After LogonAsUser(), name = $name\n");
>
> } else {
>       print Win32::FormatMessage(Win32::GetLastError());
>       print "Failed to logon: Errno=$!.\n";
> }
> ##############################################################
>
> Here is the output:
>
> before LogonAsUser(): name = Eric
> The operation completed successfully.
> Failed to logon: Errno=.
>
>
> Eric.
>
> -----Original Message-----
> From: Dean Theophilou [mailto:[EMAIL PROTECTED]]
> Sent: jeudi 17 janvier 2002 4:15
> To: DePriest, Jason R.; 'Ailes, Kevin'; Perl-win32-admin list (E-mail)
> Subject: RE: Win32::Adminmisc
>
>
> Hello:
>
>       Ok, let's start at the beginning.  The user who will be running the
> script needs to have the following four privileges:
>
> Act as part of the OS
> Bypass traverse checking (this is usually a default privilege)
> Increase quotas
> Replace a process level token
>
>       Note that these privileges ARE for the person who will be running the
> script; NOT the person you are trying to impersonate. The person you end up
> impersonating ("$UserID, $UserPassword", in your example below) does not need
> these privileges, for purposes of the LogonAsUser function, that is.
>
>       After you make the call to LogonAsUser, make a call to
> Win32::AdminMisc::GetLogonName to check if the impersonation succeeded.  If it
> did not succeed, get the last error and print it out to see what it says; do
> something like this:
>
> print Win32::FormatMessage(Win32::GetLastError());
>
>       You might also want to print out the regular Perl error with $!.
> Anyway, give that a shot, and if it doesn't work, then let me know what error
> was produced.  Good luck.
>
>
> Dean Theophilou
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> DePriest, Jason R.
> Sent: Wednesday, January 16, 2002 7:03 AM
> To: 'Dean Theophilou'; 'Ailes, Kevin'; Perl-win32-admin list (E-mail)
> Subject: RE: Win32::Adminmisc
>
>
> I have tried LOGON32_LOGON_BATH and LOGON32_LOGON_INTERACTIVE with the same
> results.
>
> There must be something else we are overlooking.
>
> The system I am running the script on is a Windows NT 4.0 Server, Enterprise
> Edition member server of a Windows NT domain.  The account I am trying to
> run the script as is in that Windows NT domain.
> The account has been made a member of the local administrators group on the
> server as well as a domain administrator on the domain.
> The account has also been individually assigned the rights that were
> detailed in previous emails to/from this list.
>
> Does that help any?
>
> -Jason
>
> >  -----Original Message-----
> > From:       Dean Theophilou [mailto:[EMAIL PROTECTED]]
> > Sent:       Tuesday, January 15, 2002 06:11 PM
> > To: DePriest, Jason R.; 'Ailes, Kevin'; Perl-win32-admin list (E-mail)
> > Subject:    RE: Win32::Adminmisc
> >
> > How about trying LOGON32_LOGON_INTERACTIVE as the fourth parameter of the
> > LogonAsUser function?  This is what I use, so I know it works.
> >
> > Dean Theophilou
> >
> >
> > -----Original Message-----
> > From: DePriest, Jason R. [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, January 15, 2002 12:28 PM
> > To: 'Dean Theophilou'; DePriest, Jason R.; 'Ailes, Kevin';
> > Perl-win32-admin list (E-mail)
> > Subject: RE: Win32::Adminmisc
> >
> >
> >
> > My biggest problem is this:
> >
> > <script>
> >
> > Win32::AdminMisc::LogonAsUser($Domain,$UserID,$UserPassword,LOGON32_LOGON_SERVICE);
> > $WhoAmI = Win32::AdminMisc::GetLogonName();
> > </script>
> >
> > $WhoAmI is invariably listed as the currently logged in user, whether
> > myself or "SYSTEM" when run as a scheduled task.
> >
> > The $UserID has been granted each right that you listed as the rights it
> > ~must~ have to work correctly.
> >
> > -Jason
> >
> >  -----Original Message-----
> > From:   Dean Theophilou [ <mailto:[EMAIL PROTECTED]>]
> > Sent:   Tuesday, January 15, 2002 02:14 PM
> > To:     DePriest, Jason R.; 'Ailes, Kevin'; Perl-win32-admin list (E-mail)
> > Subject:        RE: Win32::Adminmisc
> >
> > My suggestion is to keep the standard privileges for the Admin group and
> > the four required for the logonasuser function.  The four required for the
> > function are:
> >
> >
> > 1) Bypass traverse checking
> > 2) Act as part of the OS
> > 3) Increase quotas
> > 4) Replace a process level token
> >
> >
> > Dean Theophilou
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [
> > <mailto:[EMAIL PROTECTED]>]On Behalf Of
> > DePriest, Jason R.
> >
> > Sent: Tuesday, January 15, 2002 12:04 PM
> > To: 'Dean Theophilou'; DePriest, Jason R.; 'Ailes, Kevin';
> > Perl-win32-admin list (E-mail)
> > Subject: RE: Win32::Adminmisc
> >
> >
> >
> > I cannot speak for anyone else who has had this problem, but, yes the
> > account was made a member of the local administrators and domain
> > administrators group.
> >
> > I also added the following rights to the particular account:
> > Act as part of the operating system,
> > Bypass traverse checking (even though this was already granted to a group
> > it was in),
> > Increase Quotas,
> > Log on as a batch job,
> > Log on as a service,
> > Log on locally (even though this was already granted to a group it was
> > in), and
> > Replace a process level token.
> >
> > The problem still remained.
> >
> > -Jason
> >
> > -----Original Message-----
> > From: Dean Theophilou [ < <mailto:[EMAIL PROTECTED]>>]
> > Sent: Tuesday, January 15, 2002 01:10 PM
> > To: DePriest, Jason R.; 'Ailes, Kevin'; Perl-win32-admin list (E-mail)
> > Subject: RE: Win32::Adminmisc
> >
> >
> > Hello:
> >
> >         Did you set the privileges required for the user you want to log
> > on as?  For example, if you are logged on as "Fred", and you want to switch
> > to "Wilma", then Wilma must have the four privileges listed on p. 228 of
> > Win32 Perl Scripting: The Administrator's Handbook, by Dave Roth.
> >
> >
> > Dean Theophilou
> > Genisar
> >
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > DePriest, Jason R.
> > Sent: Tuesday, January 15, 2002 9:50 AM
> > To: 'Ailes, Kevin'; Perl-win32-admin list (E-mail)
> > Subject: RE: Win32::Adminmisc
> >
> >
> > I am one of the people who have had the same problem.
> >
> > It seems like, after logging on as the specified user, the script forgets
> > who it is logged in as and tries to run as SYSTEM or whatever...
> >
> > I was thinking that you might have to use
> > Win32::AdminMisc::CreateProcessAsUser along with
> > Win32::AdminMisc::LogonAsUser, but I didn't have the time nor the patience
> > to try and figure out Win32::AdminMisc::CreateProcessAsUser.
> >
> > For my project, instead of creating a service like I was originally planning
> > on, I used cygwin + cron to schedule the task and let cron run it in its
> > heightened context instead.
> >
> > -Jason
> >
> > -----Original Message-----
> > From: Ailes, Kevin [ < <mailto:[EMAIL PROTECTED]>>]
> > Sent: Tuesday, January 15, 2002 11:47 AM
> > To: Perl-win32-admin list (E-mail)
> > Subject: Win32::Adminmisc
> >
> >
> > I now realize that I need to set up the user account that the apache web
> > service runs under to have some advanced capabilities or use the
> > Win32::Adminmisc module to logon as a different user (impersonate a user
> > with advanced privileges).
> >
> > Unfortunately for me, I can not get the logonasuser method to function
> > properly.
> >
> > I searched Dave Roth's web site for instructions.  I found and set the
> > privileges for the apache web user account according to the faq.
> > No luck.
> >
> > I searched the usenet groups from google and found many references to the
> > same problem I am having, however there were no answers other than to set
> > the privileges on the user account (which I have done).  I even restarted
> > the web server service.  I haven't tried restarting the machine.....yet.
> >
> > I searched the Adminmisc newsgroup hosted by Dave's site.  There were many
> > un-answered questions regarding the logonasuser method failing in a similar
> > manner to what I have described.
> >
> > Am I missing something here?
> >
> > Kevin Ailes
> > Administrator
> > OTTO Engineering
> >
> > _______________________________________________
> > Perl-Win32-Admin mailing list
> > [EMAIL PROTECTED]
> > http://listserv.ActiveState.com/mailman/listinfo/perl-win32-admin