Bill Janssen wrote:
> I've got an MSI installer for installing my UpLib server.  I use the
> following bit of code in a custom action to grant the user the right to
> "log on as a service", so that the service can run under their user-id:
>
>     import win32api, win32security
>
>     username = win32api.GetUserNameEx(win32api.NameSamCompatible)
>     domain, username = username.split("\\")
>     policy_handle = win32security.LsaOpenPolicy(domain, win32security.POLICY_ALL_ACCESS)
>     sid_obj, domain, tmp = win32security.LookupAccountName(domain, username)
>     win32security.LsaAddAccountRights( policy_handle, sid_obj, ('SeServiceLogonRight',) )
>     win32security.LsaClose( policy_handle )
>
> This seems to work fine if the user is running the installer from a
> local machine account, but fails if they are running under their domain
> network account:
>
> Traceback (most recent call last):
>   File "c:\docume~1\foobar\locals~1\temp\tmpgmqdnh\win32\install-script.py", line 410, in <module>
>     policy_handle = win32security.LsaOpenPolicy(domain, win32security.POLICY_ALL_ACCESS)
> pywintypes.error: (1722, 'LsaOpenPolicy', 'The RPC server is unavailable.')
>
> I've tried this on a couple of machines, and it's the same on each.
>
> Now, if that user opens up admin tools, then local security, then user
> rights, he can give himself this right.  So it's not a privilege problem;
> I'm just not doing it right in Python.

Notice that the failure here is in LsaOpenPolicy, not in
LsaAddAccountRights.  Your code as you have it is trying to modify the
DOMAIN policy to add the service logon right.  I THINK what you really
want is to add the service logon right ON the local machine FOR this
domain account.  You don't want to modify the domain.  To do that, I
think you want to specify None as the first parameter to LsaOpenPolicy.

However, I admit that NT security is a twisty maze of little passages,
all different, so it's quite possible this is just a wrong turn.

-- 
Tim Roberts, t...@probo.com
Providenza & Boekelheide, Inc.
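
The suggestion in the reply above, written out as an added example (not code from either poster): the policy is opened with `None` as the system name so the grant lands in the local machine's policy for the domain account, and the handle is closed even on failure. The function name `grant_local_right` and its `lsa` parameter are hypothetical, and requesting only `POLICY_LOOKUP_NAMES | POLICY_CREATE_ACCOUNT` instead of `POLICY_ALL_ACCESS` is a least-privilege choice made here, not something the thread discusses.

```python
SERVICE_LOGON = "SeServiceLogonRight"


def grant_local_right(account, right=SERVICE_LOGON, lsa=None):
    """Grant `right` to `account` ("DOMAIN\\user") in the LOCAL machine's policy.

    `lsa` is a hypothetical injection point for testing; by default it is
    pywin32's win32security module. Returns the account's rights afterwards.
    """
    if lsa is None:
        import win32security as lsa  # pywin32, Windows only

    # System name None = resolve the account name from the local machine.
    sid, _domain, _acct_type = lsa.LookupAccountName(None, account)

    # None opens the local Policy object instead of the domain's. Ask only for
    # the access LsaAddAccountRights needs rather than POLICY_ALL_ACCESS.
    access = lsa.POLICY_LOOKUP_NAMES | lsa.POLICY_CREATE_ACCOUNT
    policy = lsa.LsaOpenPolicy(None, access)
    try:
        lsa.LsaAddAccountRights(policy, sid, (right,))
        # Read the rights back so the caller can confirm the grant.
        return tuple(lsa.LsaEnumerateAccountRights(policy, sid))
    finally:
        lsa.LsaClose(policy)  # release the handle even if the grant failed


if __name__ == "__main__":
    import win32api

    me = win32api.GetUserNameEx(win32api.NameSamCompatible)  # "DOMAIN\\user"
    print(me, "now holds:", grant_local_right(me))
```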
