Tim Roberts <t...@probo.com> wrote:

>  Bill Janssen wrote:
> > I've got an MSI installer for installing my UpLib server.  I use the
> > following bit of code in a custom action to grant the user the right to
> > "log on as a service", so that the service can run under their user-id:
> >
> >     import win32api, win32security
> >
> >     username = win32api.GetUserNameEx(win32api.NameSamCompatible)
> >     domain, username = username.split("\\")
> >     policy_handle = win32security.LsaOpenPolicy(domain, win32security.POLICY_ALL_ACCESS)
> >     sid_obj, domain, tmp = win32security.LookupAccountName(domain, username)
> >     win32security.LsaAddAccountRights( policy_handle, sid_obj, ('SeServiceLogonRight',) )
> >     win32security.LsaClose( policy_handle )
> >
> > This seems to work fine if the user is running the installer from a
> > local machine account, but fails if they are running under their domain
> > network account:
> >
> > Traceback (most recent call last):
> >   File "c:\docume~1\foobar\locals~1\temp\tmpgmqdnh\win32\install-script.py", line 410, in <module>
> >     policy_handle = win32security.LsaOpenPolicy(domain, win32security.POLICY_ALL_ACCESS)
> > pywintypes.error: (1722, 'LsaOpenPolicy', 'The RPC server is unavailable.')
> >
> > I've tried this on a couple of machines, and it's the same on each.
> >
> > Now, if that user opens up admin tools, then local security, then user
> > rights, he can give himself this right.  So it's not a privilege problem;
> > I'm just not doing it right in Python.
> 
> Notice that the failure here is in LsaOpenPolicy, not in
> LsaAddAccountRights.  Your code as you have it is trying to modify the
> DOMAIN policy to add the service logon right.  I THINK what you really
> want is to add the service logon right ON the local machine FOR this
> domain account.  You don't want to modify the domain.  To do that, I
> think you want to specify None as the first parameter to LsaOpenPolicy.
> 
> However, I admit that NT security is a twisty maze of little passages,
> all different, so it's quite possible this is just a wrong turn.

Got it to work.  I was just being too complicated for my own good.

Here's the working code:

import sys, traceback

try:
    import win32api, win32security

    # SAM-compatible name of the installing user, e.g. DOMAIN\user
    username = win32api.GetUserNameEx(win32api.NameSamCompatible)
    print('granting "logon as a service" rights to ' + username)
    # None as the system name opens the local machine's LSA policy
    policy_handle = win32security.LsaOpenPolicy(None, win32security.POLICY_ALL_ACCESS)
    sid_obj, domain, tmp = win32security.LookupAccountName(None, username)
    win32security.LsaAddAccountRights(policy_handle, sid_obj, ('SeServiceLogonRight',))
    win32security.LsaClose(policy_handle)
except Exception:
    print('Exception granting user the SeServiceLogonRight:')
    print(''.join(traceback.format_exception(*sys.exc_info())))

Thanks for the help.

Bill
_______________________________________________
python-win32 mailing list
python-win32@python.org
http://mail.python.org/mailman/listinfo/python-win32
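
Added example, not part of the original thread or of pywin32: an idempotent version of the grant above that verifies the result and reports whether it changed anything, so an uninstaller can revoke only a right the installer itself added. The function names and the `sec` parameter (a stand-in for the win32security module, so the logic can be exercised off Windows) are hypothetical, and the access mask narrower than POLICY_ALL_ACCESS is an assumption.

```python
RIGHT = "SeServiceLogonRight"
ERROR_FILE_NOT_FOUND = 2  # LSA reports this when an account holds no rights


def current_rights(sec, policy, sid):
    """Return the set of rights assigned directly to sid in this policy."""
    try:
        return set(sec.LsaEnumerateAccountRights(policy, sid))
    except Exception as exc:
        if getattr(exc, "winerror", None) == ERROR_FILE_NOT_FOUND:
            return set()
        raise


def ensure_service_logon(account, sec=None):
    """Grant RIGHT on the local machine; True only if this call added it."""
    if sec is None:
        import win32security as sec  # pywin32, Windows only
    # Assumption: a narrower mask than POLICY_ALL_ACCESS is enough here.
    access = sec.POLICY_LOOKUP_NAMES | sec.POLICY_CREATE_ACCOUNT
    policy = sec.LsaOpenPolicy(None, access)  # None = this machine, not the domain
    try:
        sid, _domain, _kind = sec.LookupAccountName(None, account)
        if RIGHT in current_rights(sec, policy, sid):
            return False  # already present, so uninstall must not remove it
        sec.LsaAddAccountRights(policy, sid, (RIGHT,))
        if RIGHT not in current_rights(sec, policy, sid):
            raise RuntimeError("grant not visible after LsaAddAccountRights")
        return True
    finally:
        sec.LsaClose(policy)  # released even when a call above fails


def revoke_service_logon(account, sec=None):
    """Uninstall counterpart; call only if ensure_service_logon returned True."""
    if sec is None:
        import win32security as sec  # pywin32, Windows only
    policy = sec.LsaOpenPolicy(None, sec.POLICY_LOOKUP_NAMES)
    try:
        sid, _domain, _kind = sec.LookupAccountName(None, account)
        if RIGHT not in current_rights(sec, policy, sid):
            return False
        sec.LsaRemoveAccountRights(policy, sid, False, (RIGHT,))  # False: only RIGHT
        return True
    finally:
        sec.LsaClose(policy)
```

Recording the return value of ensure_service_logon at install time lets the uninstall step decide whether revoke_service_logon should run at all.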
