Tim Roberts <t...@probo.com> wrote: > Bill Janssen wrote: > > I've got an MSI installer for installing my UpLib server. I use the > > following bit of code in a custom action to grant the user the right to > > "log on as a service", so that the service can run under their user-id: > > > > import win32api, win32security > > > > username = win32api.GetUserNameEx(win32api.NameSamCompatible) > > domain, username = username.split("\\") > > policy_handle = win32security.LsaOpenPolicy(domain, > > win32security.POLICY_ALL_ACCESS) > > sid_obj, domain, tmp = win32security.LookupAccountName(domain, username) > > win32security.LsaAddAccountRights( policy_handle, sid_obj, > > ('SeServiceLogonRight',) ) > > win32security.LsaClose( policy_handle ) > > > > This seems to work fine if the user is running the installer from a > > local machine account, but fails if they are running under their domain > > network account: > > > > Traceback (most recent call last): > > File > > "c:\docume~1\foobar\locals~1\temp\tmpgmqdnh\win32\install-script.py", line > > 410, in <module> > > policy_handle = win32security.LsaOpenPolicy(domain, > > win32security.POLICY_ALL_ACCESS) > > pywintypes.error: (1722, 'LsaOpenPolicy', 'The RPC server is unavailable.') > > > > I've tried this on a couple of machines, and it's the same on each. > > > > Now, if that user opens up admin tools, then local security, then user > > rights, he can give himself this right. So it's not a privilege problem; > > I'm just not doing it right in Python. > > Notice that the failure here is in LsaOpenPolicy, not in > LsaAddAccountRight. Your code as you have it is trying to modify the > DOMAIN policy to add the service logon right. I THINK what you really > want is to add the service logon right ON the local machine FOR this > domain account. You don't want to modify the domain. To do that, I > think you want to specify None as the first parameter to LsaOpenPolicy. > > However, I admit that NT security is a twisty maze of little passages, > all different, so it's quite possible this is just a wrong turn.
Got it to work. I was just being too complicated for my own good. Here's the working code: try: import win32api, win32security username = win32api.GetUserNameEx(win32api.NameSamCompatible) print 'granting "logon as a service" rights to ' + username policy_handle = win32security.LsaOpenPolicy(None, win32security.POLICY_ALL_ACCESS) sid_obj, domain, tmp = win32security.LookupAccountName(None, username) win32security.LsaAddAccountRights( policy_handle, sid_obj, ('SeServiceLogonRight',) ) win32security.LsaClose( policy_handle ) except: print 'Exception granting user the SeServiceLogonRight:' print ''.join(traceback.format_exception(*sys.exc_info())) Thanks for the help. Bill _______________________________________________ python-win32 mailing list python-win32@python.org http://mail.python.org/mailman/listinfo/python-win32