How to call LogonUser from an EXE, not a service.
Posted on 1998-12-08
When my software is running from a regular User account it needs to do stuff that requires Admin privileges. So I ask the user to log in as Admin and prompt them to type a user name, password and Domain. I then call LogonUser to get a token that has Admin privileges. The problem is that the code only works when the user is logged on as Admin, which defeats the whole purpose. When the LogonUser function is called while the user is logged in as a regular user, that is, it does not have SE_TCB_NAME privilege set, the function doesn't work. In the NT User Manager program, the SE_TCB_NAME privilege is known as the "Act as the operating system" user right. I must give the user this right, or else LogonUser doesn't work. Microsoft recommends that LogonUser be called from a service, which is usually run from the LocalSystem account, which always has the SE_TCB_NAME privilege set.