Solved

LogonUser() does not work (privilege problem)!

Posted on 2000-04-08
Last Modified: 2013-12-03

I'm logged in as an Administrator, and I cannot execute LogonUser()
because I have insufficient rights to execute this function, EVEN if I
set up the SE_TCB_NAME privilege. All functions execute correctly and
return 1 as the "ret" parameter except LogonUser().

What are the advantages of being an Administrator if I don't have all the rights
to execute functions?

I want to execute LogonUser(), firstly, with an Administrator login and
secondly, if possible, with a simple user login.


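  HANDLE htoken, htoken2;   /* htoken: logon token; htoken2: current process token */
  TOKEN_PRIVILEGES tkp;
  BOOL ret;

  /* Open the current process token so its privileges can be adjusted. */
  ret = OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &htoken2 );

  /* Look up the LUID for SE_TCB_NAME. */
  ret = LookupPrivilegeValue( NULL, SE_TCB_NAME, &tkp.Privileges[0].Luid );

  tkp.PrivilegeCount = 1;
  tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

  /* Request that the privilege be enabled in the token. */
  ret = AdjustTokenPrivileges( htoken2, FALSE, &tkp, 0, NULL, 0 );

  ret = LogonUser( "username", NULL, "password", LOGON32_LOGON_BATCH, LOGON32_PROVIDER_DEFAULT,
        &htoken );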
0
Question by:mars
15 Comments
 
LVL 32

Expert Comment

by:jhance
ID: 2696157
Please note that checking ret is not enough.  To reference the SDK docs for AdjustTokenPrivileges:

Note:  The NewState parameter can specify privileges that the token does not have, without causing the function to fail. In this case, the function adjusts the privileges that the token does have, ignores the other privileges, and returns success. Call the GetLastError function to determine whether the function adjusted all of the specified privileges. The PreviousState parameter indicates the privileges that were adjusted.


If you check what GetLastError is returning, the problem will probably be clear.

0
 

Author Comment

by:mars
ID: 2696207
A) ret = LookupPrivilegeValue( NULL, SE_TCB_NAME, &tkp.Privileges[0].Luid );

I get error # 997, "An overlapping I/O operation is running"

B) ret = AdjustTokenPrivileges( htoken2, FALSE, &tkp, 0, NULL, 0 );

I get error # 1300, "The caller does not have all referenced privileges".

C) LogonUser( ... )

I get error # 1314, "Sufficient privilege missing"

Does this help you?
0
 
LVL 32

Expert Comment

by:jhance
ID: 2696297
I get error # 997, "An overlapping I/O operation is running"

Not an error from LookupPrivilegeValue.  No need to check this function's GetLastError().


I get error # 1300, "The caller does not have all referenced privileges".


So there you have it!  For some reason you requested SE_TCB_NAME but it was not granted.  Are you running this as administrator?

Actually, after looking at the SDK again I see that you shouldn't have to call AdjustTokenPrivileges at all.

From LogonUser():

The process that calls LogonUser must have the SE_TCB_NAME privilege. The privilege does not need to be enabled. The LogonUser function enables the privilege as necessary. If the calling process does not have this privilege, LogonUser fails and GetLastError returns ERROR_PRIVILEGE_NOT_HELD.


This confirms my theory that your account doesn't have this privilege enabled.  Both your call to AdjustTokenPrivileges and LogonUser fail to work.
0

 

Author Comment

by:mars
ID: 2696399
It's crazy, but I'm really logged in as an "Administrator". I see my account in the "AdministratorS" group.

I'm under Windows 2000, and I find it very strange that I cannot detail, for each user, the privileges granted or denied. For instance, I cannot add the "shutdown" privilege to ONE user.

Under Windows NT 4.0, it was possible.

Any ideas ?
0
 

Author Comment

by:mars
ID: 2696423
I ran my application under Win NT 4.0 as an Administrator user; the result is the same.

The detailed privileges under Win NT 4.0 can be modified under USRMGR.EXE, menu "Strategy", item "Users rights".
It does not exist under Win 2000 Management console.
0
 
LVL 32

Expert Comment

by:jhance
ID: 2696439
Did you try LogonUser() without calling AdjustTokenPrivileges?
0
 
LVL 86

Expert Comment

by:jkr
ID: 2696644
>>I'm under Windows 2000, and I find it
>>very strange that I cannot detail,
>>for each user, the privileges granted
>>or denied. For instance, I cannot add
>>the "shutdown" privilege to ONE user.

You can. Go to the Control Panel, select the 'Administration' applet, choose 'Local Security Policy' and proceed to 'Computer Configuration->Windows Settings->Security Settings->Local Policies->Granting User Privileges'. There you'll be able to grant 'SE_TCB_NAME' to 'Administrator' (it isn't granted by default). BTW, I'm not sure about the English names of the above (using a German Win2k).

0
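A way to verify the grant described above, as an added example that is not part of the thread: it lists which accounts the local policy assigns SeTcbPrivilege ("Act as part of the operating system") and whether the current token holds it. The function names and the sample policy lines are constructed for illustration.

```powershell
# Added example, not from the thread; function names are hypothetical.
function Get-UserRightHolder {
    # Lists the accounts that a secedit user-rights export assigns to one right.
    param(
        [Parameter(Mandatory)] [string[]] $InfLine,
        [string] $Right = 'SeTcbPrivilege'
    )
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    foreach ($line in $InfLine) {
        if ($line -match $pattern) {
            # Entries are comma-separated; a leading '*' marks a SID.
            foreach ($entry in ($Matches[1] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                if (-not $entry.StartsWith('*')) { $entry; continue }
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }   # SID with no resolvable name: report it raw
            }
            return
        }
    }
    # No line for the right: the policy assigns it to no account.
}

function Test-TokenHasPrivilege {
    # True if the current process token holds the right, enabled or not.
    param([string] $Right = 'SeTcbPrivilege')
    # /nh drops the localized header row, so column names are supplied here.
    $rows = whoami /priv /fo csv /nh | ConvertFrom-Csv -Header Name, Description, State
    [bool]($rows | Where-Object { $_.Name -eq $Right })
}

# Constructed sample of a secedit export's [Privilege Rights] section.
$sample = @(
    '[Privilege Rights]',
    'SeShutdownPrivilege = *S-1-5-32-544',
    'SeTcbPrivilege = *S-1-5-32-544'
)
Get-UserRightHolder -InfLine $sample

# Against the live policy, from an elevated prompt:
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-UserRightHolder -InfLine (Get-Content $cfg)
Remove-Item $cfg
Test-TokenHasPrivilege
```

A right granted through the policy appears only in tokens created after the grant, so log on again before re-running the LogonUser() call.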
 
LVL 15

Expert Comment

by:NickRepin
ID: 2696845
<<The first and biggest of these restrictions is that the process calling LogonUser must have the SE_TCB_NAME privilege (in User Manager, this is the "Act as part of the Operating System" right)>>
0
 
LVL 15

Accepted Solution

by:
NickRepin earned 100 total points
ID: 2696848
If I'm not wrong, "Act as part of the Operating System"  is not assigned to Administrators by default.
0
 
LVL 20

Expert Comment

by:Madshi
ID: 2697501
listening...
0
 

Author Comment

by:mars
ID: 2697749
Great, it works perfectly. Thank you all.
0
 
LVL 86

Expert Comment

by:jkr
ID: 2698305
>>If I'm not wrong, "Act as part of the Operating
>>System"  is not assigned to Administrators by default.

Err, mars, didn't I already mention this???
0
 

Author Comment

by:mars
ID: 2699373
Yes, you're right. I'm very disappointed about the Experts Exchange points. Your response helps me in DETAIL (I thank you for this). I realize TODAY that when I accepted an answer, I made a mistake by choosing "NickRepin"'s answer.
NickRepin was right, but you answered my question correctly before him.

I think the points system must evolve in such a way that I can choose not only one expert, but many experts, to be granted the SAME points (here: 100 points for each expert I grade).

Thank you for your precious help and keep going.

0
 
LVL 86

Expert Comment

by:jkr
ID: 2699960
>>I think the points system must
>>evolve in such a way that I can
>>choose not only one expert, but many
>>experts, to be granted the SAME
>>points

However, you still could address the customer service to handle such issues (http://www1.experts-exchange.com/Customer_Service/Experts_Exchange/)...
0
 

Author Comment

by:mars
ID: 2701019
OK, I will suggest it.
0
