How to impersonate a user?

I need to make an application, which would run in the context of a user, whose credentials (username & pass) would be hardcoded in the app. All this work should be done on Win NT.

I tried logonuser () function, but it needs "Act as a part of operating system" right for the user executing the app. The app will be launched by common users and I don't want to assign them this strong right.

Any idea is good.

Who is Participating?
bnemmersConnect With a Mentor Commented:
Take a look at the document from Micro$oft. It out lines the only two methods to use

LogonUser or
Security Support Provider Interface (SSPI)

I never tried SSPI and I don't know if it will provide the acces you need

Also su.exe ver 2.0 required that the user have these rights
   Act as part of the operating system
   Increase Quotas
   Replace a process level token
   Restore files and directories

For Version 2.99, these privileges are no longer required when using SU. In order to support this, you must install a new service-based component used by SU. The service component is encapsulated in the Suss.exe executable file, and this is installed by using the following command at a command prompt:
suss.exe -install

i think i might have an idea for you, this is not exactly what you want but it might give you some ideas...

the other day i was writing some service apps and service apps all have to run in default user, this means than it is running in a different user profile to the one logged on at the time...

to create the service in the default users profile area ( which is unobtainable by the normal users ) i had to create a registry set of my details for delphi, and then run a task which opened up a dos window ( the run schedule runs tasks in default memory area ) the dos window is then useing a different user to the main user ( NT is quite strict i beleave about users etc).
this meant that i could do work in the default users area , then i had to copy the registry settings i had to this area ( as they are different) and run delphi from this area, this meant that all code was compiled into the defaut users service area.
then log back on to normal user, the service is there running and safe and users cannot do anything to it as its not under there security whatever....

this is only basicly what i did, but the idea ETC came from a delphi mag a couple of months ago.

i know that it wasnt what you wanted but maybe if you cant do what you want maybe you could use a similar method as i did. if you want i will look up the issue number ETC and forward it on..

My approach to this would be to have your application in two parts.  The first is an NT Service that you can have started automatically as your pre-defined user with 'Run as part of system' right granted.  Then have a client utility that your users can use to invoke/query whatever your service is doing.  For this to work you need to get into IPC (Inter process communication).

Alternatlivly, (and this is much easier), use the RunAs command line tool(Win2000 only).  To run your app under the guise of a different user than the current logged in user.  If you dont want your users to see the "Runas Admin Password Program.exe" in a batch file, you'll need a starter application with the command line hard coded.

Introducing Cloud Class® training courses

Tech changes fast. You can learn faster. That’s why we’re bringing professional training courses to Experts Exchange. With a subscription, you can access all the Cloud Class® courses to expand your education, prep for certifications, and get top-notch instructions.

untakerAuthor Commented:

Non of your suggestions are good for me.

1. Systems are WinNT 4.0, so runas is of no use
2. I have many clients. I don't want to go to each of them and install a service at their comps. I just want to make an .exe, which i'll put into their logon scripts.

The SE_TCB_NAME privilege must be assigned to the user that is login to the NT box when they run the application you are writing.
However by assigning this right to a user, it opens a huge security hole and should not be granted. If you assign the right to all users, the call to LogonUser should work.

The best approach is to create a NT service program and let it logon using the local system account. This account has SE_TCB_NAME privilege by default and can do all of the action that you require.

You could install the service program when you install the desktop application.

Also you might reconsider not to hardcode the user credentials. If they decide to change the domain policies or whatever, then you might have to recompile every 45 days to change the user password. The best approach would to encrypt this info in to the registry and provide some dialog to change the account info.

"The process that calls LogonUser must have the SE_TCB_NAME privilege. The privilege does not need to be enabled. The LogonUser function enables the privilege as necessary. The function fails if the calling process does not have the SE_TCB_NAME privilege, and GetLastError returns the error code ERROR_PRIVILEGE_NOT_HELD. For more information about privileges, see Privileges."

untakerAuthor Commented:

Sorry, but everything you said had already been written here. In my question I said that I know about the SE_TCB_NAME limitation, and in my comment I said that I don't want to install a service on comps. I just want a one-time-used program, that makes some changes that require administrator privileges, and it will be run from a logonscript.

There must be a way, because there exists a ResKit utility su.exe, that can start a program under different user's credentials.
have you thought about taking a step back and having a maintenance program of your own that controls your privilages in your software, and have the userlogin name as your operator, then depending on what user is logged in just use those privivales, obviosly keeping the privilages program away from general eyes.
it is a simple approach but if written correctly could be as secure as you want it to be...
untakerAuthor Commented:

I don't understand very much what you wanted to say...
Please try it again and a little bit easier.. :-))

well if you create a maintenace program that has a list of your users in

then have a table of privilages available

Access to program 1 section A
  "     "    "    1 Section B
  "     "    "    2 Section A

then have a bit that allows you to say that
kristian has access to program 1 section A + B
and UNTAKER has access to program 1 sect' A + prog 2 sect A

then in your program check the current operator and see if (s)he has access to the section you are about to enter.
if not then dont let them...

just in case untaker im off for 6 days (i cant believe it) now so im affraid i wont know if i was any help to you or not but i will now be un-obtainable so good luck, hope the Previous comment made sence, kris.
ADMINISTRATION WILL BE CONTACTING YOU SHORTLY.  Moderators Computer101 or Netminder will return to finalize these if still open in seven days.  Please post closing recommendations before that time.

Question(s) below appears to have been abandoned. Your options are:
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you, but may help others. You must tell the participants why you wish to do this, and allow for Expert response.  This choice will include a refund to you, and will move this question to our PAQ (Previously Asked Question) database.  If you found information outside this question thread, please add it.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question (if it has no potential value for others).
   --> Post comments for expert of your intention to delete and why
   --> YOU CANNOT DELETE A QUESTION with comments; special handling by a Moderator is required.

For special handling needs, please post a zero point question in the link below and include the URL (question QID/link) that it regards with details.
Please click the Help Desk link on the left for Member Guidelines, Member Agreement and the Question/Answer process for further information, if needed.

Click you Member Profile to view your question history and keep them all current with updates as the collaboration effort continues, to track all your open and locked questions at this site.  If you are an EE KnowledgePro user, use the Power Search option to find them.  Anytime you have questions which are LOCKED with a Proposed Answer but does not serve your needs, please reject it and add comments as to why.  In addition, when you do grade the question, if the grade is less than an A, please add a comment as to why.  This helps all involved, as well as future persons who may access this item in the future to seek help.

To view your open questions, please click the following link(s) and keep them all current with updates.

------------>  EXPERTS:  Please leave your closing recommendations if this item remains inactive another seven (7) days.  If you are interested in the cleanup effort, please click this link 
POINTS FOR EXPERTS awaiting comments are listed here ->

Moderators will finalize this question if still open in 7 days, by either moving this to the PAQ (Previously Asked Questions) at zero points, deleting it or awarding expert(s) when recommendations are made, or an independent determination can be made.  Expert input is always appreciated to determine the fair outcome.
Thank you everyone.
Moderator @ Experts Exchange
Zero response, finalized.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.