eyalras
Impersonation while network is disconnected

Hi,

I have a Win2k server for my network and WinXP Pro / Win2k Pro as workstations.
I'm trying to create a process as a user from the Administrators group while logged in as a simple user.
I'm using the CreateProcessWithLogonW API for this, but I'm getting error 1355 - "The specified domain either does not exist or could not be contacted".
I can 'log in' with LogonUser even if the network is disconnected, but calling CreateProcessAsUser (with the LogonUser token) gets error number 1314 - A required privilege is not held by the client.


Any suggestions?
Regards,
Julian Hansen

According to the documentation, the process that calls CreateProcessAsUser needs the following rights:

SE_ASSIGNPRIMARYTOKEN_NAME  (not required if hToken is a restricted version of the caller's primary token)
SE_INCREASE_QUOTA_NAME

Enabling these rights may not be enough for it to work, though - you may have to call AdjustTokenPrivileges in your code in order for this to work correctly.

Look at the SetPrivilege function in the code sample at

http://support.microsoft.com/default.aspx?scid=kb;en-us;131065

for more info on how to adjust privileges properly.

HTH
eyalras

ASKER

Where should I assign these?

SE_ASSIGNPRIMARYTOKEN_NAME  
SE_INCREASE_QUOTA_NAME
On the local computer:

Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment

In AD you can create a GPO to assign the rights:

Computer Configuration -> Security Settings -> Local Policies -> User Rights Assignment.

Assign as per normal security under NT/XP/2000.


eyalras

ASKER

Please spread your answer, since I'm not so familiar with AD.
The user I want to use for the impersonation is Administrator in the domain.
What fields should I change in the User Rights...
In addition, you mentioned AdjustTokenPrivileges; how should I insert it into my code?
Regards,
OK, firstly here is an MSDN article on how to do this in VB - you should be able to modify it for your needs:

http://support.microsoft.com/default.aspx?scid=kb;en-us;285879

To set rights do as follows:

Open Local Security Policy in Administrative Tools on the machine you want to run this on.

Go to
Local Policies->User Rights Assignment
Select the "Increase quotas" option and make sure the users / groups that need this right (the user the process will be running under) are added to this right.
Do the same for "Replace a process level token".
You will also need the right "Act as part of the operating system" if you are going to use LogonUser.

Adjusting token privileges

Note this may not be required - sometimes it is, if you need certain rights to run a particular API call.

For this refer to the link I posted earlier.

Copy the SetPrivilege code into your project and call it as follows (assumes hToken is the token for the current process - again refer to the article for more info):

if ( !SetPrivilege ( hToken, SE_ASSIGNPRIMARYTOKEN_NAME, TRUE ) )
{
  // handle the error
}

if ( !SetPrivilege ( hToken, SE_INCREASE_QUOTA_NAME, TRUE ) )
{
  // handle the error
}

You should now be able to make your call to CreateProcessAsUser.




eyalras

ASKER

In the article you point to, it mentions that with CreateProcessWithLogonW() there is no need to change the AD settings (which is a much better option for me). Is it true? Can this function replace LogonUser and CreateProcessAsUser?
Yes - sorry, didn't read the article properly - it differentiates between NT4 and Win2k.

eyalras

ASKER

Well,
with this function I'm getting error 1355 - "The specified domain either does not exist or could not be contacted",
as mentioned in my first Q.
Can you help me with this?
Can you check if you have the following privilege for the account you are running this under:

Act as part of the operating system.

If this does not work, give me some time and I will try and knock together some sample code.

eyalras

ASKER

I have this privilege for all the domain users...
eyalras

ASKER

Don't forget I disconnect the network cable,
but as you probably know, under 2k and later you don't have to be connected to log in.
How are you specifying the domain name?
eyalras

ASKER

What do you mean?
By now I have a tester in which I put the domain name hardcoded,
and I'm not using the @ sign for the user name and domain, but each of them as a separate argument.
And what logon flags are you using?
eyalras

ASKER

For CreateProcessWithLogonW, here is the code:

ret = 0

ret = CreateProcessWithLogonW(StrConv("username" + Chr$(0), vbUnicode), StrConv("testdomain" + Chr$(0), vbUnicode), StrConv("1234" + Chr$(0), vbUnicode), LOGON_WITH_PROFILE, 0&, StrConv("c:\windows\notepad.exe" + Chr$(0), vbUnicode), CREATE_DEFAULT_ERROR_MODE, 0&, StrConv("c:\" + Chr$(0), vbUnicode), si, pi)

OutputDebugString ("CreateProcessWithLogonW:testdomain return  = " & ret & " return code = " & Err.LastDllError)

For LogonUser + CreateProcessAsUser:

ret = 0

ret = LogonUser("username", "testdomain", "1234", LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, phToken)

OutputDebugString ("LogonUser: testdomain return  = " & ret & " return code = " & Err.LastDllError)

ret = 0

ret = CreateProcessAsUser(phToken, 0&, "c:\windows\notepad.exe", 0&, 0&, False, CREATE_DEFAULT_ERROR_MODE, 0&, "c:\", si, pi)

OutputDebugString ("CreateProcessAsUser: testdomain return  = " & ret & " return code = " & Err.LastDllError)
ASKER CERTIFIED SOLUTION
jkr

eyalras

ASKER

Well, this solution is good. THANKS A LOT
...and you own the points...

Can you explain why the logon flag is 0?




eyalras

ASKER

I want to accept your answer, and I'm not sure this thread could get any more comments after it, so please send your answer to Dovalle@lamda-sys.co.il

Thanks again
>> Can you explain why the logon flag is 0?

Because if you use 'LOGON_WITH_PROFILE', the client needs to contact the logon server to obtain the profile. If not, the cached credentials can be used.

BTW, you might find http://support.microsoft.com/default.aspx?scid=kb;en-us;285879 ("How To Start a Process as Another User from Visual Basic") useful for further reference.
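The same logon-flag distinction, as an added PowerShell example that is not code from the thread or from jkr's solution: .NET's Process.Start with a UserName and Password calls CreateProcessWithLogonW, and its LoadUserProfile property is what selects LOGON_WITH_PROFILE versus a logon flag of 0. The function name, parameter names and the error-code hints are my own; it assumes the credential is entered as DOMAIN\user and that the calling account already holds the rights discussed above.

```powershell
# Added example: the .NET Process.Start path to CreateProcessWithLogonW.
# LoadUserProfile = $false passes dwLogonFlags = 0 (cached credentials
# are enough); $true passes LOGON_WITH_PROFILE, which needs the logon
# server for the profile and fails with 1355 when it is unreachable.
function Start-ProcessAsUser {            # hypothetical helper name
    param(
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential,
        [string]$FilePath = "$env:windir\notepad.exe",
        [string]$WorkingDirectory = 'C:\',
        [switch]$LoadUserProfile
    )
    $nc  = $Credential.GetNetworkCredential()   # splits DOMAIN\user
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName         = $FilePath
    $psi.WorkingDirectory = $WorkingDirectory
    $psi.UseShellExecute  = $false              # required with credentials
    $psi.UserName         = $nc.UserName
    $psi.Domain           = $nc.Domain
    $psi.Password         = $Credential.Password   # SecureString
    $psi.LoadUserProfile  = $LoadUserProfile.IsPresent
    try {
        $p = [System.Diagnostics.Process]::Start($psi)
        return [pscustomobject]@{ Started = $true; ProcessId = $p.Id; Error = 0; Hint = '' }
    } catch {
        # PowerShell wraps the Win32Exception in a MethodInvocationException
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        $code = if ($ex -is [System.ComponentModel.Win32Exception]) { $ex.NativeErrorCode } else { -1 }
        $hint = switch ($code) {
            1355    { 'ERROR_NO_SUCH_DOMAIN: logon server unreachable; retry without -LoadUserProfile' }
            1314    { 'ERROR_PRIVILEGE_NOT_HELD: check User Rights Assignment on this machine' }
            1326    { 'ERROR_LOGON_FAILURE: wrong user name or password' }
            default { $ex.Message }
        }
        return [pscustomobject]@{ Started = $false; ProcessId = $null; Error = $code; Hint = $hint }
    }
}

# Prompt for the account rather than embedding the password in the script.
$cred = Get-Credential -Message 'Account to run the process as (DOMAIN\user)'
$r = Start-ProcessAsUser -Credential $cred -LoadUserProfile
if (-not $r.Started -and $r.Error -eq 1355) {
    # No reachable logon server for the profile: fall back to logon flags = 0.
    $r = Start-ProcessAsUser -Credential $cred
}
$r
```

With the cable unplugged the first call reports 1355 and the second succeeds from cached credentials, which is the behaviour the reply above describes.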