• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 185
  • Last Modified:

Impersonation while network is disconnected

Hi,

I have win2k server for my network and winXPpro / Win2k pro as workstations
im trying to create process as user from the administrator group while logged in as simple user
im using the CreateProcessWithLogonW API for this but im getting error 1355 - "The specified domain either does not exist or could not be contacted".
I can 'log-in' with LogonUser even if the network is disconnected but calling CreateProcessAsUser (with the LogonUser token) gets error number 1314 - A required privilege is not held by the client.


any suggestions?
Regards,
0
eyalras
Asked:
eyalras
  • 10
  • 5
  • 4
1 Solution
 
Julian HansenCommented:
According to the documention the process that calls CreateProcessAsUser needs the following rights

SE_ASSIGNPRIMARYTOKEN_NAME  (Not required if hToken is a restricted version of the callers primary token)
SE_INCREASE_QUOTA_NAME

Enabling these rights may not be enough for it to work though - you may have to AdjustTokenPriviliges in your code in order for this to work correctly.

Look at the SetPrivilige function in the code sample at

http://support.microsoft.com/default.aspx?scid=kb;en-us;131065

for more info on how to adjust priviliges properly.

HTH
0
 
eyalrasAuthor Commented:
where should i assign these?

SE_ASSIGNPRIMARYTOKEN_NAME  
SE_INCREASE_QUOTA_NAME
0
 
Julian HansenCommented:
On the local computer

AdministrativeTools -> Local Security Policy->Local Policies->User Rights Assignment

In AD you can create a GPO to assign the rights

Computer Configuration->Security Settings->Local Policies->User Rights Assignment.

Assign as per normal security under NT/XP/2000


0
Upgrade your Question Security!

Add Premium security features to your question to ensure its privacy or anonymity. Learn more about your ability to control Question Security today.

 
eyalrasAuthor Commented:
Please spread your answer since im not so familiar with AD
the user i want to use the impersonation is Administrator in the domain
what fields should i change in the the User Rights...
In addition you mentioned the AdjustTokenPriviliges, how should i insert it to my code?
regards,
0
 
Julian HansenCommented:
Ok, firstly here is an MSDN article on how to do this in VB - you should be able to modify for your needs

http://support.microsoft.com/default.aspx?scid=kb;en-us;285879

To set rights do as follows

Open Local Security Policy in Administrative tools on the machine you want to run this on.

go to
Local Policies->User Rights Assignment
Select the Increase Quotas option and make sure the user's / groups that need this right (the user the process will be running under) is added to this right.
Do the same for "Replace a process level token".
You will also need the following rights "Act as part of the Operating System" if you are going to use LogonUser.

Adjusting token priviliges

Note this may not be required - sometimes is if you need certain rights to run a particular API call.

For this refer to the link I posted earlier

Copy the SetPriviliges code into your project and call it as follows (assumes hToken is the token for the current process - again refer to the article for more info)

if ( !SetPrivilege ( hToken, SE_ASSIGNPRIMARYTOKEN_NAME, TRUE ) )
{
  // handle the error
}

if ( !SetPrivilege ( hToken, SE_INCREASE_QUOTA_NAME_NAME, TRUE ) )
{
  // handle the error
}

You should now be able to make your call to CreateProcessAsUser.




0
 
eyalrasAuthor Commented:
in the article you point to, it mentioned that with CreateProcessWithLogonW()  there is no need to changes the AD settings (which is much better option for me). is it true, can this function replace the LogonUser and Createprocess as user ?
0
 
Julian HansenCommented:
Yes - sorry didn't read the article properly - it differentiats between NT4 and Win2k

0
 
eyalrasAuthor Commented:
well,
with this function im getting error 1355 - "The specified domain either does not exist or could not be contacted".
 as mentioned in my first Q
can you help me with this?
0
 
Julian HansenCommented:
Can you check if you have the following privilige for the account you are running this under

Act as part of the operating system.

If this does not work give me some time and I will try and knock together some sample code.

0
 
eyalrasAuthor Commented:
i have this priviliges for all the domain users...
0
 
eyalrasAuthor Commented:
dont forget i disconnect the newtwork cable
but as you probably know under 2k and later you dont have to be cinnected to log in
0
 
jkrCommented:
How are you specifying the domain name?
0
 
eyalrasAuthor Commented:
what do u mean?
by now i have a tester which i put the domain name as hardcode
and im not using the @ sign for the user name and domain but each of them as separate argument
0
 
jkrCommented:
And what logon flags are you using?
0
 
eyalrasAuthor Commented:
for CreateProcessWithLogonW: here the code
ret = 0

 ret = CreateProcessWithLogonW(StrConv("username" + Chr$(0), vbUnicode), StrConv("testdomain" + Chr$(0),    vbUnicode), StrConv("1234" + Chr$(0), vbUnicode), LOGON_WITH_PROFILE, 0&, StrConv("c:\windows\notepad.exe" + Chr$(0), vbUnicode), CREATE_DEFAULT_ERROR_MODE, 0&, StrConv("c:\" + Chr$(0), vbUnicode), si, pi)

OutputDebugString ("CreateProcessWithLogonW:testdomain return  = " & ret & " return code = " & Err.LastDllError)


for the logonUser + createprocessAsUser:
 
 ret = 0

    ret = LogonUser("username", "testdomain", "1234", LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, phToken)

    OutputDebugString ("LogonUser: testdomain return  = " & ret & " return code = " & Err.LastDllError)

    ret = 0

    ret = CreateProcessAsUser(phToken, 0&, "c:\windows\notepad.exe", 0&, 0&, False, CREATE_DEFAULT_ERROR_MODE, 0&, "c:\", si, pi)

    OutputDebugString ("CreateProcessAsUser: testdomain return  = " & ret & " return code = " & Err.LastDllError)
0
 
jkrCommented:
Try

ret = CreateProcessWithLogonW(StrConv("username" + Chr$(0), vbUnicode), StrConv("testdomain" + Chr$(0),    vbUnicode), StrConv("1234" + Chr$(0), vbUnicode), 0, 0&, StrConv("c:\windows\notepad.exe" + Chr$(0), vbUnicode), CREATE_DEFAULT_ERROR_MODE, 0&, StrConv("c:\" + Chr$(0), vbUnicode), si, pi)
0
 
eyalrasAuthor Commented:
well, this solution is good. THANKS A LOT
...and you own the points...

can you explain what Logon flag is 0




0
 
eyalrasAuthor Commented:
I want to accept your ansewr and im not sure this thread could get any more comments after it so please send your answer to Dovalle@lamda-sys.co.il

Thanks again
0
 
jkrCommented:
>>can you explain what Logon flag is 0

Because if you use 'LOGON_WITH_PROFILE', the client needs to contact the logon server to obtain the profile. If not, the cached credentials can be used.

BTW, you might find http://support.microsoft.com/default.aspx?scid=kb;en-us;285879 ("How To Start a Process as Another User from Visual Basic") useful for further reference.
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 10
  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now