Advanced User Rights 

I am looking for a way of accessing the registry and other features that
are not available to a normal user. As this is a private app to be used upon
our local machines, I know the Domain Admin password and local Admin
passwords. NT has a SU utility, but I can't get this to work. It would be
good if someone could show an example of how to raise someone's permission,
but only for the period of the app. If anyone can help, it would be
appreciated.

Regards,
Shane



Thu, 25 Dec 2003 14:27:50 GMT  
 Advanced User Rights
it's easy with windows 2k, it has an api which can do it. if you are running
winnt, you will need a user with the SeTCBPrivilege enabled who calls the
LogonUser and the CreateProcessAsUser apis which will do exactly what you
want. if you like to raise the permissions of your own app, call
ImpersonateLoggedOnUser and pass the token you received from your call to
LogonUser.
however, don't grant the SeTCBPrivilege to ordinary users as it is a very
powerful privilege.
and don't crosspost. i doubt this problem has something to do with
microsoft.public.vb.winapi.networks.

cheers,

-- michael



Quote:
> I am looking for a way of accessing the registry and other features that
> are not available to a normal user. As this is a private app to be used upon
> our local machines, I know the Domain Admin password and local Admin
> passwords. NT has a SU utility, but I can't get this to work. It would be
> good if someone could show an example of how to raise someone's permission,
> but only for the period of the app. If anyone can help, it would be
> appreciated.

> Regards,
> Shane



Thu, 25 Dec 2003 18:40:29 GMT  
 Advanced User Rights
Thanks for your reply. I am using NT 4.0. I need to run several things to
make changes to the registry and stop, restart services. As a normal user
can't do this I need to up the permissions. In our login script I would call
this and pass the commands I need (reg files, commands, etc). If you could
help further, it would be appreciated.

Regards,
Shane


Quote:
> it's easy with windows 2k, it has an api which can do it. if you are running
> winnt, you will need a user with the SeTCBPrivilege enabled who calls the
> LogonUser and the CreateProcessAsUser apis which will do exactly what you
> want. if you like to raise the permissions of your own app, call
> ImpersonateLoggedOnUser and pass the token you received from your call to
> LogonUser.
> however, don't grant the SeTCBPrivilege to ordinary users as it is a very
> powerful privilege.
> and don't crosspost. i doubt this problem has something to do with
> microsoft.public.vb.winapi.networks.

> cheers,

> -- michael



> > I am looking for a way of accessing the registry and other features that
> > are not available to a normal user. As this is a private app to be used upon
> > our local machines, I know the Domain Admin password and local Admin
> > passwords. NT has a SU utility, but I can't get this to work. It would be
> > good if someone could show an example of how to raise someone's permission,
> > but only for the period of the app. If anyone can help, it would be
> > appreciated.

> > Regards,
> > Shane



Thu, 25 Dec 2003 19:14:34 GMT  
 Advanced User Rights
well ... basically you call the LogonUser api and pass username and
password -- if the login succeeded, you will get back a handle which you can
pass to the ImpersonateLoggedOnUser api. from this moment on, your
application will have the privileges of the other user and so will all the
other applications your program starts. if your app finished its tasks, you
call the RevertToSelf api to lower your privileges again. to do this, every
user will need to have the SeTCBPrivilege.
that's why i would take another approach. write a service using microsoft's
service control (ntsvc.ocx) which runs all the time (services usually have
administrative privileges). whenever a user logs on, notify the service
(send a message, etc.) which will then perform the required operations. that
way, there is no security risk by granting users quite powerful privileges.

cheers,

-- michael



Quote:
> Thanks for your reply. I am using NT 4.0. I need to run several things to
> make changes to the registry and stop, restart services. As a normal user
> can't do this I need to up the permissions. In our login script I would call
> this and pass the commands I need (reg files, commands, etc). If you could
> help further, it would be appreciated.

> Regards,
> Shane



Thu, 25 Dec 2003 19:23:43 GMT  
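
The sequence the last reply describes (LogonUser, then ImpersonateLoggedOnUser, then RevertToSelf), as an added VB6 example that is not part of the original thread. `RunAsAccount` and `DoAdminWork` are hypothetical names; the point shown is checking every return value and always reverting and closing the token handle, even when the work raises an error.

```vb
Private Declare Function LogonUser Lib "advapi32.dll" Alias "LogonUserA" ( _
    ByVal lpszUsername As String, ByVal lpszDomain As String, _
    ByVal lpszPassword As String, ByVal dwLogonType As Long, _
    ByVal dwLogonProvider As Long, phToken As Long) As Long
Private Declare Function ImpersonateLoggedOnUser Lib "advapi32.dll" ( _
    ByVal hToken As Long) As Long
Private Declare Function RevertToSelf Lib "advapi32.dll" () As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Const LOGON32_LOGON_INTERACTIVE As Long = 2
Private Const LOGON32_PROVIDER_DEFAULT As Long = 0

' Hypothetical helper: runs DoAdminWork under the given account and always
' returns to the caller's own identity before it exits.
Public Function RunAsAccount(ByVal User As String, ByVal Domain As String, _
                             ByVal Password As String) As Boolean
    Dim hToken As Long
    Dim impersonating As Boolean

    On Error GoTo Cleanup

    If LogonUser(User, Domain, Password, LOGON32_LOGON_INTERACTIVE, _
                 LOGON32_PROVIDER_DEFAULT, hToken) = 0 Then
        Debug.Print "LogonUser failed, error " & Err.LastDllError
        GoTo Cleanup
    End If

    ' Stop here on failure: otherwise the work would run under the wrong identity.
    If ImpersonateLoggedOnUser(hToken) = 0 Then
        Debug.Print "ImpersonateLoggedOnUser failed, error " & Err.LastDllError
        GoTo Cleanup
    End If
    impersonating = True

    DoAdminWork
    RunAsAccount = True

Cleanup:
    ' Reached on success, on API failure and on any runtime error in DoAdminWork.
    If impersonating Then
        If RevertToSelf() = 0 Then End   ' cannot drop the identity: terminate
    End If
    If hToken <> 0 Then CloseHandle hToken
End Function

Private Sub DoAdminWork()
    ' Placeholder for the registry or service changes (assumption, not from the thread).
End Sub
```

The credentials are passed in by the caller rather than embedded in the source, so they do not end up in the compiled program or the login script.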
 