AdjustTokenPrivilages 3

ADoozer · Sep 8, 2003

ok here goes!

im using code provided in thread222-601022

the return code from the AdjustTokenPrivilages is 1, how do i determine what the new privilages are.

i read its something to do with the NewState and PreviousState, but i dont know how to determine exactly what that means! (in other words its just a bunch of numbers to me!)

the only thing that changes is that:-

NewTokenStuff.Privilages(0).Attributes=2

does that mean i succesfully changed my Atributes???

any help appreciated!

thnx in advance!

If somethings hard to do, its not worth doing - Homer Simpson
------------------------------------------------------------------------
To get the best response to a question, please check out FAQ222-2244 first
A General Guide To Excel in VB FAQ222-3383

strongm · Sep 8, 2003

I'm not even going to begin telling you...;-)

ADoozer · Sep 9, 2003

? any particular reason ?

If somethings hard to do, its not worth doing - Homer Simpson
------------------------------------------------------------------------
To get the best response to a question, please check out FAQ222-2244 first
A General Guide To Excel in VB FAQ222-3383

strongm · Sep 9, 2003

Erm...no, not really...I just know you normally like figuring stuff out yourself...

>how do i determine what the new privilages are

Well, in this example we're only trying to change 1 privilege, and we chose the privilege (SE_TCB_NAME), so if the call to AdjustTokenProperties is successful (indicated by a non-zero value, the 1 you get) we know that the privilege has been succesfully adjusted. If the call fails (0 gets returned) it hasn't. You nver have to worry about what is in OldTokenStuff or NewTokenStuff.

Of course, if we were trying to set multiple privileges it becomes more tricky. A non-zero value returned from the AdjustTokenProperties means that all the privileges we asked for have been changed as per our request. However, a 0 now merely means that one or more (possible all) of the privilege adjustments have failed.

Since OldTokenStuff holds an array of privileges that were changed by the adjustment, you might think that looping through that array would tell you where the problem was (OldTokenStuff.PrivilegeCount tells you how many items there are in the array, and then you can use LookupPrivilegeName using the LUID held in each array entry to see what the privilege was changed).

However, this isn't really sufficient because, as I mentioned "OldTokenStuff holds an array of privileges that were changed by the adjustment". In other words, if a token already holds the privilege of the value you want then clearly it won't get changed by AdjustTokenPrivilege and hence will not appear in the OldTokenStuff privileges array. There is, therefore, no way of discriminating between a genuine failed privilege adjustment and the situation where the privilege you requested is already there.

One solution to this would be to call GetTokenInformation for the token, which returns the same structure as is represented by OldTokenStuff and NewTokenStuff, but contains information on every privilege held by the token. You can then walk throug that list to see if the privilege you meant to adjust has been successfully adjusted.

It may also be worth pointing out that, since you probably don't know which LUID (the unique value representing a privilege) is which, you can always use LookupPrivilegeName and LookupPrivilegeDisplayName to get something more meaningful...

ADoozer · Sep 9, 2003

yeah your right i do like figuring stuff out but if you can remember back to when i got first on this subject (the link in the link) youll probably agree that ive run out of ideas!!

ok. so what you have said makes sense, and it would seem that th AdjustAccessToken function mentioned (in the link) is actually working.

unfortunately this puts me back to square one with the MakeMeImpersonate function (in the link) id convinced myself it was because i didnt have the right privilage!!!

well i guess id better go run through all the code again!

thnxs

If somethings hard to do, its not worth doing - Homer Simpson
------------------------------------------------------------------------
To get the best response to a question, please check out FAQ222-2244 first
A General Guide To Excel in VB FAQ222-3383

ADoozer · Sep 9, 2003

hmm... ok so after posting i did go back and instantly something hit me!

in this line:-

If NOT result Then Err.Raise Err.LastDllError, "LogonUser", "AdjustToken: " & ApiErrorText(Err.LastDllError)

a return of 1 which apparently is a good return value raises an error!!!

so i changed this to

If result = 0 Then Err.Raise Err.LastDllError, "LogonUser", "AdjustToken: " & ApiErrorText(Err.LastDllError)

since our result was 1 (a good result) i figure this only fair.

so then i hit command1!!! and in the logonuser call the return code is 0 and the error raised is "A required privilege is not held by the client"

now according to MSDN

The process that calls LogonUser must have the SE_TCB_NAME privilege. The privilege does not need to be enabled. The LogonUser function enables the privilege as necessary. If the calling process does not have this privilege, LogonUser fails and GetLastError returns ERROR_PRIVILEGE_NOT_HELD.

now on that note if we dont have SE_TCB_NAME privilages then surrely the AdjustTokenPrivilages failed!!!! (which with a return of 1 is confusing)

can u shed any more light????

thnx again

If somethings hard to do, its not worth doing - Homer Simpson
------------------------------------------------------------------------
To get the best response to a question, please check out FAQ222-2244 first
A General Guide To Excel in VB FAQ222-3383

strongm · Sep 9, 2003

It is indeed fair.The code I wrote and dumped was a fast version, and your modification of the If staement is correct. However, if you then hit Command2 folowed by Command1 are you still getting the failure error?

strongm · Sep 9, 2003

Oops. Very, very badly phrased question. What I actually meant to say was can you confirm that it is definitely the LogonUser call that is failing, and not the ImpersonateLoggedOnUser when you hit Command2?

Further, are you running this on a domain controller?

strongm · Sep 9, 2003

And does user Ralph have the "Log On Locally" permission set?

ADoozer · Sep 10, 2003

1) yes i run command2 followed by command1 and this causes

2) logonuser(API) to return 0

3) i am logged on as administrator

4) ralph is just a regular user but is not restricted in any way

hope that answers all points.

thnx for the continued help!

If somethings hard to do, its not worth doing - Homer Simpson
------------------------------------------------------------------------
To get the best response to a question, please check out FAQ222-2244 first
A General Guide To Excel in VB FAQ222-3383

ADoozer · Sep 27, 2003

If somethings hard to do, its not worth doing - Homer Simpson
------------------------------------------------------------------------

http://www.climateprediction.net/index.php