How to detect user logon rights on win2k/xp?


Tim

These are rights defined in NTSecAPI.h as the following:

#define SE_INTERACTIVE_LOGON_NAME TEXT("SeInteractiveLogonRight")
#define SE_NETWORK_LOGON_NAME TEXT("SeNetworkLogonRight")
#define SE_BATCH_LOGON_NAME TEXT("SeBatchLogonRight")
#define SE_SERVICE_LOGON_NAME TEXT("SeServiceLogonRight")
#define SE_DENY_INTERACTIVE_LOGON_NAME TEXT("SeDenyInteractiveLogonRight")
#define SE_DENY_NETWORK_LOGON_NAME TEXT("SeDenyNetworkLogonRight")
#define SE_DENY_BATCH_LOGON_NAME TEXT("SeDenyBatchLogonRight")
#define SE_DENY_SERVICE_LOGON_NAME TEXT("SeDenyServiceLogonRight")
#define SE_REMOTE_INTERACTIVE_LOGON_NAME TEXT("SeRemoteInteractiveLogonRight")
#define SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME TEXT("SeDenyRemoteInteractiveLogonRight")

Please advise - I stayed up the whole night and couldn't find any solutions
other than enumerating all its parent group tree!

Thanks!

Tim
 
Tim said:
These are rights defined in NTSecAPI.h as the following:

#define SE_INTERACTIVE_LOGON_NAME TEXT("SeInteractiveLogonRight")
#define SE_NETWORK_LOGON_NAME TEXT("SeNetworkLogonRight")
#define SE_BATCH_LOGON_NAME TEXT("SeBatchLogonRight")
#define SE_SERVICE_LOGON_NAME TEXT("SeServiceLogonRight")
#define SE_DENY_INTERACTIVE_LOGON_NAME TEXT("SeDenyInteractiveLogonRight")
#define SE_DENY_NETWORK_LOGON_NAME TEXT("SeDenyNetworkLogonRight")
#define SE_DENY_BATCH_LOGON_NAME TEXT("SeDenyBatchLogonRight")
#define SE_DENY_SERVICE_LOGON_NAME TEXT("SeDenyServiceLogonRight")
#define SE_REMOTE_INTERACTIVE_LOGON_NAME TEXT("SeRemoteInteractiveLogonRight")
#define SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME TEXT("SeDenyRemoteInteractiveLogonRight")

Please advise - I stayed up the whole night and couldn't find any solutions
other than enumerating all its parent group tree!

It is not clear what you wish to do, but you will
likely receive more (and better) answers on one of the
programming groups since it does seem you are trying
to write an application in C.

FYI: If you are trying to see what rights a particular
user has you might wish to check that user's security
access token.
 
Herb,

Thanks for your quick response. Sorry I didn't make it very clear; here
is what I am trying to achieve:

On win2k each user has his own "local security policy" settings, and among
them there are several "logon rights", such as "log on as a service", "log
on locally", etc. Adding or removing such a privilege can be easily done by
calling functions like "LsaAdd/RemoveAccountRights()". These privileges have
names like "SeServiceLogonRight", "SeDenyInteractiveLogonRight", etc.

There is also a function called "LsaEnumerateAccountRights()" - it, however,
only goes through the privileges the user DIRECTLY owns, i.e., it does NOT
return those rights inherited from the groups the user belongs to. So my
question is, is there any simple way to find out all privileges, directly
owned or inherited, without iterating through all parent (and grandparent)
groups?

Thanks again!

Tie
 
Tim said:
Herb,

Thanks for your quick response. Sorry I didn't make it very clear; here
is what I am trying to achieve:

On win2k each user has his own "local security policy" settings, and among
them there are several "logon rights", such as "log on as a service", "log
on locally", etc. Adding or removing such a privilege can be easily done by
calling functions like "LsaAdd/RemoveAccountRights()". These privileges have
names like "SeServiceLogonRight", "SeDenyInteractiveLogonRight", etc.

Yes, those rights are calculated at logon and returned (from the DC
etc.) as part of the Security Access Token, which is why I
suggested investigating that.
There is also a function called "LsaEnumerateAccountRights()" - it, however,
only goes through the privileges the user DIRECTLY owns, i.e., it does NOT
return those rights inherited from the groups the user belongs to.

The Security Access Token must have all of them.
(except for possibly Special Groups like Everyone.)
So my
question is, is there any simple way to find out all privileges, directly
owned or inherited, without iterating through all parent (and grandparent)
groups?

Without having the user logged on?

No. It is calculated at each user logon when the list of
SIDs (personal and groups) is accumulated (again, this
is used to create the Security Access Token.)
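Herb's answer in code, as an added example that is not from anyone in this thread: the access token already carries the flattened list of the user's SID plus every group SID (direct and nested), so the effective logon rights can be computed by asking LsaEnumerateAccountRights() about each SID in that list rather than walking the group tree. The portable half below implements the combining rule (a right is effective if any SID in the token holds it, unless any SID holds the matching deny right; deny wins) over constructed sample data with made-up SIDs and rights. The half under `#ifdef _WIN32` feeds the calling process's real token and the real local LSA policy through the same rule; it compiles only on Windows, needs advapi32, and, as Herb says, only works for a user who is already logged on because it reads a live token. Function names (`effective_logon_right`, `sample_decision`, `current_token_logon_right`) are the example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Decision for one logon type after every SID in the token has been examined. */
typedef enum { LOGON_DENIED = -1, LOGON_NOT_GRANTED = 0, LOGON_ALLOWED = 1 } LogonDecision;

/* One LSA policy entry: an account SID (string form) plus the rights assigned
   directly to it, i.e. what LsaEnumerateAccountRights() reports for that SID. */
typedef struct { const char *sid; const char *const *rights; size_t nrights; } AccountRights;

static bool has_right(const AccountRights *a, const char *right)
{
    for (size_t i = 0; i < a->nrights; i++)
        if (strcmp(a->rights[i], right) == 0) return true;
    return false;
}

/* Combine per-SID answers the way LSA does at logon: the right is effective if any
   SID in the (already flattened) token list holds it, unless any SID holds the
   matching deny right; deny always wins. No group-tree walk is needed. */
LogonDecision effective_logon_right(const char *const *token_sids, size_t nsids,
                                    const AccountRights *policy, size_t npolicy,
                                    const char *allow, const char *deny)
{
    bool allowed = false, denied = false;
    for (size_t s = 0; s < nsids; s++)
        for (size_t p = 0; p < npolicy; p++) {
            if (strcmp(policy[p].sid, token_sids[s]) != 0) continue;
            allowed = allowed || has_right(&policy[p], allow);
            denied  = denied  || has_right(&policy[p], deny);
        }
    return denied ? LOGON_DENIED : allowed ? LOGON_ALLOWED : LOGON_NOT_GRANTED;
}

/* Constructed sample (not from a real machine): a user in BUILTIN\Users (S-1-5-32-545)
   and BUILTIN\Guests (S-1-5-32-546); Guests carries a deny right. */
static const char *const kUserRights[]   = { "SeServiceLogonRight" };
static const char *const kUsersRights[]  = { "SeInteractiveLogonRight", "SeNetworkLogonRight" };
static const char *const kGuestsRights[] = { "SeDenyNetworkLogonRight" };
static const AccountRights kSamplePolicy[] = {
    { "S-1-5-21-1000-2000-3000-1001", kUserRights, 1 },
    { "S-1-5-32-545", kUsersRights, 2 },
    { "S-1-5-32-546", kGuestsRights, 1 },
};
static const char *const kSampleToken[] = {
    "S-1-5-21-1000-2000-3000-1001", "S-1-5-32-545", "S-1-5-32-546", "S-1-1-0" };

/* Evaluate one logon type over the sample token and policy. */
LogonDecision sample_decision(const char *allow, const char *deny)
{
    return effective_logon_right(kSampleToken, 4, kSamplePolicy, 3, allow, deny);
}

#ifdef _WIN32
/* Windows-only half: run the same decision over the calling process's real token
   and the real local LSA policy (link with advapi32). Skipped on other platforms. */
#include <windows.h>
#include <ntsecapi.h>
#include <wchar.h>

static bool sid_has_right(LSA_HANDLE policy, PSID sid, const wchar_t *right)
{
    PLSA_UNICODE_STRING list = NULL; ULONG n = 0, i; bool found = false;
    /* A non-success status (e.g. STATUS_OBJECT_NAME_NOT_FOUND) means no rights assigned. */
    if (LsaEnumerateAccountRights(policy, sid, &list, &n) != 0) return false;
    for (i = 0; i < n && !found; i++)   /* LSA strings are not NUL-terminated */
        found = list[i].Length == wcslen(right) * sizeof(WCHAR) &&
                wcsncmp(list[i].Buffer, right, wcslen(right)) == 0;
    LsaFreeMemory(list);
    return found;
}

LogonDecision current_token_logon_right(const wchar_t *allow, const wchar_t *deny)
{
    HANDLE tok = NULL; LSA_HANDLE policy = NULL; LSA_OBJECT_ATTRIBUTES attrs;
    PTOKEN_USER user = NULL; PTOKEN_GROUPS groups = NULL; DWORD len = 0, i;
    bool allowed = false, denied = false;
    ZeroMemory(&attrs, sizeof attrs);
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok) ||
        LsaOpenPolicy(NULL, &attrs, POLICY_LOOKUP_NAMES, &policy) != 0) goto done;
    GetTokenInformation(tok, TokenUser, NULL, 0, &len);
    if ((user = LocalAlloc(LPTR, len)) && GetTokenInformation(tok, TokenUser, user, len, &len)) {
        allowed |= sid_has_right(policy, user->User.Sid, allow);
        denied  |= sid_has_right(policy, user->User.Sid, deny);
    }
    GetTokenInformation(tok, TokenGroups, NULL, 0, &len);
    if ((groups = LocalAlloc(LPTR, len)) && GetTokenInformation(tok, TokenGroups, groups, len, &len))
        for (i = 0; i < groups->GroupCount; i++) {
            /* A deny-only group SID can only take rights away, never grant them. */
            if (!(groups->Groups[i].Attributes & SE_GROUP_USE_FOR_DENY_ONLY))
                allowed |= sid_has_right(policy, groups->Groups[i].Sid, allow);
            denied |= sid_has_right(policy, groups->Groups[i].Sid, deny);
        }
done:
    if (user) LocalFree(user);  if (groups) LocalFree(groups);
    if (policy) LsaClose(policy);  if (tok) CloseHandle(tok);
    return denied ? LOGON_DENIED : allowed ? LOGON_ALLOWED : LOGON_NOT_GRANTED;
}
#endif
```

On the sample data, interactive and service logon come out allowed (one via the Users group, one directly on the user), network logon is denied even though Users grants it, because the Guests deny right overrides it, and batch logon is simply not granted. On Windows, a call such as current_token_logon_right(L"SeInteractiveLogonRight", L"SeDenyInteractiveLogonRight") answers the same question for the current process; the caller needs a policy handle with POLICY_LOOKUP_NAMES, which LsaOpenPolicy() grants to ordinary users on the local machine.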
 
So, finally, how did you get the effective rights? I'm facing the same problem. Can someone elaborate more on security access tokens?
 