How to detect user logon rights on win2k/xp?

Tim

Distinguished
Mar 31, 2004
1,833
0
19,780
Archived from groups: microsoft.public.win2000.security (More info?)

These are rights defined in NTSecAPI.h as the following:

#define SE_INTERACTIVE_LOGON_NAME TEXT("SeInteractiveLogonRight")
#define SE_NETWORK_LOGON_NAME TEXT("SeNetworkLogonRight")
#define SE_BATCH_LOGON_NAME TEXT("SeBatchLogonRight")
#define SE_SERVICE_LOGON_NAME TEXT("SeServiceLogonRight")
#define SE_DENY_INTERACTIVE_LOGON_NAME
TEXT("SeDenyInteractiveLogonRight")
#define SE_DENY_NETWORK_LOGON_NAME TEXT("SeDenyNetworkLogonRight")
#define SE_DENY_BATCH_LOGON_NAME TEXT("SeDenyBatchLogonRight")
#define SE_DENY_SERVICE_LOGON_NAME TEXT("SeDenyServiceLogonRight")
#define SE_REMOTE_INTERACTIVE_LOGON_NAME
TEXT("SeRemoteInteractiveLogonRight")
#define SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME
TEXT("SeDenyRemoteInteractiveLogonRight")

Please advise - I stayed up the whole night and couldn't find any solutions
other than enumerating all its parent group tree!

Thanks!

Tim
 
Archived from groups: microsoft.public.win2000.security (More info?)

"Tim" <tzhong@hotmail.com> wrote in message
news:ejoMeDK$EHA.2568@TK2MSFTNGP10.phx.gbl...
> These are rights defined in NTSecAPI.h as the following:
>
> #define SE_INTERACTIVE_LOGON_NAME
TEXT("SeInteractiveLogonRight")
> #define SE_NETWORK_LOGON_NAME TEXT("SeNetworkLogonRight")
> #define SE_BATCH_LOGON_NAME TEXT("SeBatchLogonRight")
> #define SE_SERVICE_LOGON_NAME TEXT("SeServiceLogonRight")
> #define SE_DENY_INTERACTIVE_LOGON_NAME
> TEXT("SeDenyInteractiveLogonRight")
> #define SE_DENY_NETWORK_LOGON_NAME
TEXT("SeDenyNetworkLogonRight")
> #define SE_DENY_BATCH_LOGON_NAME TEXT("SeDenyBatchLogonRight")
> #define SE_DENY_SERVICE_LOGON_NAME
TEXT("SeDenyServiceLogonRight")
> #define SE_REMOTE_INTERACTIVE_LOGON_NAME
> TEXT("SeRemoteInteractiveLogonRight")
> #define SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME
> TEXT("SeDenyRemoteInteractiveLogonRight")
>
> Please advise - I stayed up the whole night and couldn't find any
solutions
> other than enumerating all its parent group tree!

It is not clear what you wish to do, but you will
like receive more (and better) answers on one of the
programming groups since it does seem you are trying
to write an application in C.

FYI: If you are trying to see what rights a particular
user has you might wish to check that user's security
access token.

--
Herb Martin


>
> Thanks!
>
> Tim
>
>
 
Archived from groups: microsoft.public.win2000.security (More info?)

Herb,

Thanks for your quick response. sorry I didn't make it very clear, and here
it's what I am trying to achieve:

On win2k each user has his own "local security policy" settings, and among
them there are several "logon rights", such as "log on as a service", "log
on locally", etc. Adding or removing such a privilege can be easily done by
calling functions like "LsaAdd/RemoveAccountRights()". These privileges have
names like "SeServiceLogonRight", "SeDenyInteractiveLogonRight", etc.

There is also a function called "LsaEnumerateAccountRights()" - it, however,
only goes through the privileges the user DIRECTLY owns, i.e., it does NOT
return those rights inherited from the groups the user belongs to. So my
question is, is there any simple way to find out all privileges, directly
owned or inherited, without iterating through all parent (and grandparent)
groups?

Thanks again!

Tie
"Herb Martin" <news@LearnQuick.com> wrote in message
news:euEhs8L$EHA.2076@TK2MSFTNGP15.phx.gbl...
> "Tim" <tzhong@hotmail.com> wrote in message
> news:ejoMeDK$EHA.2568@TK2MSFTNGP10.phx.gbl...
>> These are rights defined in NTSecAPI.h as the following:
>>
>> #define SE_INTERACTIVE_LOGON_NAME
> TEXT("SeInteractiveLogonRight")
>> #define SE_NETWORK_LOGON_NAME TEXT("SeNetworkLogonRight")
>> #define SE_BATCH_LOGON_NAME TEXT("SeBatchLogonRight")
>> #define SE_SERVICE_LOGON_NAME TEXT("SeServiceLogonRight")
>> #define SE_DENY_INTERACTIVE_LOGON_NAME
>> TEXT("SeDenyInteractiveLogonRight")
>> #define SE_DENY_NETWORK_LOGON_NAME
> TEXT("SeDenyNetworkLogonRight")
>> #define SE_DENY_BATCH_LOGON_NAME TEXT("SeDenyBatchLogonRight")
>> #define SE_DENY_SERVICE_LOGON_NAME
> TEXT("SeDenyServiceLogonRight")
>> #define SE_REMOTE_INTERACTIVE_LOGON_NAME
>> TEXT("SeRemoteInteractiveLogonRight")
>> #define SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME
>> TEXT("SeDenyRemoteInteractiveLogonRight")
>>
>> Please advise - I stayed up the whole night and couldn't find any
> solutions
>> other than enumerating all its parent group tree!
>
> It is not clear what you wish to do, but you will
> like receive more (and better) answers on one of the
> programming groups since it does seem you are trying
> to write an application in C.
>
> FYI: If you are trying to see what rights a particular
> user has you might wish to check that user's security
> access token.
>
> --
> Herb Martin
>
>
>>
>> Thanks!
>>
>> Tim
>>
>>
>
>
 
Archived from groups: microsoft.public.win2000.security (More info?)

"Tim" <tzhong@hotmail.com> wrote in message
news:#MQSpHN$EHA.2112@TK2MSFTNGP14.phx.gbl...
> Herb,
>
> Thanks for your quick response. sorry I didn't make it very clear, and
here
> it's what I am trying to achieve:
>
> On win2k each user has his own "local security policy" settings, and among
> them there are several "logon rights", such as "log on as a service", "log
> on locally", etc. Adding or removing such a privilege can be easily done
by
> calling functions like "LsaAdd/RemoveAccountRights()". These privileges
have
> names like "SeServiceLogonRight", "SeDenyInteractiveLogonRight", etc.

Yes, those rights calculated at logon and returned (from the DC
etc.) as part of the Security Access Token which is why I
suggested investigating that.

> There is also a function called "LsaEnumerateAccountRights()" - it,
however,
> only goes through the privileges the user DIRECTLY owns, i.e., it does NOT
> return those rights inherited from the groups the user belongs to.

The Security Access Token must have all of them.
(except for possibly Special Groups like Everyone.)

> So my
> question is, is there any simple way to find out all privileges, directly
> owned or inherited, without iterating through all parent (and grandparent)
> groups?

Without having the user logged on?

No. It is calculated at each User logon when the list of
SIDs (personal and groups) are accumulated (again this
is used to create the Security Access Token.)


--
Herb Martin


"Tim" <tzhong@hotmail.com> wrote in message
news:#MQSpHN$EHA.2112@TK2MSFTNGP14.phx.gbl...
> Herb,
>
> Thanks for your quick response. sorry I didn't make it very clear, and
here
> it's what I am trying to achieve:
>
> On win2k each user has his own "local security policy" settings, and among
> them there are several "logon rights", such as "log on as a service", "log
> on locally", etc. Adding or removing such a privilege can be easily done
by
> calling functions like "LsaAdd/RemoveAccountRights()". These privileges
have
> names like "SeServiceLogonRight", "SeDenyInteractiveLogonRight", etc.
>
> There is also a function called "LsaEnumerateAccountRights()" - it,
however,
> only goes through the privileges the user DIRECTLY owns, i.e., it does NOT
> return those rights inherited from the groups the user belongs to. So my
> question is, is there any simple way to find out all privileges, directly
> owned or inherited, without iterating through all parent (and grandparent)
> groups?
>
> Thanks again!
>
> Tie
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:euEhs8L$EHA.2076@TK2MSFTNGP15.phx.gbl...
> > "Tim" <tzhong@hotmail.com> wrote in message
> > news:ejoMeDK$EHA.2568@TK2MSFTNGP10.phx.gbl...
> >> These are rights defined in NTSecAPI.h as the following:
> >>
> >> #define SE_INTERACTIVE_LOGON_NAME
> > TEXT("SeInteractiveLogonRight")
> >> #define SE_NETWORK_LOGON_NAME TEXT("SeNetworkLogonRight")
> >> #define SE_BATCH_LOGON_NAME TEXT("SeBatchLogonRight")
> >> #define SE_SERVICE_LOGON_NAME TEXT("SeServiceLogonRight")
> >> #define SE_DENY_INTERACTIVE_LOGON_NAME
> >> TEXT("SeDenyInteractiveLogonRight")
> >> #define SE_DENY_NETWORK_LOGON_NAME
> > TEXT("SeDenyNetworkLogonRight")
> >> #define SE_DENY_BATCH_LOGON_NAME
TEXT("SeDenyBatchLogonRight")
> >> #define SE_DENY_SERVICE_LOGON_NAME
> > TEXT("SeDenyServiceLogonRight")
> >> #define SE_REMOTE_INTERACTIVE_LOGON_NAME
> >> TEXT("SeRemoteInteractiveLogonRight")
> >> #define SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME
> >> TEXT("SeDenyRemoteInteractiveLogonRight")
> >>
> >> Please advise - I stayed up the whole night and couldn't find any
> > solutions
> >> other than enumerating all its parent group tree!
> >
> > It is not clear what you wish to do, but you will
> > like receive more (and better) answers on one of the
> > programming groups since it does seem you are trying
> > to write an application in C.
> >
> > FYI: If you are trying to see what rights a particular
> > user has you might wish to check that user's security
> > access token.
> >
> > --
> > Herb Martin
> >
> >
> >>
> >> Thanks!
> >>
> >> Tim
> >>
> >>
> >
> >
>
>