Re: Question about Permissions

From: William DePalo [MVP VC++] (willd.no.spam_at_mvps.org)
Date: 09/16/04


Date: Thu, 16 Sep 2004 18:20:58 -0400


"Ron M. Newman" <ronmnewman@newman.com> wrote in message
news:uupig8CnEHA.2680@TK2MSFTNGP15.phx.gbl...
> - Suppose I am the administrator and I am running a certain process. Let's
> assume I have the userID and password of another user with lesser
> permissions. Is there any way to programmatically spawn a process or a
> thread that would have the permissions (file permissions) matching what
> that user would have if it were logged in?

Yes. CreateProcessWithLogon() is probably the most straightforward way.

Do you know that you can create a shortcut to an application and select the
"Run with different credentials" as well? When the shortcut is clicked, the
user is presented a dialog in which he can enter the credentials of the
target.

> - On the same level, can an NT Service create a thread or spawn a process
> that would have the permissions of a certain user it has the
> userID+password for?

Services live to do this. The topic in question is called "Client
Impersonation" and is quite broad. You might want to start reading here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cossdk/htm/pgservices_security_3yer.asp

To cut to the chase look up LogonUser(), ImpersonateLoggedOnUser() and
RevertToSelf() for the details. Note that services don't necessarily need
their clients' passwords. If the client and service communicate via an
"impersonable" channel, the service can just tell the operating system to
impersonate the client as the operating system knows full well who is at the
other end. Check the docs for ImpersonateNamedPipeClient(),
DdeImpersonateClient() and RpcImpersonateClient(), for example, for more
information.

> and do that without logging the current user out?

No. Services run with or without users logged on to the machine. What
changes is the service's security context, not the user's.

Regards,
Will
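
The LogonUser() / ImpersonateLoggedOnUser() / RevertToSelf() sequence named in the reply above, as an added C example that is not part of the original post. It shows the two checks that matter: no work is done if impersonation fails, and the thread always reverts and closes the token. `imp_ops`, `run_as_user` and the fake backend are hypothetical names introduced here; on Windows a service would pass `&win32_ops`.

```c
#ifdef _WIN32
#include <windows.h>   /* LogonUserA etc.; link with advapi32 */
#endif
/* Hypothetical seam (not a Windows type): the OS calls the flow depends on. */
typedef struct {
    int  (*logon)(const char *user, const char *dom, const char *pw, void **tok);
    int  (*impersonate)(void *tok);
    int  (*revert)(void);
    void (*close_token)(void *tok);
} imp_ops;
typedef enum { IMP_OK, IMP_LOGON_FAILED, IMP_IMPERSONATE_FAILED, IMP_REVERT_FAILED } imp_status;
/* Run work(ctx) in the user's security context, then restore the caller's own. */
imp_status run_as_user(const imp_ops *ops, const char *user, const char *dom,
                       const char *pw, void (*work)(void *), void *ctx) {
    void *tok = 0;
    imp_status st = IMP_OK;
    if (!ops->logon(user, dom, pw, &tok)) return IMP_LOGON_FAILED;
    if (!ops->impersonate(tok)) {
        st = IMP_IMPERSONATE_FAILED;   /* never run work() as the service account */
    } else {
        work(ctx);
        if (!ops->revert()) st = IMP_REVERT_FAILED;  /* thread is still the user */
    }
    ops->close_token(tok);
    return st;
}
#ifdef _WIN32  /* real backend: the three APIs named in the post, plus CloseHandle */
static int w_logon(const char *u, const char *d, const char *p, void **t) {
    return LogonUserA(u, d, p, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, (PHANDLE)t);
}
static int  w_imp(void *t)   { return ImpersonateLoggedOnUser((HANDLE)t); }
static int  w_rev(void)      { return RevertToSelf(); }
static void w_close(void *t) { CloseHandle((HANDLE)t); }
const imp_ops win32_ops = { w_logon, w_imp, w_rev, w_close };
#endif
/* Constructed fake backend; fake_run() returns work_runs*100 + reverts*10 + closes. */
static int fake_imp_ok, fake_reverts, fake_closes, fake_work_runs;
imp_status fake_status;
static int  f_logon(const char *u, const char *d, const char *p, void **t) { (void)u; (void)d; (void)p; *t = &fake_closes; return 1; }
static int  f_imp(void *t)   { (void)t; return fake_imp_ok; }
static int  f_rev(void)      { return ++fake_reverts; }
static void f_close(void *t) { (void)t; fake_closes++; }
static void f_work(void *c)  { (void)c; fake_work_runs++; }
const imp_ops fake_ops = { f_logon, f_imp, f_rev, f_close };
int fake_run(int impersonation_ok) {
    fake_imp_ok = impersonation_ok; fake_reverts = fake_closes = fake_work_runs = 0;
    fake_status = run_as_user(&fake_ops, "alice", ".", "constructed-pw", f_work, 0);
    return fake_work_runs * 100 + fake_reverts * 10 + fake_closes;
}
int main(void) { return fake_run(0) == 1 && fake_status == IMP_IMPERSONATE_FAILED ? 0 : 1; }
```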


