Re: Question about Permissions

From: Ron M. Newman (ronmnewman_at_newman.com)
Date: 09/16/04


Date: Thu, 16 Sep 2004 18:44:54 -0400

William DePalo [MVP VC++] wrote:
> "Ron M. Newman" <ronmnewman@newman.com> wrote in message
> news:uupig8CnEHA.2680@TK2MSFTNGP15.phx.gbl...
>
>>- Suppose I am the administrator and I am running a certain process. Let's
>>assume I have the userID and password of another user with lesser
>>permissions. Is there any way to programmatically spawn a process or a
>>thread that would have the permissions (file permissions) matching what
>>that user would have if it were logged in?
>
>
> Yes. CreateProcessWithLogon() is probably the most straightforward way.
>
> Do you know that you can create a shortcut to an application and select the
> "Run with different credentials" as well? When the shortcut is clicked, the
> user is presented a dialog in which he can enter the credentials of the
> target.
>
>
>>- On the same level, can an NT Service create a thread or spawn a process
>>that would have the permissions of a certain user it has the
>>userID+password for?
>
>
> Services live to do this. The topic in question is called "Client
> Impersonation" and is quite broad. You might want to start reading here:
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cossdk/htm/pgservices_security_3yer.asp
>
> To cut to the chase look up LogonUser(), ImpersonateLoggedOnUser() and
> RevertToSelf() for the details. Note that services don't necessarily need
> their clients' passwords. If the client and service communicate via an
> "impersonable" channel, the service can just tell the operating system to
> impersonate the client as the operating system knows full well who is at the
> other end. Check the docs for ImpersonateNamedPipeClient(),
> DdeImpersonateClient() and RpcImpersonateClient(), for example, for more
> information.
>
>
>>and do that without logging the current user out?
>
>
> No. Services run with or without users logged on to the machine. What
> changes is the service's security context, not the user's.
>
> Regards,
> Will
>
>

Thank you! I appreciate your elaborate response. It's very helpful!
  Ron
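
The LogonUser() / ImpersonateLoggedOnUser() / RevertToSelf() sequence named in the reply above, as an added PowerShell example that is not part of the original thread. `Invoke-AsUser` and the `Demo.Native` type are hypothetical names; the interactive logon type and a credential entered as `DOMAIN\user` or a local account name are assumptions.

```powershell
# Added example. P/Invoke declarations for the Win32 calls named in the thread.
Add-Type -Namespace Demo -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool ImpersonateLoggedOnUser(IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool RevertToSelf();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

# Invoke-AsUser is a hypothetical helper name, not a built-in cmdlet.
function Invoke-AsUser {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [scriptblock]  $Action
    )
    $net    = $Credential.GetNetworkCredential()
    $domain = if ($net.Domain) { $net.Domain } else { '.' }   # '.' = local account database
    $token  = [IntPtr]::Zero
    # 2 = LOGON32_LOGON_INTERACTIVE, 0 = LOGON32_PROVIDER_DEFAULT (assumed logon type)
    if (-not [Demo.Native]::LogonUser($net.UserName, $domain, $net.Password, 2, 0, [ref] $token)) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "LogonUser failed, Win32 error $err"
    }
    try {
        # Check the result: if this call fails and is ignored, $Action would
        # run with the caller's (administrator or service) rights instead.
        if (-not [Demo.Native]::ImpersonateLoggedOnUser($token)) {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "ImpersonateLoggedOnUser failed, Win32 error $err"
        }
        try {
            & $Action   # file access here is checked against the target user's token
        }
        finally {
            # A thread that cannot revert must not keep running under the wrong identity.
            if (-not [Demo.Native]::RevertToSelf()) {
                [Environment]::FailFast('RevertToSelf failed')
            }
        }
    }
    finally {
        [void] [Demo.Native]::CloseHandle($token)   # always release the logon token
    }
}
# Usage (the path is a constructed sample value):
# Invoke-AsUser -Credential (Get-Credential) -Action { Get-Content 'C:\Data\report.txt' }
```

Only the calling thread's security context changes for the duration of `$Action`; the logged-on user's session is untouched, as the reply notes.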


