Re: Setting SeSecurityPrivilege on IWbemServices in C++


From: Alex (alexbalaev_at_yahoo.com)
Date: 04/08/04


Date: 8 Apr 2004 08:09:44 -0700

Ivan,
Yes, this approach works: I can see all log files and on DC also.
Thanks much for your help!
Alex.

"Ivan Brugiolo [MSFT]" <ivanbrug@online.microsoft.com> wrote in message news:<uB1M#BMHEHA.1192@TK2MSFTNGP11.phx.gbl>...
> If you are local administrator of the Domain Controller, it should work.
> If you are local administrator in a machine that belongs to a domain,
> try using eventvwr.exe and connecting to the event-log of the remote
> machine.
>
> To check privileges quickly, you can use the `!token' command in
> cdb/ntsd/windbg.
> There are APIs (GetTokenInformation) that will do the job for you
> programmatically.
>
> To get a remoting scenario working correctly, you need to understand all the
> authentication hops.
> First of all, non-enabled privileges are stripped away across a LRPC
> communication (local authentication),
> but they are propagated and all-enabled in the OSF communication (across the
> network authentication).
> Then you have to understand how your remoting affects privilege propagation
> and Subject-Context token.
> For example, a DCOM communication with STATIC cloaking
> may fool your attempt to enable the SeSecurityPrivilege, because the
> identity was snapshot-ed before you enabled the privilege.
> Setting a token with an enabled privilege on a thread may not work if
> your architecture uses a separate worker thread that runs in the process
> context
> to talk with a remote machine.
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of any included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
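
The programmatic check mentioned in the quoted reply (GetTokenInformation), as an added example that is not code from this thread: it reports whether a privilege is absent from a token, held but disabled, or enabled. The function names, the PrivState enum, the non-Windows stand-in types and the sample LUIDs are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#else  // Assumption: stand-ins mirroring the Win32 layouts so this builds off Windows
typedef uint32_t DWORD;
struct LUID { uint32_t LowPart; int32_t HighPart; };
struct LUID_AND_ATTRIBUTES { LUID Luid; DWORD Attributes; };
struct TOKEN_PRIVILEGES { DWORD PrivilegeCount; LUID_AND_ATTRIBUTES Privileges[1]; };
#define SE_PRIVILEGE_ENABLED 0x00000002u
#endif

enum PrivState { PRIV_ERROR, PRIV_ABSENT, PRIV_DISABLED, PRIV_ENABLED };
// Walk TokenPrivileges data: a privilege can be held by the token yet not enabled.
PrivState privilege_state(const TOKEN_PRIVILEGES *tp, LUID want) {
    const LUID_AND_ATTRIBUTES *p = tp->Privileges;
    for (DWORD i = 0; i < tp->PrivilegeCount; ++i)
        if (p[i].Luid.LowPart == want.LowPart && p[i].Luid.HighPart == want.HighPart)
            return (p[i].Attributes & SE_PRIVILEGE_ENABLED) ? PRIV_ENABLED : PRIV_DISABLED;
    return PRIV_ABSENT;
}
#ifdef _WIN32
// Effective token of the calling thread: its impersonation token if any, else the process token.
PrivState current_privilege_state(const wchar_t *name) {
    HANDLE tok = NULL; LUID luid; DWORD len = 0;
    if (!LookupPrivilegeValueW(NULL, name, &luid)) return PRIV_ERROR;
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &tok) &&
        !OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return PRIV_ERROR;
    GetTokenInformation(tok, TokenPrivileges, NULL, 0, &len);  // size probe
    std::vector<BYTE> buf(len ? len : sizeof(TOKEN_PRIVILEGES));
    BOOL ok = GetTokenInformation(tok, TokenPrivileges, buf.data(), (DWORD)buf.size(), &len);
    CloseHandle(tok);
    return ok ? privilege_state((const TOKEN_PRIVILEGES *)buf.data(), luid) : PRIV_ERROR;
}
#endif

// Constructed sample: a token holding only `held`, with attribute bits `attrs`.
PrivState sample_state(LUID held, DWORD attrs, LUID want) {
    TOKEN_PRIVILEGES tp = {1, {{held, attrs}}};
    return privilege_state(&tp, want);
}

int main() {
#ifdef _WIN32
    printf("SeSecurityPrivilege: %d\n", current_privilege_state(L"SeSecurityPrivilege"));
#endif
    LUID a = {100, 0}, b = {101, 0};  // constructed LUIDs, not real privilege values
    printf("%d %d %d\n", sample_state(a, SE_PRIVILEGE_ENABLED, a), sample_state(a, 0, a), sample_state(a, 0, b));
}
```

Run the check on the thread that actually issues the remote call, since a worker thread running in the process context carries a different token than the thread where the privilege was enabled.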


