Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

How to ImpersonateLoggedOnUser on Windows NT/2000?

0 views
Skip to first unread message

Gary Herron

unread,
Jun 25, 2002, 1:34:35 PM6/25/02
to
Hi,

I'm trying to write a script for both Windows NT/2000 and Linux which
needs to perform actions on the behalf of several different users.

On Linux I use "os.seteuid" and friends and all is fine.

On NT the comparable thing seems to be LogonUser,
ImpersonateLoggedOnUser, and RevertToSelf. However for these calls to
be successful, one needs various privileges, such as SE_TCB_NAME, and
SE_CHANGE_NOTIFY_NAME..

At this point I start getting lost, so I hope someone who has been
through this can help me. How can a Python program running as local
administrator on Windows NT/2000 set those privileges, and then once
set, how does one actually *do* the impersonation?

Thank you,
Dr. Gary Herron


David LeBlanc

unread,
Jun 25, 2002, 5:22:00 PM6/25/02
to

After a quick look at MSDN, it looks like it goes like this on Win2000
Pro(psuedo C code):
1. Use Start | Programs | Administrative tools | Computer Management to add
a user.
2. Use Start | Programs | Administrative tools | Local Security Policy to
add the user to the desired access control list (which is backwards from the
way NT did it - you added priviledges to users).
3. This code:
PHandle userHandle;
LogonUser(user, domain, password, LOGON32_LOGON_BATCH,
LOGON32_PROVIDER_DEFAULT, userHandle);
// LOGON32_LOGON_BATCH can also be LOGON32_LOGON_INTERACTIVE
ImpersonateLoggedOnUser(userHandle);
// do whatever
RevertToSelf(); // or just exit to revert to self.

Presumably you've seen the discussion of this in the Python Win32 extensions
help?

After a bunch more reading in MSDN, it looks like the simplest way to have a
user with sufficient priveledges is to use the GUI tools to create such a
user and then impersonate it. I suspect the programmatic way is to create
Access Control Lists and Security Descriptors - and MSDN doesn't connect the
dots for doing that. "Sufficient Priviledges" include both the user's
permissions and the permissions of the object the user is trying to
manipulate.

You might find this of interest: http://www.codeguru.com/system/Logon.shtml

I wish I could be more help - a way to do this 100% programmatically
interests me too.

Dave LeBlanc
Seattle, WA USA

0 new messages