I need to list all the privileges (and if they are enabled/disabled)
for a specific user.
I checked MSDN but I can't manage to make it work.
Can anyone help me out please?
Maybe someone has an example (VB, C++, …)?
Thanks,
Marc.
As far as debugging your problem goes,
you should narrow down the API that fails with Privilege-Not-Held.
Then, the documentation of that API should tell which privilege is required
to carry on the task.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
<marc.sch...@gb.be> wrote in message
news:1103874562.0...@z14g2000cwz.googlegroups.com...
Also make sure you check the platform SDK (offline and online) for code
examples.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Joe Richards [MVP] wrote:
--
677265676F727940346E6575726F6E732E636F6D
Marc's post is dated 2006 and does not have a references header.
So he just happened to use a title someone used in 2004. So what?
--
Frank Saunders, MS-MVP OE/WM
Reply in newsgroup
"They who would give up an essential liberty for temporary security, deserve
neither liberty or security"
> "Grzegorz Wróbel" </dev/nu...@localhost.localdomain> wrote in message
> news:e75iot$1lg$1...@nemesis.news.tpi.pl...
>
>> 1. He doesn't have any code snippet to show, he asked for it.
>> 2. This thread has been started in 2004, where did you dig out the
>> original message from?
>
>
>
> Marc's post is dated 2006 and does not have a references header.
> So he just happened to use a title someone used in 2004. So what?
>
I haven't found Marc's post on my news server at all, only your reply. Searching Google Groups I found it with the date of December 2004, and it has exactly the same body as the one you have quoted. Also, according to Google, he got 5 replies in 2004. Your reply is the 6th one and is the first one dated 2006.
--
677265676F727940346E6575726F6E732E636F6D
Anyway, in case it is still relevant (I'm really not sure), I wrote a similar procedure some time ago for debugging purposes:
It's ugly because it draws messages directly to the window DC (I was debugging the winlogon screensaver!), but you can just replace wsprintf with printf and get rid of the GDI function calls and variables:
    // Draws the privileges held by the current process token onto hDC.
    // Assumes an ANSI (non-UNICODE) build: char buffers with wsprintf/TextOut.
    void ShowPrivileges(HDC hDC)
    {
        OSVERSIONINFO osinfo;
        HANDLE hToken;
        TOKEN_PRIVILEGES* ptkp = NULL;
        char mytext[256];
        char name[256];
        SIZE fontsize;
        DWORD length = 0;
        int x = GetSystemMetrics(SM_CXFULLSCREEN);

        osinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
        GetVersionEx(&osinfo);
        if (osinfo.dwPlatformId == VER_PLATFORM_WIN32_NT) {
            if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
                wsprintf(mytext, "OpenProcessToken() failed (error code = %lu)", GetLastError());
                GetTextExtentPoint32(hDC, mytext, (int)strlen(mytext), &fontsize);
                TextOut(hDC, 600, 150, mytext, (int)strlen(mytext));
                return;
            }
            // The first call, with a zero-length buffer, only reports the required size.
            GetTokenInformation(hToken, TokenPrivileges, NULL, 0, &length);
            ptkp = (TOKEN_PRIVILEGES*) new char[length];
            if (GetTokenInformation(hToken, TokenPrivileges, ptkp, length, &length) == 0) {
                wsprintf(mytext, "GetTokenInformation() failed (error code = %lu)", GetLastError());
                GetTextExtentPoint32(hDC, mytext, (int)strlen(mytext), &fontsize);
                TextOut(hDC, x - 250, 4 * fontsize.cy, mytext, (int)strlen(mytext));
            }
            else {
                for (DWORD i = 0; i < ptkp->PrivilegeCount; i++) {
                    length = 256;  // in: size of the name buffer, out: length of the name
                    if (!LookupPrivilegeName(NULL, &(ptkp->Privileges[i].Luid), name, &length))
                        lstrcpy(name, "(unknown)");
                    wsprintf(mytext, "%s = %u", name, ptkp->Privileges[i].Attributes);
                    GetTextExtentPoint32(hDC, mytext, (int)strlen(mytext), &fontsize);
                    TextOut(hDC, x - 250, 4 * fontsize.cy + (int)i * fontsize.cy, mytext, (int)strlen(mytext));
                }
            }
            delete[] (char*)ptkp;  // allocated as char[], so release it as char[]
            CloseHandle(hToken);   // the token handle was never closed before
        }
    }
Each displayed privilege is held, and depending on the value it is:
0 - privilege not enabled
2 - privilege is enabled
3 - privilege is enabled by default (1+2)
Also, you can get rid of the TOKEN_ADJUST_PRIVILEGES flag in the call to OpenProcessToken() if you're not going to adjust any.
--
677265676F727940346E6575726F6E732E636F6D
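Added example (not part of the original posts): the Attributes value listed above is a bit mask, so the state is derived by testing bits rather than comparing against 0, 2 or 3. This C code decodes a constructed buffer laid out like the TOKEN_PRIVILEGES structure that GetTokenInformation() fills in, so it runs without Windows; the names priv_entry, classify and parse_token_privileges are illustrative assumptions and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Attribute bits as defined in winnt.h. */
#define SE_PRIVILEGE_ENABLED_BY_DEFAULT 0x00000001u
#define SE_PRIVILEGE_ENABLED            0x00000002u
#define SE_PRIVILEGE_REMOVED            0x00000004u
/* Little-endian DWORD read, independent of host byte order. */
#define RD32(p) ((uint32_t)(p)[0] | (uint32_t)(p)[1] << 8 | (uint32_t)(p)[2] << 16 | (uint32_t)(p)[3] << 24)

typedef struct { uint32_t luid_low; int32_t luid_high; uint32_t attrs; } priv_entry; /* LUID_AND_ATTRIBUTES */
enum priv_state { PRIV_DISABLED, PRIV_DISABLED_DEFAULT_ON, PRIV_ENABLED, PRIV_ENABLED_DEFAULT, PRIV_REMOVED };
static const char *const STATE_NAME[] = { "disabled", "disabled (default-enabled)", "enabled", "enabled by default", "removed" };

/* Test bits: extra flags such as SE_PRIVILEGE_USED_FOR_ACCESS (0x80000000) break "== 2" checks. */
enum priv_state classify(uint32_t a)
{
    int def = (a & SE_PRIVILEGE_ENABLED_BY_DEFAULT) != 0;
    if (a & SE_PRIVILEGE_REMOVED) return PRIV_REMOVED;
    if (a & SE_PRIVILEGE_ENABLED) return def ? PRIV_ENABLED_DEFAULT : PRIV_ENABLED;
    return def ? PRIV_DISABLED_DEFAULT_ON : PRIV_DISABLED;
}

/* Layout: DWORD PrivilegeCount, then 12-byte entries. Returns -1 if the count overruns len or max_out. */
int parse_token_privileges(const unsigned char *buf, size_t len,
                           priv_entry *out, size_t max_out)
{
    if (len < 4) return -1;
    uint32_t count = RD32(buf);
    if (count > (len - 4) / 12 || count > max_out) return -1;
    for (uint32_t i = 0; i < count; i++) {
        const unsigned char *e = buf + 4 + (size_t)i * 12;
        out[i] = (priv_entry){ RD32(e), (int32_t)RD32(e + 4), RD32(e + 8) };
    }
    return (int)count;
}

/* Constructed sample: three privileges with Attributes 0, 3 and 0x80000002. */
static const unsigned char SAMPLE[] = { 3,0,0,0,
    19,0,0,0, 0,0,0,0, 0,0,0,0,
    23,0,0,0, 0,0,0,0, 3,0,0,0,
    20,0,0,0, 0,0,0,0, 2,0,0,0x80 };

int main(void)
{
    priv_entry e[8];
    int n = parse_token_privileges(SAMPLE, sizeof SAMPLE, e, 8);
    for (int i = 0; i < n; i++)
        printf("LUID %u: 0x%08X -> %s\n", (unsigned)e[i].luid_low, (unsigned)e[i].attrs, STATE_NAME[classify(e[i].attrs)]);
}
```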
"Frank Saunders, MS-MVP OE" <franks...@mvps.org> wrote in message
news:%23VB5mY5...@TK2MSFTNGP02.phx.gbl...
Possibly I should scan every bit of the header and then google for every
post I intend to respond to to make sure that it isn't an old post that
has come back so as not to annoy you.
Hmm nah, I respond to thousands of posts and don't care all that much if
you get annoyed. I will have to depend on you to keep your chin up if I
happen to respond to something that the server shows as new that
actually isn't.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
2. It is listed on news.microsoft.com as brand new.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
some dumb software, apparently on NNTP-Posting-Host: 86.20.171.138
has been copying a few ancient threads back to msnews recently.
Recently, in this case, being Date: Sun, 18 Jun 2006 04:05:22 GMT
interestingly, it also inserts this unusual header:
X-Received-Date: Wed, 22 Dec 2004 12:33:04 GMT (newsbetxt1-gui.ntli.net)
I can't figure out where you got that *2005* date, but I guess it really doesn't matter.
Bob