I'm using the following code to impersonate a different user.
http://www.codeproject.com/KB/cs/zetaimpersonator.aspx
The problem is that I also need to call a local executable. When attempting to access the .exe I'm getting the error "Access Denied". I've tried adding the impersonated user to the file permissions but that didn't appear to work.
So my question, is there an easy way to break out of the impersonated user and come back in?
I'm open to other suggestions as well.
I had to add the impersonated user under the Admin group. I don't like it, but it's fixed.
Related
Can I now get logged in user information when I'm on node-red-contrib?
And how to get it?
Example: I want to get logged in user in function.js node
No, because as I pointed out when you asked this earlier, flows execute even when there are no instances of the editor running (so there is nobody logged in).
Flows run in the backend, not in the browser, the browser is there purely to edit flows.
I am trying to create an application using innoscript. I need to create/edit registry information values in HKLM. Hence I need admin privileges to install the application.
However, if a non-admin user tries to install the application, innoscript requires the admin user password. Once they enter the admin user password, whenever I query the registry in the installation script (say, HKCU), it retrieves information from the admin user. But I would like to get information from the currently logged in user. As a result, the program is installed under the admin user location instead of the current logon user account.
Is there a way to get the current logon user and user app data location from innoscript, when the application is started with Run as administrator or prompted admin user?
Awaiting your update.
Thanks,
The installer is not supposed to read or modify any per-user state (including HKCU) during a per-machine installation (and there is no way to do so reliably). You should instead make the application itself do this on first run (by trying to read the appropriate location and assuming default values if they were not found).
Remember, an application is installed once, but can then be run by several different users. This behaviour is essential.
An easy workaround is to move your logic to an executable instead of Pascal script. Then you can call this executable in [Run] section,
http://www.jrsoftware.org/ishelp/index.php?topic=runsection
Remember to mark the Run item as runasoriginaluser.
I have a website that uses Windows Authentication to authenticate its users. Normally when a user accesses the site on an IE browser the username field is populated with the computer's domain name and user name. This is usually incorrect and the user enters the correct username and their password and can access the site.
I have a user now on Windows 7 IE8 (I believe) and the username field in the credential prompt is being autopopulated with domain\userName except the username is incorrect and we cannot change it. The user is unable to log into the site because of this. Has anyone experienced this before? Does anyone know why the username field cannot be changed? Solutions I have tried:
Clearing cache and stored form data/passwords etc
Site is in users trusted sites. So I had the user change the settings to "Prompt for username and password" but the prompt still comes up with the username autopopulated and does not let her change it.
I have never run into this before. Our users do not have any issue logging in, it's just this one corporate location that was just set up and is running Windows 7 (the rest of the company is under Windows XP). If it matters, this is a SharePoint 2010 web application.
Any help on this would be greatly appreciated as I have an entire group of users with this problem. I'm willing to bet this would not be an issue in a different browser but they need to be able to use IE for application compatibility reasons.
Thanks!
I was able to fix it by doing the following:
Go to Start, Control Panel, User Accounts, then click Manage Your Credentials, and look for the credentials to your site. If they are there, Modify and “Remove from vault” (I suppose you could Edit them to the correct credentials but I just removed it and it did not prompt her).
She had the wrong credentials stored there. I'm not sure why clearing the cache and passwords from the internet options didn't work but this did.
I had this problem with a user where the domain stored with the credentials could not be changed. This is the only item online I could find even close to my problem. The user saw "user-pcdomain\localusername" auto entered in the form. He tried to correct it with "workdomain\workusername" but got a message saying "Please enter a user name and password". Eventually we realized that his system was sending "user-pcdomain\workdomain" as his username. I've never seen a login misfire like that.
In his case he did not have his credentials stored but needed to add credentials - "workdomain\workusername" - for all of the domains he needed to access.
The point is - to expand on the answer - that IE or Windows 7 or both will store credentials incorrectly on rare occasions and the solution is to be creative about adding\editing\removing credentials with Manage Your Credentials.
I'm writing a module to force a user whose password has expired to renew their password. This app uses the acegi security plugin. After the expired credentials are detected, the user is redirected to an "insert a new password" page. However, when the form is submitted, the auth action is executed, instead of the desired one (renewPassword).
I suspect that this happens because the user is not logged in, so I was wondering if there exists a better approach for this.
For example, letting the user log in, but disabling its account until he/she refreshes his password.
Is this the right way to go? Can anyone share his/her experience?
Update
Come to think about it, as acegi is doing all the "check for expired credentials" work, I won't be able to log the user in and then change it, as I get a CredentialsExpiredException at authentication fail. So is there a way to do this?
Thanks in advance
I would suggest allowing the login, but setting a redirect flag in your code to push them to the password change page, so even if they try to change to another location in the site, it will push them back to the password change page. (I don't know how to code it in this language, as I've never used it, but it's how I would suggest to work around the seeming limitation)
Finally solved it the "easy, not programmatic, conf. file" way.
In SecurityConfig.groovy I added an entry to the requestMapString:
/login/renewpassword = IS_AUTHENTICATED_ANONYMOUSLY
This way, the renewpassword action inside the loginController can be executed without having the user logged in.
Thanks everyone for your time.
I'm calling the Advapi32.dll LsaEnumerateAccountRights function having a policy handle from LsaOpenPolicy and an account SID from LookupAccountName.
However, try as I might, I'm always getting back 0xC0000034 which after translation by LsaNtStatusToWinError gives me "The file referenced cannot be found."
Which isn't a whole lot of good. My code handles this and goes on to grant the account SID the SeServiceLogonRight using LsaAddAccountRights, so I know that the policy handle and the account SID are fine as that would bomb out if something was wrong with one of those.
The end result is that the account does have the right it needs so overall the code works.
However, I'm using this within an MSI custom action, the Install checks to see if the account has the right and if it doesn't (or it fails as above) it grants the right and remembers it has done it in the install state. If a rollback happens and it added the right it then removes it. We never remove in an uninstall as other applications may have been installed using the same domain account that the services we run use.
So the problem is when an MSI performs a rollback - it will always remove the right as it always thinks it has added it. So checking the rights using LsaEnumerateAccountRights is used for this - but I just can't get it to work.
Any ideas? Please note that I'm using C# with the DllImport attribute to expose the Win32 functions, and I'm not the world's best Win32 programmer, having been Unix before C#!
I have been struggling with this, too, but have just cracked it...
Retrospectively, I now see there was a clue in the msdn documentation:
"The accounts returned by this function hold the specified privilege directly through the user account, not as part of membership to a group."
Get the policy handle from LsaOpenPolicy() and an account SID from LookupAccountName() exactly as you said.
If the username you entered was the name of a group ("Users", "Administrators", etc) then LsaEnumerateAccountRights() works fine and enumerates all the rights for the group.
If you call it on a username whose rights derive solely from the groups of which it is a member, then it returns 0xc0000034 (= Windows error 2 - The system cannot find the "file" specified), meaning (we now realise) "cannot find any individually assigned additional rights". It seems that the Windows Error 2 translation is a catch-all for "what you were looking for has not been found".
Now...
If you have ntrights.exe, run it... for example:
ntrights +r SeNetworkLogonRight -u MyUserName
Then, LsaEnumerateAccountRights() works fine, returns without error and enumerates a single right, "SeNetworkLogonRight".
I have recently run up against this same problem. In my testing with this issue it appears that the LookupAccountName call returns a security principal rather than the full SID. The actual failure seems to be that the section within the SID where the user rights would be is either not there or shortened to only the logon right.
Performing a LookupAccountName call on the current logged in user and then trying to LsaEnumerateAccountRights against that SID results in only the user logon right. Even though clearly, there are many other rights attached. Trying to retrieve any other users, other than the logged on user, successfully returns a SID. However, that SID will not have any user rights in it.
I have tested this on non-domain workgroup systems and member systems of domains, both as admin and regular users. The LookupAccountName call, when successful, always results in a SID that does not contain the full set of user rights.
I can only assume that if a complete SID could be obtained from the Security Database, then the LookupAccountName would properly iterate the rights.
I too have the exact same problem. Somebody suggested I get the SID via WMI with this query:
SELECT * FROM Win32_Account WHERE domain = 'ntdomain' AND name = 'username'
I tried it, using ConvertStringSidToSid() to get the magic blob LsaEnumerateAccountRights() expects and... same error. "The system cannot find the file specified."
I met the same problem. It is because you don't assign a specific privilege to the user, so the user privilege is empty; if you add one to it, it won't fail.
Call the same function with a group and you can see everything working correctly.