LSA Functions - Privileges and Impersonation

Corinna John

Rate me:

4.46/5 (31 votes)

27 Aug 2003CPOL2 min read

Managing privileges and impersonating users

Download source - 12.6 Kb

Introduction

Sometimes you want your application to do things which the user himself may never do. For example, your application has to read a public folder on an exchange server, but the folder is hidden from the active user for good reasons. Now you need LSA functions, to manage privileges and impersonate another user. This article explains how to import the LSA functions, add rights to accounts and impersonate different users.

SIDs, Policies and Rights

Whenever you alter the privileges of an account, you need its Security Identifier (SID). You can find any account using LookupAccountName.

Copy Code

[DllImport( "advapi32.dll", CharSet=CharSet.Auto, 
    SetLastError=true, PreserveSig=true)]
private static extern bool LookupAccountName( 
    string lpSystemName, string lpAccountName, 
    IntPtr psid, ref int cbsid, 
    StringBuilder domainName, ref int cbdomainLength, 
    ref int use );

Before adding or removing any privileges, we need a policy handle. LsaOpenPolicy opens a handle:

Copy Code

[DllImport("advapi32.dll", PreserveSig=true)]
private static extern UInt32 LsaOpenPolicy(
    ref LSA_UNICODE_STRING SystemName,
    ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
    Int32 DesiredAccess,
    out IntPtr PolicyHandle );

Using the SID and the policy handle, LsaAddAccountRights can add privileges:

Copy Code

[DllImport("advapi32.dll", SetLastError=true, PreserveSig=true)]
private static extern long LsaAddAccountRights(
    IntPtr PolicyHandle, IntPtr AccountSid, 
    LSA_UNICODE_STRING[] UserRights,
    long CountOfRights );

The LSA functions work with Unicode strings, so we have to use the LSA_UNICODE_STRING structure. This structure contains a buffer for the string, an two integers for the length of the buffer and the length of the actual string in the buffer:

Copy Code

[StructLayout(LayoutKind.Sequential)]
private struct LSA_UNICODE_STRING 
{ 
  public UInt16 Length; 
  public UInt16 MaximumLength; 
  public IntPtr Buffer; 
}

Now it's time to call these functions. First, find the desired account and retrieve the SID.

Copy Code

//pointer an size for the SID
IntPtr sid = IntPtr.Zero;
int sidSize = 0; 

//StringBuilder and size for the domain name
StringBuilder domainName = new StringBuilder();
int nameSize = 0;

//account-type variable for lookup
int accountType = 0; 

//get required buffer size
LookupAccountName(String.Empty, accountName, sid, ref sidSize, 
    domainName, ref nameSize, ref accountType); 

//allocate buffers
domainName = new StringBuilder(nameSize);
sid = Marshal.AllocHGlobal(sidSize);

//lookup the SID for the account
bool result = LookupAccountName(String.Empty, accountName, sid, 
    ref sidSize, domainName, ref nameSize, ref accountType);

And secondly, open a policy handle.

Copy Code

//initialize an empty unicode-string
LSA_UNICODE_STRING systemName = new LSA_UNICODE_STRING(); 

//initialize a pointer for the policy handle
IntPtr policyHandle = IntPtr.Zero; 

//these attributes are not used, but LsaOpenPolicy 
//wants them to exists
LSA_OBJECT_ATTRIBUTES ObjectAttributes = new LSA_OBJECT_ATTRIBUTES();

//get a policy handle
uint resultPolicy = LsaOpenPolicy(ref systemName, ref ObjectAttributes, 
    access, out policyHandle);

And finally we are ready to add privileges.

Copy Code

//initialize an unicode-string for the privilege name
LSA_UNICODE_STRING[] userRights = new LSA_UNICODE_STRING[1]; 
userRights[0] = new LSA_UNICODE_STRING(); 
userRights[0].Buffer = Marshal.StringToHGlobalUni(privilegeName); 
userRights[0].Length = (UInt16)( privilegeName.Length * 
    UnicodeEncoding.CharSize ); 
userRights[0].MaximumLength = (UInt16)( (privilegeName.Length+1) * 
    UnicodeEncoding.CharSize );

//add the privilege to the account 
long res = LsaAddAccountRights(policyHandle, sid, userRights, 1);
winErrorCode = LsaNtStatusToWinError(res); 
if(winErrorCode != 0)
{ 
    Console.WriteLine("LsaAddAccountRights failed: "+ winErrorCode); 
} 
//close all handles 
LsaClose(policyHandle); 
FreeSid(sid);

More LSA

Now we can manage user's privileges - but how about being another user? LSA includes a set of functions to impersonate any user. This means, performing an invisible logon an switch between our own identity and the new one.

For example, if you're writing a service and you don't get along with network access of the local service authority, you can define a special domain account for your service and impersonate it at runtime. LogonUser is the function to authenticate a user against a domain:

Copy Code

[DllImport("advapi32.dll")]
private static extern bool LogonUser( 
    String lpszUsername, 
    String lpszDomain, 
    String lpszPassword, 
    int dwLogonType, 
    int dwLogonProvider, 
    ref IntPtr phToken );

LogonUser verifies the logon parameters an creates a security token. Whenever a user logs onto a workstation, a security token is created. All applications launched by this user hold a copy of this token. He have to copy our new token using DuplicateToken.

Copy Code

[DllImport("advapi32.dll")]
private static extern bool DuplicateToken( 
    IntPtr ExistingTokenHandle, 
    int ImpersonationLevel, 
    ref IntPtr DuplicateTokenHandle );

Now we got a copy of the security token, we can create a WindowsIdentity and impersonate the user. The .NET framework contains classes for impersonating users, once we got the right token.

Copy Code

using System.Security.Principal;
//...
WindowsIdentity newId = new WindowsIdentity(duplicateTokenHandle);
WindowsImpersonationContext impersonatedUser = newId.Impersonate();

Of course we have to free the handles at last.

Copy Code

if (existingTokenHandle != IntPtr.Zero)
{ 
    CloseHandle(existingTokenHandle); 
} 
if (duplicateTokenHandle != IntPtr.Zero)
{ 
    CloseHandle(duplicateTokenHandle); 
}

When we have finished the special tasks, we can switch back to our normal identity

Copy Code

impersonatedUser.Undo();

Using the code

In the LogonDemo project there are LsaUtility.cs and LogonUtility.cs. LsaUtility.cs imports the functions necessary for managing privileges and contains the static method

Copy Code

SetRight (String 
accountName, String privilegeName)

. It adds a named privilege to an account. LogonUtility.cs contains everything you need to impersonate a user.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Corinna John

	Software Developer
	Germany

Corinna lives in Hanover/Germany and works as a C# developer.

Comments and Discussions

Small memory leak

MrMikeJJ7-Sep-16 2:30

MrMikeJJ

7-Sep-16 2:30

Nice article, thank you for this, made changing LSA privileges from C# much easier.

I do believe there is a small memory leak in this code though.

The memory allocated here is never freed:

Copy Code

userRights[0].Buffer = Marshal.StringToHGlobalUni(privilegeName);

To resolve this i added this near the top of the SetRight function:

Copy Code

IntPtr privilege_buffer = IntPtr.Zero;

Then changed that line to :

Copy Code

privilege_buffer = Marshal.StringToHGlobalUni(privilege);
userRights[0].Buffer = privilege_buffer;

then at the end

Copy Code

if (privilege_buffer != IntPtr.Zero)
	Marshal.FreeHGlobal(privilege_buffer);

thanks
MrMikeJJ

Immediate effect

FredWah30-Dec-15 9:23

FredWah

30-Dec-15 9:23

There's an article c# - LsaAddAccountRights() only works once per boot - Stack Overflow

and it mentions that you can make LsaAddAccountright by disabling a cache. I haven't been successful in doing so. How do you do this?

Problems when running this code on Microsoft Server 2012

Uittenhove18-May-15 22:10

Uittenhove

18-May-15 22:10

When I try to add a user to a local policy (SeServiceLogonRight) via the command LsaAddAccountRights I get an odd number as return value. This number isn't translated via LsaNtStatusToWinError function, it returns the same number. The number is something like 1034061105409818720. Every time I run the code again, I obtain a different number.

The code I use is the code from the sample.

The code runs nicely on a Win2008R2 but gives problems on Win2012.

Re: Problems when running this code on Microsoft Server 2012

Uittenhove21-May-15 2:18

Uittenhove

21-May-15 2:18

The initial statement used was:
Private Shared Function LsaAddAccountRights(PolicyHandle As IntPtr, AccountSid As IntPtr, UserRights As LSA_UNICODE_STRING(), CountOfRights As Long) As long
End Function

The solution was changing the result type into UInt32.

How to use it in windows 8.1

er.prakash.bhatta28-Oct-14 22:14

er.prakash.bhatta

28-Oct-14 22:14

I could not run the solution in windows 8.1. could you suggest me any better solution.

Prakash Bhatta

Massively Helpful

golyaht2-Aug-13 10:56

golyaht

2-Aug-13 10:56

I've been looking for a way to do impersonation to test a SQL login via Windows Auth, but without running my winforms as said user.

Use case was primarily to test a service account before rolling it out into production.

Following this article gave me exactly what I was looking for, and now my application behaves perfectly.

Thanks for the great article! Smile | :)

Chceck "SeServiceLogonRight already" exist or not for user?

ankyshah26-Jan-11 20:06

ankyshah

26-Jan-11 20:06

Hi Corinna John,

Very nice article and it is very helpful. I have one question that, if log on user have already "SeServiceLogonRight" rights then I want to check that if rights already exist then do not add the rights for that user else add the rights. How can I achieve this?? Your help can save my lots of time.. Please reply...

Thanks Ankit.

Nice article, even if there are some errors.

iq-man29-Nov-09 22:09

iq-man

29-Nov-09 22:09

Hi
This is a nice article. It contains a lot of great information and makes it much easier and faster to get a working sample to grant privileges to a user. Specifically I needed to grant the "logon as a service" privilege.

It does contain a few errors though. As the previous user comment says, there are errors in the marshalling. I have corrected this in the code I am using, and have not experienced any problems.

Best regards
Martin

modified on Monday, November 30, 2009 4:27 AM

Re: Nice article, even if there are some errors.

alexdresko23-Dec-09 8:37

alexdresko

23-Dec-09 8:37

How about posting the fixed code, dude?

I'm not a player, I just code a lot!
Alex Dresko

Re: Nice article, even if there are some errors.

iq-man26-Dec-09 2:11

iq-man

26-Dec-09 2:11

Hi
The errors I was refering to are those pointed out by the user making the previous comment (Jecho Jekov).
The fixes I use are nothing else but using the correct P/Invoke signatures he wrote. I checked the remaining P/Invoke signatures, and found no errors. So there really is no "fixed code" to post which has not already been posted in the comment made by Jecho Jekov.

Regards
Martin

Re: Nice article, even if there are some errors.

alexdresko26-Dec-09 7:21

alexdresko

26-Dec-09 7:21

Well that makes me feel better. I was able to get the fixed code working that someone else posted. Of course, based on the comments within, it seems like they "fixed" it, and then put it back the way it was originally because it wasn't broken in the first place. Smile | :)

I'm not a player, I just code a lot!
Alex Dresko

A bit messy...

Jecho Jekov12-Jun-09 9:35

Jecho Jekov

12-Jun-09 9:35

Hi Corina,

Very nice article. However, you should know that "LONG" in C++ is equivalent to "int" in C#. There are several places in your code where you use "long" instead of "int". This may cause random errors during the execution of the code and is the cause for most of the errors posted by other users.

More specifically you should change the following in the LsaUtility class (I have not looked at the other classes):

Copy Code

private static extern int LsaAddAccountRights(
	IntPtr PolicyHandle,
	IntPtr AccountSid,
	LSA_UNICODE_STRING[] UserRights,
	int CountOfRights);

Copy Code

private static extern int LsaClose(IntPtr ObjectHandle);

Copy Code

private static extern int LsaNtStatusToWinError(int status);

Regards,
Jecho

Re: A bit messy...

Mark Richards27-Mar-12 5:24

Mark Richards

27-Mar-12 5:24

Hmmm, I'm not so sure about your adjustment to LsaAddAccountRights().

MSDN defines the last parameter of this function as receiving an unsigned long, which for C# I would expect to translate to a uint data type.

I agree, however, with the changes to LsaClose and LsaNtStatusToWinError, both of which use NTSTAUS (an unsigned long, translating to a C# int).

- Mark R.

Re: A bit messy...

aravind.sr712-Feb-18 21:44

aravind.sr7

12-Feb-18 21:44

I have faced the issue what Jecho mentioned. When this code is called from a WIX custom action, LsaAddAccountRights returns some random number. To solve it, the return type was changed to UInt32.

Error adding "Logon As Service" right to User Account

sullivrp2-Jun-09 7:00

sullivrp

2-Jun-09 7:00

Corrina,

Great article, it has helped me out a lot, now if I could just resolve my current error, it would help even more!

My journey started with http://weblogs.asp.net/avnerk/archive/2007/05/08/setting-windows-service-account-c-and-wmi.aspx and I later ran across this follow-up posting http://weblogs.asp.net/avnerk/archive/2007/05/10/granting-user-rights-in-c.aspx which led me to http://www.hightechtalks.com/csharp/lsa-functions-276626.html.

I did some more searching and ran across http://blog.deploymentengineering.com/2008/09/different-year-same-problem.html which pointed me to your article. I then started cleaning up the example that was available and have ran into my current problem "1734 (The array bounds are invalid.)" when calling LsaAddAccountRights() to add "Log On As A Service" right to a user account.

During my various searches, I found the following link which lists available logon user rights http://support.microsoft.com/?id=279664 and http://support.microsoft.com/default.aspx?scid=kb;en-us;132958 provides additional information abour managing user privileges programmatically.

I have followed the following websites with no luck...all appear to be doing essentially the same thing that I am and implementing the differences yields the same result.

http://social.msdn.microsoft.com/forums/en-US/vbgeneral/thread/2d7d8115-a2ea-4d02-927b-667b20c047db/

http://social.msdn.microsoft.com/Forums/en-US/clr/thread/fd055d60-e030-4edc-b7a9-1962d6f7339e

http://www.pinvoke.net/default.aspx/advapi32/LsaAddAccountRights.html

http://pinvoke.net/default.aspx/advapi32/LsaOpenPolicy.html

Please help!

Here is the cleaned up code:

if (LSAUtility.SetRight(accountName, "SeServiceLogonRight", out errorMessage) == 0)

{

System.Windows.Forms.MessageBox.Show("The account " + accountName + " has been granted the Log On As A Service right.", "Information", MessageBoxButtons.OK, MessageBoxIcon.Information);

} // end if

else

{

System.Windows.Forms.MessageBox.Show("The Log On As A Service right was not added due to the following error: " + errorMessage, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);

} // end else

----------------------------------------------

using System;

using System.Runtime.InteropServices; // DllImport

using System.Text;

namespace MyUtils

{

/// <summary>

/// The Local Security Authority (LSA) Utility

/// </summary>

public class LSAUtility

{

#region Import the LSA functions

[DllImport("advapi32.dll", PreserveSig = true)]

private static extern Int32 LsaOpenPolicy(ref LSA_UNICODE_STRING SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, Int32 DesiredAccess, out IntPtr PolicyHandle);

[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true, PreserveSig = true)]

private static extern bool LookupAccountName(string lpSystemName, string lpAccountName, IntPtr psid, ref int cbsid, StringBuilder domainName, ref int cbdomainLength, ref int use);

[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]

private static extern Int32 LsaAddAccountRights(IntPtr PolicyHandle, IntPtr AccountSid, LSA_UNICODE_STRING UserRights, int CountOfRights);

[DllImport("advapi32.dll")]

private static extern bool IsValidSid(IntPtr pSid);

[DllImport("advapi32")]

public static extern void FreeSid(IntPtr pSid);

[DllImport("advapi32.dll")]

private static extern Int32 LsaClose(IntPtr ObjectHandle);

[DllImport("advapi32.dll")]

private static extern Int32 LsaNtStatusToWinError(Int32 status);

[DllImport("kernel32.dll")]

private static extern int GetLastError();

#endregion Import the LSA functions

#region Structures

#region LSA_OBJECT_ATTRIBUTES

[StructLayout(LayoutKind.Sequential)]

private struct LSA_OBJECT_ATTRIBUTES

{

public IntPtr RootDirectory;

public IntPtr SecurityDescriptor;

public IntPtr SecurityQualityOfService;

public LSA_UNICODE_STRING ObjectName;

public UInt32 Attributes;

public UInt32 Length;

} // LSA_OBJECT_ATTRIBUTES

#endregion LSA_OBJECT_ATTRIBUTES

#region LSA_UNICODE_STRING

[StructLayout(LayoutKind.Sequential)]

private struct LSA_UNICODE_STRING

{

public IntPtr Buffer;

public UInt16 Length;

public UInt16 MaximumLength;

} // LSA_UNICODE_STRING

#endregion LSA_UNICODE_STRING

#endregion Structures

#region Enumeration

#region LSA_AccessPolicy

private enum LSA_AccessPolicy : long

{

POLICY_AUDIT_LOG_ADMIN = 0x00000200L,

POLICY_CREATE_ACCOUNT = 0x00000010L,

POLICY_CREATE_PRIVILEGE = 0x00000040L,

POLICY_CREATE_SECRET = 0x00000020L,

POLICY_GET_PRIVATE_INFORMATION = 0x00000004L,

POLICY_LOOKUP_NAMES = 0x00000800L,

POLICY_NOTIFICATION = 0x00001000L,

POLICY_SERVER_ADMIN = 0x00000400L,

POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100L,

POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080L,

POLICY_TRUST_ADMIN = 0x00000008L,

POLICY_VIEW_AUDIT_INFORMATION = 0x00000002L,

POLICY_VIEW_LOCAL_INFORMATION = 0x00000001L

} // LSA_AccessPolicy

#endregion LSA_AccessPolicy

#endregion Enumeration

#region Methods

/// <summary>Adds a privilege to an account</summary>

/// <param name="accountName">Name of an account - "domain\account" or only "account"</param>

/// <param name="privilegeName">Name of the privilege</param>

/// <returns>The windows error code returned by LsaAddAccountRights</returns>

public static Int32 SetRight(string accountName, string privilegeName, out string errorMessage)

{

int accountType = 0; // account-type variable for lookup

int nameSize = 0; // size of the domain name

int sidSize = 0; // size of the SID

IntPtr sid = IntPtr.Zero; // pointer for the SID

Int32 winErrorCode = 0; // contains the last error

StringBuilder domainName = null; // StringBuilder for the domain name

errorMessage = "";

// get required buffer size

LookupAccountName(null, accountName, sid, ref sidSize, domainName, ref nameSize, ref accountType);

// allocate buffers

domainName = new StringBuilder(nameSize);

sid = Marshal.AllocHGlobal(sidSize);

// lookup the SID for the account

if (!LookupAccountName(null, accountName, sid, ref sidSize, domainName, ref nameSize, ref accountType))

{

winErrorCode = GetLastError();

errorMessage = "An error occurred while Looking up the Account Name, Error Code: " + winErrorCode;

} // end if

else

{

// combine all policies

int access = (int) (LSA_AccessPolicy.POLICY_AUDIT_LOG_ADMIN |

LSA_AccessPolicy.POLICY_CREATE_ACCOUNT |

LSA_AccessPolicy.POLICY_CREATE_PRIVILEGE |

LSA_AccessPolicy.POLICY_CREATE_SECRET |

LSA_AccessPolicy.POLICY_GET_PRIVATE_INFORMATION |

LSA_AccessPolicy.POLICY_LOOKUP_NAMES |

LSA_AccessPolicy.POLICY_NOTIFICATION |

LSA_AccessPolicy.POLICY_SERVER_ADMIN |

LSA_AccessPolicy.POLICY_SET_AUDIT_REQUIREMENTS |

LSA_AccessPolicy.POLICY_SET_DEFAULT_QUOTA_LIMITS |

LSA_AccessPolicy.POLICY_TRUST_ADMIN |

LSA_AccessPolicy.POLICY_VIEW_AUDIT_INFORMATION |

LSA_AccessPolicy.POLICY_VIEW_LOCAL_INFORMATION);

// Operation result

Int32 result;

// initialize a pointer for the policy handle

IntPtr policyHandle = IntPtr.Zero;

// initialize an empty unicode-string

LSA_UNICODE_STRING systemName = new LSA_UNICODE_STRING();

// this variable and it's attributes are not used, but LsaOpenPolicy wants them to exists

LSA_OBJECT_ATTRIBUTES ObjectAttributes = new LSA_OBJECT_ATTRIBUTES();

// get a policy handle

result = LsaOpenPolicy(ref systemName, ref ObjectAttributes, access, out policyHandle);

winErrorCode = LsaNtStatusToWinError(result);

if (winErrorCode != 0)

{

errorMessage = "An error occurred while opening the policy, Error Code: " + winErrorCode;

} // end if

else // Now that we have the SID and the policy, we can add the right to the account.

{

// initialize a unicode-string for the privilege name

LSA_UNICODE_STRING userRight = new LSA_UNICODE_STRING();

userRight.Buffer = Marshal.StringToHGlobalUni(privilegeName);

userRight.Length = (UInt16) (privilegeName.Length * UnicodeEncoding.CharSize);

userRight.MaximumLength = (UInt16) ((privilegeName.Length + 1) * UnicodeEncoding.CharSize);

// add the right to the account

result = LsaAddAccountRights(policyHandle, sid, userRight, 1);

winErrorCode = LsaNtStatusToWinError(result);

if (winErrorCode != 0)

{

errorMessage = "An error occurred while adding the account right, Error Code: " + winErrorCode;

} // end if

Marshal.FreeHGlobal(userRight.Buffer);

LsaClose(policyHandle);

} // end else

FreeSid(sid);

} // end else

return winErrorCode;

} // SetRight()

#endregion Methods

} // class LSAUtility

} // namespace MyUtils

Re: Error adding "Logon As Service" right to User Account

sullivrp3-Jun-09 8:48

sullivrp

3-Jun-09 8:48

Ok, ok, ok.....be prepared for the stupidest fix ever.....in the LSA_UNICODE_STRING structure, public IntPtr Buffer has to be declared after Length and MaximumLength! Don't ask me why, because I don't know and I really don't care...actually I do care, but just don't know why.

In the posted code above I had changed userRight from an array to a variable; however, apparently the websites that I visited which stated that it did not have to be an array are wrong as I did have to change back to an array in order to get it to work.

The updated code is listed below so that others hopefully don't have to waste as much time as I have searching for a simple solution to the problem at hand.

using System;
using System.Runtime.InteropServices; // DllImport
using System.Text;

namespace myUtils
{

/// <summary>
/// The Local Security Authority (LSA) Utility
/// </summary>

public class LSAUtility
{

#region Import the LSA functions

[DllImport("advapi32.dll", PreserveSig = true)]
private static extern Int32 LsaOpenPolicy(ref LSA_UNICODE_STRING SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, Int32 DesiredAccess, out IntPtr PolicyHandle);

[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true, PreserveSig = true)]
private static extern bool LookupAccountName(string lpSystemName, string lpAccountName, IntPtr psid, ref int cbsid, StringBuilder domainName, ref int cbdomainLength, ref int use);

[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
private static extern Int32 LsaAddAccountRights(IntPtr PolicyHandle, IntPtr AccountSid, LSA_UNICODE_STRING[] UserRights, int CountOfRights);

[DllImport("advapi32.dll")]
private static extern bool IsValidSid(IntPtr pSid);

[DllImport("advapi32")]
public static extern void FreeSid(IntPtr pSid);

[DllImport("advapi32.dll")]
private static extern Int32 LsaClose(IntPtr ObjectHandle);

[DllImport("advapi32.dll")]
private static extern Int32 LsaNtStatusToWinError(Int32 status);

[DllImport("kernel32.dll")]
private static extern int GetLastError();

#endregion Import the LSA functions

#region Structures

#region LSA_OBJECT_ATTRIBUTES

[StructLayout(LayoutKind.Sequential)]
private struct LSA_OBJECT_ATTRIBUTES
{

public int Attributes;
public int Length;

public IntPtr RootDirectory;
public IntPtr SecurityDescriptor;
public IntPtr SecurityQualityOfService;

public LSA_UNICODE_STRING ObjectName;

} // LSA_OBJECT_ATTRIBUTES

#endregion LSA_OBJECT_ATTRIBUTES

#region LSA_UNICODE_STRING

[StructLayout(LayoutKind.Sequential)]
private struct LSA_UNICODE_STRING
{

public UInt16 Length;
public UInt16 MaximumLength;

// NOTE: Buffer has to be declared after Length and MaximumLength;
// otherwise, you will get winErrorCode: 1734 (The array bounds are invalid.)
// and waste lots of time trying to track down what causes the error!
public IntPtr Buffer;

} // LSA_UNICODE_STRING

#endregion LSA_UNICODE_STRING

#endregion Structures

#region Enumeration

#region LSA_AccessPolicy

private enum LSA_AccessPolicy : long
{

POLICY_VIEW_LOCAL_INFORMATION = 0x00000001L,
POLICY_VIEW_AUDIT_INFORMATION = 0x00000002L,
POLICY_GET_PRIVATE_INFORMATION = 0x00000004L,
POLICY_TRUST_ADMIN = 0x00000008L,
POLICY_CREATE_ACCOUNT = 0x00000010L,
POLICY_CREATE_SECRET = 0x00000020L,
POLICY_CREATE_PRIVILEGE = 0x00000040L,
POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080L,
POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100L,
POLICY_AUDIT_LOG_ADMIN = 0x00000200L,
POLICY_SERVER_ADMIN = 0x00000400L,
POLICY_LOOKUP_NAMES = 0x00000800L,
POLICY_NOTIFICATION = 0x00001000L

} // LSA_AccessPolicy

#endregion LSA_AccessPolicy

#endregion Enumeration

#region Methods

/// <summary>Adds a privilege to an account</summary>
/// <param name="accountName">Name of an account - "domain\account" or only "account"</param>
/// <param name="privilegeName">Name of the privilege</param>
/// <returns>The windows error code returned by LsaAddAccountRights</returns>
public static Int32 SetRight(string accountName, string privilegeName, out string errorMessage)
{

int accountType = 0; // account-type variable for lookup
int nameSize = 0; // size of the domain name
int sidSize = 0; // size of the SID

IntPtr sid = IntPtr.Zero; // pointer for the SID

Int32 winErrorCode = 0; // contains the last error

StringBuilder domainName = null; // StringBuilder for the domain name

errorMessage = "";

// get required buffer size
LookupAccountName(null, accountName, sid, ref sidSize, domainName, ref nameSize, ref accountType);

// allocate buffers
domainName = new StringBuilder(nameSize);

sid = Marshal.AllocHGlobal(sidSize);

// lookup the SID for the account
if (!LookupAccountName(null, accountName, sid, ref sidSize, domainName, ref nameSize, ref accountType))
{
winErrorCode = GetLastError();

errorMessage = "An error occurred while Looking up the Account Name, Error Code: " + winErrorCode;
} // end if

else
{
// combine all policies
int access = (int) (LSA_AccessPolicy.POLICY_AUDIT_LOG_ADMIN |
LSA_AccessPolicy.POLICY_CREATE_ACCOUNT |
LSA_AccessPolicy.POLICY_CREATE_PRIVILEGE |
LSA_AccessPolicy.POLICY_CREATE_SECRET |
LSA_AccessPolicy.POLICY_GET_PRIVATE_INFORMATION |
LSA_AccessPolicy.POLICY_LOOKUP_NAMES |
LSA_AccessPolicy.POLICY_NOTIFICATION |
LSA_AccessPolicy.POLICY_SERVER_ADMIN |
LSA_AccessPolicy.POLICY_SET_AUDIT_REQUIREMENTS |
LSA_AccessPolicy.POLICY_SET_DEFAULT_QUOTA_LIMITS |
LSA_AccessPolicy.POLICY_TRUST_ADMIN |
LSA_AccessPolicy.POLICY_VIEW_AUDIT_INFORMATION |
LSA_AccessPolicy.POLICY_VIEW_LOCAL_INFORMATION);

Int32 result; // Operation result

IntPtr policyHandle = IntPtr.Zero; // initialize a pointer for the policy handle

LSA_UNICODE_STRING systemName = new LSA_UNICODE_STRING(); // initialize an empty unicode-string

// this variable and it's attributes are not used, but LsaOpenPolicy wants them to exists
LSA_OBJECT_ATTRIBUTES ObjectAttributes = new LSA_OBJECT_ATTRIBUTES();

// get a policy handle
result = LsaOpenPolicy(ref systemName, ref ObjectAttributes, access, out policyHandle);

winErrorCode = LsaNtStatusToWinError(result);

if (winErrorCode != 0)
{
errorMessage = "An error occurred while opening the policy, Error Code: " + winErrorCode;
} // end if

else // Now that we have the SID and the policy, we can add the right to the account.
{
// initialize a unicode-string for the privilege name
LSA_UNICODE_STRING[] userRights = new LSA_UNICODE_STRING[1];

userRights[0] = new LSA_UNICODE_STRING();
userRights[0].Buffer = Marshal.StringToHGlobalUni(privilegeName);
userRights[0].Length = (UInt16) (privilegeName.Length * UnicodeEncoding.CharSize);
userRights[0].MaximumLength = (UInt16) ((privilegeName.Length + 1) * UnicodeEncoding.CharSize);

// add the right to the account
result = LsaAddAccountRights(policyHandle, sid, userRights, 1);

winErrorCode = LsaNtStatusToWinError(result);

if (winErrorCode != 0)
{
errorMessage = "An error occurred while adding the account right, Error Code: " + winErrorCode;
} // end if

Marshal.FreeHGlobal(userRights[0].Buffer);

LsaClose(policyHandle);
} // end else

FreeSid(sid);
} // end else

return winErrorCode;

} // SetRight()

#endregion Methods

} // class LSAUtility
} // namespace myUtils

Re: Error adding "Logon As Service" right to User Account

Corinna John3-Jun-09 9:14

Corinna John

3-Jun-09 9:14

Hi,

that's because of the unmanaged structure layout. You have to declare unmanaged types exactly as the Windows SDK headers do. They will be marshalled byte-by-byte. Wink | ;)

This statement is false.

Re: Error adding "Logon As Service" right to User Account

sullivrp3-Jun-09 10:22

sullivrp

3-Jun-09 10:22

If that is the case, why isn't there a problem with the LSA_OBJECT_ATTRIBUTES structure? I changed Attributes to an int and put it on top for alphabetical purposes and then pulled the ObjectName variable to the bottom so that all of the IntPtr variables would be together?

Confused | :confused:

Re: Error adding "Logon As Service" right to User Account

Corinna John3-Jun-09 10:51

Corinna John

3-Jun-09 10:51

I cannot see where you fill the LSA_OBJECT_ATTRIBUTES structure yourself. You only pass it by ref to a function that expects a certain the unmanaged layout (and behaves as if it were so). All variables in the structure are initialized to the same value '0', so the external function doesn't notice that something is wrong. And you never read the structure's values, so you don't notice that there's something wrong.

Yes, there would be a bad problem, if you actually used the structure as you declared it. It didn't yet happen, because you only pass on a row of zeros.

This statement is false.

Re: Error adding "Logon As Service" right to User Account

sullivrp4-Jun-09 5:39

sullivrp

4-Jun-09 5:39

Good deal...you just confirmed what a fellow employee was explaining to me. He was saying that it probably isn't causing a problem now but somewhere down the road it might start causing random errors b/c when implementing structures, etc. from API's, the code is expected to exist in a specific order and if things have been moved / types have been changed various problems can arise.

That got me to thinking that probably the reason why I am not currently getting an error message is due to the fact that I don't really ever use that structure. I am going to change the LSA_OBJECT_ATTRIBUTES structure back to what you originally had in order to prevent any future problems that might occur. I guess this is a case where being a bit anal / OCD can cause unforseen problems! :-P

[StructLayout(LayoutKind.Sequential)]
private struct LSA_OBJECT_ATTRIBUTES
{

public int Length;

public IntPtr RootDirectory;

public LSA_UNICODE_STRING ObjectName;

public UInt32 Attributes;

public IntPtr SecurityDescriptor;

public IntPtr SecurityQualityOfService;

} // LSA_OBJECT_ATTRIBUTES

Thanks,

Ryan

Re: Error adding "Logon As Service" right to User Account

ankyshah26-Jan-11 20:08

ankyshah

26-Jan-11 20:08

Hii..

Try the exe run as administrator..

how give user'privilege to a programm ?

vincent3120-Oct-06 6:45

vincent31

20-Oct-06 6:45

hello,

how to give to a programm the privilege of an user ?

I'am using remore server (ipcchannel).

1)the remote server is launch by windows service :
when user insert usb device (a key) the server cannot eject this device.

2)I launch the serveur myself directly( with user account )
when user insert usb device (a key) the server can eject this device.

how to give privilege to the server ?

An idea ?
thanks

Vincent

Re: how give user'privilege to a programm ?

vincent3120-Oct-06 7:57

vincent31

20-Oct-06 7:57

I'm programming with C#, program run under windows 2000
thanks again
Vincent

LsaNtStatusToWinError work incorect.

Seregil15-Jun-06 1:02

Seregil

15-Jun-06 1:02

LsaNtStatusToWinError work incorect.
Need next change:
[DllImport("advapi32.dll")]
private static extern uint LsaNtStatusToWinError(uint status);
[DllImport("advapi32.dll", SetLastError=true, PreserveSig=true)]
private static extern uint LsaAddAccountRights(
IntPtr PolicyHandle,
IntPtr AccountSid,
LSA_UNICODE_STRING[] UserRights,
long CountOfRights);

Sorry, bad english.

Changing Domain Group Policy

Scott S.22-May-06 5:29

Scott S.

22-May-06 5:29

Corinna,

Its nice to run across articles that remain relevant long after they were written ... good one!

I am attempting to update an existing VB6 application that automates a very involved installation of a server product. It creates user accounts, groups, files, file shares, DCOM components, and COM+ applications and proxies, etc.
It works just fine in work groups and in Win2k domains, but in a Windows 2003 domain the server only runs for a little while after installation.

I determined that it is because during the installation of the COM+ application, the account used as it's identity is implicitly set into the local security policy with the "Log on as batch job" privilege. But in the W2003 domain the overriding global policy proceeds to write over that change to local policy. Seems to do it periodically even without the system restarting.

Anyway, I wanted to know if I could use these calls to give the server's identity account the "Log on a batch job" privilege in the domains Global Policy for Local Security Settings? And it so, what would the calls look like parameter wise? I shouldn't have any trouble porting sample code to VB6 even though I'm a C/C++/C# guy.

Ciao,
Scott

General

News

Suggestion

Question

Bug

Answer

Joke

Praise

Rant

Admin

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Tagged as

Stats

LSA Functions - Privileges and Impersonation

Introduction

SIDs, Policies and Rights

More LSA

Using the code

License

Share

About the Author

Comments and Discussions