How to detect user logon rights on win2k/xp?

Archived from groups: microsoft.public.win2000.security (More info?)

These are rights defined in NTSecAPI.h as the following:

#define SE_INTERACTIVE_LOGON_NAME TEXT("SeInteractiveLogonRight")
#define SE_NETWORK_LOGON_NAME TEXT("SeNetworkLogonRight")
#define SE_BATCH_LOGON_NAME TEXT("SeBatchLogonRight")
#define SE_SERVICE_LOGON_NAME TEXT("SeServiceLogonRight")
#define SE_DENY_INTERACTIVE_LOGON_NAME TEXT("SeDenyInteractiveLogonRight")
#define SE_DENY_NETWORK_LOGON_NAME TEXT("SeDenyNetworkLogonRight")
#define SE_DENY_BATCH_LOGON_NAME TEXT("SeDenyBatchLogonRight")
#define SE_DENY_SERVICE_LOGON_NAME TEXT("SeDenyServiceLogonRight")
#define SE_REMOTE_INTERACTIVE_LOGON_NAME TEXT("SeRemoteInteractiveLogonRight")
#define SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME TEXT("SeDenyRemoteInteractiveLogonRight")

Please advise - I stayed up the whole night and couldn't find any solutions
other than enumerating all its parent group tree!

Thanks!

Tim
  1.

    "Tim" <tzhong@hotmail.com> wrote in message
    news:ejoMeDK$EHA.2568@TK2MSFTNGP10.phx.gbl...
    > These are rights defined in NTSecAPI.h as the following:
    >
    > #define SE_INTERACTIVE_LOGON_NAME TEXT("SeInteractiveLogonRight")
    > #define SE_NETWORK_LOGON_NAME TEXT("SeNetworkLogonRight")
    > #define SE_BATCH_LOGON_NAME TEXT("SeBatchLogonRight")
    > #define SE_SERVICE_LOGON_NAME TEXT("SeServiceLogonRight")
    > #define SE_DENY_INTERACTIVE_LOGON_NAME TEXT("SeDenyInteractiveLogonRight")
    > #define SE_DENY_NETWORK_LOGON_NAME TEXT("SeDenyNetworkLogonRight")
    > #define SE_DENY_BATCH_LOGON_NAME TEXT("SeDenyBatchLogonRight")
    > #define SE_DENY_SERVICE_LOGON_NAME TEXT("SeDenyServiceLogonRight")
    > #define SE_REMOTE_INTERACTIVE_LOGON_NAME TEXT("SeRemoteInteractiveLogonRight")
    > #define SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME TEXT("SeDenyRemoteInteractiveLogonRight")
    >
    > Please advise - I stayed up the whole night and couldn't find any solutions
    > other than enumerating all its parent group tree!

    It is not clear what you wish to do, but you will
    likely receive more (and better) answers on one of the
    programming groups since it does seem you are trying
    to write an application in C.

    FYI: If you are trying to see what rights a particular
    user has you might wish to check that user's security
    access token.

    --
    Herb Martin


  2.

    Herb,

    Thanks for your quick response. Sorry I didn't make it very clear, and here
    is what I am trying to achieve:

    On win2k each user has his own "local security policy" settings, and among
    them there are several "logon rights", such as "log on as a service", "log
    on locally", etc. Adding or removing such a privilege can be easily done by
    calling functions like "LsaAdd/RemoveAccountRights()". These privileges have
    names like "SeServiceLogonRight", "SeDenyInteractiveLogonRight", etc.

    There is also a function called "LsaEnumerateAccountRights()" - it, however,
    only goes through the privileges the user DIRECTLY owns, i.e., it does NOT
    return those rights inherited from the groups the user belongs to. So my
    question is, is there any simple way to find out all privileges, directly
    owned or inherited, without iterating through all parent (and grandparent)
    groups?

    Thanks again!

    Tie
  3.

    "Tim" <tzhong@hotmail.com> wrote in message
    news:#MQSpHN$EHA.2112@TK2MSFTNGP14.phx.gbl...
    > Herb,
    >
    > Thanks for your quick response. Sorry I didn't make it very clear, and here
    > is what I am trying to achieve:
    >
    > On win2k each user has his own "local security policy" settings, and among
    > them there are several "logon rights", such as "log on as a service", "log
    > on locally", etc. Adding or removing such a privilege can be easily done by
    > calling functions like "LsaAdd/RemoveAccountRights()". These privileges have
    > names like "SeServiceLogonRight", "SeDenyInteractiveLogonRight", etc.

    Yes, those rights are calculated at logon and returned (from the DC
    etc.) as part of the Security Access Token, which is why I
    suggested investigating that.

    > There is also a function called "LsaEnumerateAccountRights()" - it, however,
    > only goes through the privileges the user DIRECTLY owns, i.e., it does NOT
    > return those rights inherited from the groups the user belongs to.

    The Security Access Token must have all of them.
    (except for possibly Special Groups like Everyone.)

    > So my
    > question is, is there any simple way to find out all privileges, directly
    > owned or inherited, without iterating through all parent (and grandparent)
    > groups?

    Without having the user logged on?

    No. It is calculated at each user logon, when the list of
    SIDs (personal and groups) is accumulated (again, this
    is used to create the Security Access Token).


    --
    Herb Martin
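
The group walk Tim describes, as an added example that is not code from the thread: each account's directly held rights (what a per-account LsaEnumerateAccountRights() call reports) are unioned across the account and every group reachable from it, and a deny right then cancels the matching allow right. The POLICY table, its account and group names, and the bit-flag encoding are constructed for illustration; a real tool would fill the table from LSA and group-membership queries.

```c
#include <stdio.h>
#include <string.h>
/* Three of the logon rights from the thread as bit flags; deny bits sit 8 higher. */
enum { R_INTERACTIVE = 1, R_NETWORK = 2, R_SERVICE = 4,
       R_DENY_INTERACTIVE = 1 << 8, R_DENY_NETWORK = 2 << 8, R_DENY_SERVICE = 4 << 8 };

/* Constructed policy: the rights each account holds directly (what a per-account
   LsaEnumerateAccountRights() call would report) and its direct parent groups. */
struct account { const char *name; unsigned direct; const char *parents[3]; };
static const struct account POLICY[] = {
    { "tim",         R_SERVICE,      { "Developers", "Everyone" } },
    { "Developers",  0,              { "Staff" } },
    { "Staff",       R_INTERACTIVE,  { "Contractors" } },
    { "Contractors", R_DENY_NETWORK, { "Staff" } },   /* circular nesting on purpose */
    { "Everyone",    R_NETWORK,      { NULL } },
};
#define N_ACCOUNTS (sizeof POLICY / sizeof POLICY[0])

static int find(const char *name) {
    for (size_t i = 0; i < N_ACCOUNTS; i++)
        if (strcmp(POLICY[i].name, name) == 0) return (int)i;
    return -1;
}

/* Union of the rights of one account and every group reachable from it. */
static unsigned collect(int idx, unsigned char *seen) {
    if (idx < 0 || seen[idx]) return 0;      /* unknown name or already visited */
    seen[idx] = 1;
    unsigned rights = POLICY[idx].direct;
    for (int p = 0; p < 3 && POLICY[idx].parents[p]; p++)
        rights |= collect(find(POLICY[idx].parents[p]), seen);
    return rights;
}

unsigned direct_rights(const char *name) { int i = find(name); return i < 0 ? 0 : POLICY[i].direct; }
unsigned accumulated_rights(const char *name) {
    unsigned char seen[N_ACCOUNTS] = {0};
    return collect(find(name), seen);
}

/* A deny right cancels the matching allow right, whichever SID carries it. */
unsigned effective_allow(const char *name) {
    unsigned all = accumulated_rights(name);
    return (all & 0xFF) & ~(all >> 8);
}

int main(void) {
    printf("direct=0x%x accumulated=0x%x effective=0x%x\n", direct_rights("tim"),
           accumulated_rights("tim"), effective_allow("tim"));
    return 0;
}
```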