Enumerating user of a domain from a service
-
Hi all, I want to enumerate all the users in the domain from my service. I tried using the NetUserEnum and NetQueryDisplayInformation functions, but they fail with access denied. When I run the functions from a console application it works fine, but from my service (which runs under the local system account) it fails. How do I get around this? Is there some other way of enumerating the users of a domain from the service?
kunal
-
ku19832001 wrote:
but from my service (which runs under local system account) it fails......
Then run your service from an account with sufficient access rights :)
"If you can dodge a wrench, you can dodge a ball."
-
I didn't get it... I thought the local system account was the most powerful account, with all the rights. I guess the only problem is that only authenticated users are allowed to query the domain, but in this case local system is not an authenticated user. Is there some other way of enumeration?
-
If it's a security issue then it should fail regardless of what method you use to enumerate. I would first verify that security is the problem: a breakpoint and a check of the error code should do it. The LocalSystem account may have high privileges on the local computer but not on the network. Actually, I'm pretty sure you can't access the network with that account anymore (I may be confusing it with another account). It's recommended these days to run services under specific accounts which have just the needed access rights and no more.
Mark
"If you can dodge a wrench, you can dodge a ball."
-
As I said in my previous post, I checked the return code and it said access denied, so I know the problem now: since local system is not authenticated to query the domain, the API will fail. According to what you are saying, I need to add a (fake) account to the network and then run the service under that fake account to query the domain. This really doesn't look like a great idea, because it means 1) I am adding a non-existent user to the network, and 2) all machines in the domain where my service is running will need to have that account on the local machine (which can be a big risk). So is there some other way of doing it?
kunal
-
ku19832001 wrote:
As i said in previous post...i checked the return code and it said....access denied
Sorry about that :) There's no more risk, really. If it worked from the console (meaning you had adequate permission) and every other user has the permissions, then there's no difference. I trust services I write WAY more than I'd trust any user with enhanced privileges. Only the service runs in the context of the "fake" account, not the users that log in on the machine. I'm rusty on my limited IT skills, but on a domain can't an account be created on the domain server and managed there instead of having to add an account to every machine? Yes, managing extra accounts is a pain; you can thank all the hackers that have taken advantage of security holes in Windows for that. The LocalSystem account used to have many more privileges. :sigh:
Mark -- modified at 15:32 Sunday 1st April, 2007: fixed some spelling errors
"If you can dodge a wrench, you can dodge a ball."
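The diagnostic steps suggested in the thread (see which account the service logs on as, check who the enumeration actually runs as, and try another enumeration path than NetUserEnum) can be run with the script below. It is an added example, not code from the thread; it assumes a domain-joined Windows host with Windows PowerShell, uses LDAP through System.DirectoryServices as the alternative path, and the service name MyEnumService is a placeholder.

```powershell
# Added example (not from the thread). Assumes a domain-joined Windows host.
# Run it once from an interactive console and once in the context the service
# uses, then compare the "Enumerating as" line and the outcome.
param(
    [string]$ServiceName = "MyEnumService"   # placeholder: name of the service under test
)

# 1. Which account does the service log on as? LocalSystem is reported as "LocalSystem".
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($svc) {
    Write-Host ("Service '{0}' logs on as: {1}" -f $svc.Name, $svc.StartName)
} else {
    Write-Host "Service '$ServiceName' not found; skipping the service account check."
}

# 2. Which identity will the directory query be made under?
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host ("Enumerating as: {0}" -f $me.Name)

# 3. Enumerate domain user accounts over LDAP instead of the Net* API.
function Get-DomainUserNames {
    $rootDse = [ADSI]"LDAP://RootDSE"
    $dn = [string]$rootDse.Properties["defaultNamingContext"].Value
    $base = [ADSI]"LDAP://$dn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
    $searcher.PageSize = 1000            # paged search, so large domains are not cut off
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) { $r.Properties["samaccountname"][0] }
    } finally {
        $results.Dispose()               # SearchResultCollection holds unmanaged handles
    }
}

try {
    $users = @(Get-DomainUserNames)
    Write-Host ("Found {0} user accounts" -f $users.Count)
} catch {
    # An access-denied failure surfaces as an exception here; report it with the
    # identity that made the call rather than guessing at the cause.
    Write-Host ("Enumeration failed as {0}: {1}" -f $me.Name, $_.Exception.Message)
}
```

Comparing the "Enumerating as" and result lines between the console run and the service-context run isolates whether the failure is the calling identity or the enumeration method.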