User rights in .NET

    User 760775 wrote (#1):

    Hi folks, I'm building an application that at some point accepts a user name and password. I want to check that a) this user is indeed a valid user and b) that the user account has the right to "Log On as a service" to the local machine on which the application runs. The first part is easily accomplished by using the advapi32.dll - LogonUser function in an example I found elsewhere.

    However, how to check if the user account has the "Log on as a service" right (SeServiceLogonRight)? I've found out that I (probably) need to once again DllImport a function from advapi32.dll, and that this time it is the "LsaEnumerateAccountRights" function, which I should use to retrieve a list of rights associated with the user. However, I can't quite get this to work! Could anyone provide me with a working C# example for performing the above check? I would be very grateful!

    /Zalkina

      Nick Parker wrote (#2):

      You might try something like this but I haven't tested it.

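      // requires: using System.Runtime.InteropServices;
      [DllImport("advapi32.dll", SetLastError=true)]
      static extern uint LsaEnumerateAccountRights(   // the return value is an NTSTATUS code
          IntPtr PolicyHandle,
          IntPtr AccountSid,
          out IntPtr UserRights,     // native array of LSA_UNICODE_STRING; release with LsaFreeMemory
          out uint CountOfRights);   // ULONG is 32 bits wide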

      Another thought is that this would be a lot easier if done in an MC++ wrapper because the native types would be available to you, plus much easier to use in .NET afterwards. Yet another thought would be to place the user/users in a group, assign that group appropriate permissions and then you can easily check if that user is in the group:

      // requires: using System; using System.Security.Principal; using System.Threading;
      AppDomain domain = Thread.GetDomain();
      domain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
      IPrincipal p = Thread.CurrentPrincipal;
      if (p.IsInRole("YourServiceRole"))
      {
          // do something here.
      }

      - Nick Parker

        User 760775 wrote (#3):

        Hi Nick, Thanks for your reply! I'm used to checking user group memberships, as you specified in your second example. However, this is an app for a company which would never ever allow me to change the structure of their Active Directory, adding my own groups etc. I must find out how to check for the specific "SeServiceLogonRight" right on a user account.

        The reason I need to check for this right is that, during install of a service, I prompt for a username/password under which the service is configured and started. However, before allowing the user to bypass the install form prompting for the credentials, I want to make sure that the entered user credentials will actually work for the service "run as" credentials.

        Besides this, it's quite interesting on a general level for me (and others) to know how to actually check a user account for specific WinNT rights. The System.Security namespace obviously lacks functionality for this, and one is left to the mercy of the Win32 API. Documentation clearly shows that for right checks one should use the LsaEnumerateAccountRights function. However, when I import it as you specified in your first code snippet, I'm unable to determine what parameters I need to supply for it to work. So, I'm still not able to get my check down in code.

        But maybe you, being more experienced than me (no MC++ exp whatsoever), would be able to? I challenge you to, given a user name and the corresponding password, to write a function, checking for the "SeServiceLogonRight" (or any other right for that matter) :-) Or simply to successfully call the LsaEnumerateAccountRights function on a user account, as I should be able to evaluate the resulting string array of rights myself ...

        /Zalkina

          Nick Parker wrote (#4):

          Zalkina wrote:

          "I challenge you to, given a user name and the corresponding password, to write a function, checking for the "SeServiceLogonRight" (or any other right for that matter) Or simply to successfully call the LsaEnumerateAccountRights function on a user account, as I should be able to evaluate the resulting string array of rights myself ..."

          Wouldn't the challenge be more beneficial if you were to challenge yourself, thus learning how the process works? Overall it shouldn't be too difficult. If you have questions along the way, feel free to post them here so we can help. :)

          - Nick Parker

            LongRange Shooter wrote (#5):

            I'm not sure if this helps or not... but basically you find you have a 'valid user' by the presence of the userID, i.e. if they never logged into the network, they'd never have a credential. This is a snippet from my security manager:

                // requires: using System.Security.Principal;
                private static readonly string domainName = System.Environment.UserDomainName;
                private static readonly string userName = System.Environment.UserName;
                // @"\" is a single backslash: verbatim strings do not process escape sequences
                private static readonly string fullUserName = domainName + @"\" + userName;
                private static readonly WindowsPrincipal currentPrincipal =
                    new WindowsPrincipal(WindowsIdentity.GetCurrent());

                /// <summary>
                /// Determines if user belongs to a given Windows user group name.
                /// </summary>
                /// <param name="groupName">Name of the user group to be checked.</param>
                /// <returns>True if user belongs to the group.  Otherwise false.</returns>
                public bool CheckUserGroup(string groupName)
                {
                    return currentPrincipal.IsInRole(domainName + @"\" + groupName);
                }
            

            This signature left intentionally blank
