DirectoryServices - NT authentication

Hi Ruchi The administrator (hopefully you) of the AD can change the setting that "locks out accounts on X failed login attempts". This would solve your problem. Also, you could try the Win32 Logon user function, although I would presume that it will cause the exact same error, as your error is not an error but an AD feature. The following code will log in a user account. The token returned can be used to make ur code impersonate the specific user account, calling System.Security.Principal.WindowsIdentity.Impersonate((System.IntPtr)token), if you should ever need that. If the account is invalid, you should recieve a 0 in the token returned from the function, as well as an error in the error variable. [DllImport("advapi32.dll", SetLastError=true) ] public static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword, int dwLogonType, int dwLogonProvider, outint phToken); [DllImport("C:\\Windows\\System32\\Kernel32.dll")] public static extern int GetLastError(); public static int LogonWindowsUser(string username, string domain, string password) { int token; bool isLoggedin = LogonUser(username, domain, password, 3, 0, out token); int error = GetLastError(); return token; } /Zalkina

Hi Nick Thanx for your reply! Im used to checking user group memberships, as you specified in your second exaxple. However, this is a app for company, which would never ever allow me to change the structure of their Active Directory, adding my own groups etc. I must find out how to check for the specific "SeServiceLogonRight" right on a user account. The reason I need to check for this right is that I during install of a service prompt for a username/password, under which the service is configured and started. However, before allowing the user to bypass the install form prompting for the credentials, I want to make sure that the entered user credentials will actually work for the service "run as" credentials. Besides this, its quite interesting on a general level for me (and others) to know how to actually check a user account for specific WinNT rights. The System.Secirity namespace obviously lacks functionality for this, and one is left to the mercy of the Win32 API. Documentation clearly shows that for right checks one should use the LsaEnumerateAccountRights function. However, when I import it as you specified in your first code snippet, Im unable to determine what parameters I need to supply for it to work. So, Im still not able to get my check down on code. But maby you, being more experienced than me (no MC++ exp what-so-ever) would be able to? I challenge you to, given a user name and the corresponding password, to write a function, checking for the "SeServiceLogonRight" (or any other right for that matter) :-) Or simply to sucessfully call the LsaEnumerateAccountRights function on a user account, as I should be able to evaluate the resulting string array of rights myself ... /Zalkina

Hi folks, Im building an application that at some point accepts a user name and password. I want to check that a) this user is indeed a valid user and b) that the user account has the right to "Log On as a service" to the local machine on which the application runs. The first part is easily accomplished by using the advapi32.dll - LogonUser function in an example I found elsewhere. However, how to check if the user account has the "Log on as a service" right (SeServiceLogonRight)? Ive found out that I (probably) need to once again DllImport a function from advapi32.dll, and that this time it is the "LsaEnumerateAccountRights" function, which I should use to retrieve a list of rights, associated with the user. However, I cant quite get this to work! Could anyone provide me with a working c# example for performing the above check, I would be very grateful! /Zalkina