stackoom
  简体   繁体   中英

how to check Local Security Policy rights as non-admin

 原文  2015-06-22 23:56:54       c#/ pinvoke/ privileges

Question

Situation is a client system running c# code, that upon starting we wish to check and confirm that the windows identity running the system has certain specific privileges, current specific case is SeSystemtimePrivilege. We do not want the user to be required to be an admin for the system to start.

Paths attempted so far include:

  • WMI which did not get the set of rights we were after.

  • LsaEnumerateAccountsWithUserRight through PInvoke - which totally works, but requires admin rights to use LsaOpenPolicy.

  • GetTokenInformation through PInvoke, in conjunction with LookupPrivilegeName This did not return the desired results. Instead it returned just 5 privileges for the token, but did not include SeSystemtimePrivilege although it had been explicitly granted to the user in question. ( I am thinking it is showing me only rights from GP ? They are the same rights I see with a cmd WhoAmI /priv check.)
  • LookupPrivilegeValue through PInvoke, in conjunction with PrivilegeCheck, and this also only seems to have access to the same 5 rights as GetTokenInformation, and only returns true when said right is actually enabled.

I cannot figure out so far how to enable this right on my local machine to test that situation, but I don't think I can rely on it being other than default on client machines.

I am looking for more ideas of how to get at these user rights without having to have admin rights.

Ideas? Have I exhausted the options? That can't be so, can it?

1 answers

solution1
 0 ACCPTED  2015-06-24 16:58:23

The answer to my situation turned out to be the

  • GetTokenInformation through PInvoke, in conjunction with LookupPrivilegeName option.

So, the reason I was not getting full rights, was what I thought it was, the split token. As an admin, you get two tokens when running an app as non-elevated. This was hindering a complete workflow, until a manifest was involved. The key here to get the full admin rights we were after was to include a manifest with this line:

  • < requestedExecutionLevel level="highestAvailable" uiAccess="false" />

Then it becomes easier. The admin can run the app non-elevated, and the GetTokenInformation will return the full set of admin privileges, which will include our target SeSystemtimePrivilege (we are not on a system where anyone is restricting admin rights, ever). For a standard user, we explicitly grant them the SeSystemtimePrivilege in the Local Security Policy and then the right is returned in their token privileges as well.

Both situations remedied. It required setting up VMs to test the standard user and such, which was slow going due to other stuff. But anyhow, it does work, and satisfies our needs.

I hope this helps someone else!

Jen

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to accessing admin local data location from non-admin user? How to allow non-admin user to write to registry key HKEY_LOCAL_MACHINE\SOFTWARE\SWname\Licenses In C# how to stop/start/check whether registered or not if the Log On As account is of non-admin user? How to add security attributes for non admin rights account in creatnamedpipe method of win API MSI for non-admin users How to check admin rights C# Monitor new processes as a non-admin Where to put temporary, non-admin files? How to run a non-admin process from admin c# application How to determine what prevents an app from running non-elevated (non-admin)
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM