security - LsaEnumerateAccountRights always returns "File not found"
I call the Advapi32.dll LsaEnumerateAccountRights function with a policy handle from LsaOpenPolicy and an account SID from LookupAccountName.
However, try as I might, I always get back 0xC0000034, which after translation by LsaNtStatusToWinError gives me "The referenced file can not be found."
Which is not very good. My code handles this and, using LsaAddAccountRights, goes on to grant the account SeServiceLogonRight, so I know that the policy handle and account SID are OK, because it would fail if there were something wrong with either of them.
The end result is that the account has the right it needs, which works for the code.
However, I am using it in an MSI custom action to check whether the account has the right and, if it does not (or the check fails as above), to grant it and remember in the installed state that it did so. If there is a rollback and the right was added, it is removed. We never remove it in an uninstall, because a second app in the same domain may be installed that uses the same services.
The problem then occurs when the MSI rolls back: it will always remove the right, because it always thinks that it added it. That is why I want to use LsaEnumerateAccountRights to check for this, but I can not get it to work.
Any ideas? Please note that I am using C# to expose the Win32 functions with the DllImport attribute, and I am not the best Win32 programmer in the world, being a C# and Unix person first!
I am still struggling with it, but it has broken down ...
Ignore the above, I now see that there is a clue in the MSDN documentation: "The account given by this function has the specified privileges directly through the user account, not as part of the group being a member."
See:
As you said, the policy handle and account SID from LsaOpenPolicy() and LookupAccountName() are correct.
If the name you entered is a group's name ("user", "administrator", etc.), then LsaEnumerateAccountRights() works fine and enumerates all rights of the group.
If you call it on a username whose rights all come from the groups of which it is a member, then it returns 0xC0000034 (= Windows error 2, "The system cannot find the file specified"), which means (as we now know) "cannot find any additional rights assigned personally." It seems that the Windows error 2 translation is a catch-all for "what you wanted was not found".
Now ... if you have ntrights.exe, then run it, for example:
ntrights +r SeNetworkLogonRight -u MyUserName
After that, LsaEnumerateAccountRights() works fine, returns without error, and returns a single right value, "SeNetworkLogonRight".