How to ImpersonateLoggedOnUser on Windows NT/2000?

David LeBlanc whisper at oz.net
Tue Jun 25 17:22:00 EDT 2002


> -----Original Message-----
> From: python-list-admin at python.org
> [mailto:python-list-admin at python.org]On Behalf Of Gary Herron
> Sent: Tuesday, June 25, 2002 10:35
> To: python-list at python.org
> Subject: How to ImpersonateLoggedOnUser on Windows NT/2000?
>
>
> Hi,
>
> I'm trying to write a script for both Windows NT/2000 and Linux which
> needs to perform actions on the behalf of several different users.
>
> On Linux I use "os.seteuid" and friends and all is fine.
>
> On NT the comparable thing seems to be LogonUser,
> ImpersonateLoggedOnUser, and RevertToSelf.  However for these calls to
> be successful, one needs various privileges, such as SE_TCB_NAME, and
> SE_CHANGE_NOTIFY_NAME..
>
> At this point I start getting lost, so I hope someone who has been
> through this can help me.  How can a Python program running as local
> administrator on Windows NT/2000 set those privileges, and then once
> set, how does one actually *do* the impersonation?
>
> Thank you,
> Dr. Gary Herron
>

After a quick look at MSDN, it looks like it goes like this on Win2000
Pro(psuedo C code):
1. Use Start | Programs | Administrative tools | Computer Management to add
a user.
2. Use Start | Programs | Administrative tools | Local Security Policy to
add the user to the desired access control list (which is backwards from the
way NT did it - you added priviledges to users).
3. This code:
PHandle userHandle;
LogonUser(user, domain, password, LOGON32_LOGON_BATCH,
LOGON32_PROVIDER_DEFAULT, userHandle);
// LOGON32_LOGON_BATCH can also be LOGON32_LOGON_INTERACTIVE
ImpersonateLoggedOnUser(userHandle);
// do whatever
RevertToSelf();	// or just exit to revert to self.

Presumably you've seen the discussion of this in the Python Win32 extensions
help?

After a bunch more reading in MSDN, it looks like the simplest way to have a
user with sufficient priveledges is to use the GUI tools to create such a
user and then impersonate it. I suspect the programmatic way is to create
Access Control Lists and Security Descriptors - and MSDN doesn't connect the
dots for doing that. "Sufficient Priviledges" include both the user's
permissions and the permissions of the object the user is trying to
manipulate.

You might find this of interest: http://www.codeguru.com/system/Logon.shtml

I wish I could be more help - a way to do this 100% programmatically
interests me too.

Dave LeBlanc
Seattle, WA USA






More information about the Python-list mailing list