Warning! Newbie issue - Impersonating a user on Win32
Mark Hammond
mhammond at skippinet.com.au
Fri Jan 17 19:44:04 EST 2003
Doug Glenn wrote:
> On Thursday 16 January 2003 18:40, Roger Upole wrote:
>
>>What error do you get when you try to adjust SE_TCB_NAME ?
>
>
> I have it working now. As is, it will not grant the SE_TCB_NAME, it had
> to be done manually to the local policy. I get a 1300 error attempting
> to set it. Once I set the "act as operating system" to the appropriate
> group it would work. I do not know if this is set by a default
> installation or not. I do know we don't have it set, and apparently our
> policy does not remove it either. I don't use Win2k at home to verify
> what the default install would set it to.
>
> If it is supposed to be able to set that, then that functionality no
> longer works. At least in the version of ActivePython 2.2.2 from
> ActiveState with the bundled version of the Pywin stuff. I can't
> install the seperate version because it blows up Komodo unless I remove
> it and reinstall the AS version :(
>
> Obviously I would rather be able to grant the rights via the program.
> Going through a policy change review at work to get it set is not a
> workable solution just for this one app.
A google search for LogonUserEx and AdjustTokenPrivileges will yield
some results indicating this is a mess.
From what I can see, only the LocalSystem account has this privilege,
and a number of MS documents warn against enabling this for other
accounts as it is a security risk. People have even gone so far as to
suggest the only acceptable way to do this is to write a service
(running as LocalSystem) and have this go the grunt work. Indeed, I
believe this is exactly how MSI does it.
I would be very very surprised if you find this a Python issue, or that
different (fairly recent) versions of the Win32 extensions behave
differently.
Mark.
More information about the Python-list
mailing list