Warning! Newbie issue - Impersonating a user on Win32

[Mark Hammond]

Doug Glenn wrote:
> On Thursday 16 January 2003 18:40, Roger Upole wrote:
> 
>>What error do you get when you try to adjust SE_TCB_NAME ?
> 
> 
> I have it working now. As is, it will not grant the SE_TCB_NAME, it had 
> to be done manually to the local policy.  I get a 1300 error attempting 
> to set it. Once I set the "act as operating system" to the appropriate 
> group it would work.  I do not know if this is set by a default 
> installation or not. I do know we don't have it set, and apparently our 
> policy does not remove it either.  I don't use Win2k at home to verify 
> what the default install would set it to.
> 
> If it is supposed to be able to set that, then that functionality no 
> longer works. At least in the version of ActivePython 2.2.2 from 
> ActiveState with the bundled version of the Pywin stuff. I can't 
> install the seperate version because it blows up Komodo unless I remove 
> it and reinstall the AS version :(
> 
> Obviously I would rather be able to grant the rights via the program. 
> Going through a policy change review at work to get it set is not a 
> workable solution just for this one app. 

A google search for LogonUserEx and AdjustTokenPrivileges will yield 
some results indicating this is a mess.

 From what I can see, only the LocalSystem account has this privilege, 
and a number of MS documents warn against enabling this for other 
accounts as it is a security risk.  People have even gone so far as to 
suggest the only acceptable way to do this is to write a service 
(running as LocalSystem) and have this go the grunt work.  Indeed, I 
believe this is exactly how MSI does it.

I would be very very surprised if you find this a Python issue, or that 
different (fairly recent) versions of the Win32 extensions behave 
differently.

Mark.