[python-win32] granting SeServiceLogonRight on a network account with pywin32?
Bill Janssen
janssen at parc.com
Thu Oct 14 22:59:37 CEST 2010
I've got an MSI installer for installing my UpLib server. I use the
following bit of code in a custom action to grant the user the right to
"log on as a service", so that the service can run under their user-id:
import win32api, win32security
username = win32api.GetUserNameEx(win32api.NameSamCompatible)
domain, username = username.split("\\")
policy_handle = win32security.LsaOpenPolicy(domain, win32security.POLICY_ALL_ACCESS)
sid_obj, domain, tmp = win32security.LookupAccountName(domain, username)
win32security.LsaAddAccountRights( policy_handle, sid_obj, ('SeServiceLogonRight',) )
win32security.LsaClose( policy_handle )
This seems to work fine if the user is running the installer from a
local machine account, but fails if they are running under their domain
network account:
Traceback (most recent call last):
File "c:\docume~1\foobar\locals~1\temp\tmpgmqdnh\win32\install-script.py", line 410, in <module>
policy_handle = win32security.LsaOpenPolicy(domain, win32security.POLICY_ALL_ACCESS)
pywintypes.error: (1722, 'LsaOpenPolicy', 'The RPC server is unavailable.')
I've tried this on a couple of machines, and it's the same on each.
Now, if that user opens up admin tools, then local security, then user
rights, he can give himself this right. So it's not a privilege problem;
I'm just not doing it right in Python.
So, how should I be doing it?
Bill
More information about the python-win32
mailing list