[python-win32] granting SeServiceLogonRight on a network account with pywin32?
Bill Janssen
janssen at parc.com
Thu Oct 14 23:22:53 CEST 2010
Tim Roberts <timr at probo.com> wrote:
> Bill Janssen wrote:
> > I've got an MSI installer for installing my UpLib server. I use the
> > following bit of code in a custom action to grant the user the right to
> > "log on as a service", so that the service can run under their user-id:
> >
> > import win32api, win32security
> >
> > username = win32api.GetUserNameEx(win32api.NameSamCompatible)
> > domain, username = username.split("\\")
> > policy_handle = win32security.LsaOpenPolicy(domain, win32security.POLICY_ALL_ACCESS)
> > sid_obj, domain, tmp = win32security.LookupAccountName(domain, username)
> > win32security.LsaAddAccountRights( policy_handle, sid_obj, ('SeServiceLogonRight',) )
> > win32security.LsaClose( policy_handle )
> >
> > This seems to work fine if the user is running the installer from a
> > local machine account, but fails if they are running under their domain
> > network account:
> >
> > Traceback (most recent call last):
> >   File "c:\docume~1\foobar\locals~1\temp\tmpgmqdnh\win32\install-script.py", line 410, in <module>
> >     policy_handle = win32security.LsaOpenPolicy(domain, win32security.POLICY_ALL_ACCESS)
> > pywintypes.error: (1722, 'LsaOpenPolicy', 'The RPC server is unavailable.')
> >
> > I've tried this on a couple of machines, and it's the same on each.
> >
> > Now, if that user opens up admin tools, then local security, then user
> > rights, he can give himself this right. So it's not a privilege problem;
> > I'm just not doing it right in Python.
>
> Notice that the failure here is in LsaOpenPolicy, not in
> LsaAddAccountRights. Your code as you have it is trying to modify the
> DOMAIN policy to add the service logon right. I THINK what you really
> want is to add the service logon right ON the local machine FOR this
> domain account. You don't want to modify the domain. To do that, I
> think you want to specify None as the first parameter to LsaOpenPolicy.
>
> However, I admit that NT security is a twisty maze of little passages,
> all different, so it's quite possible this is just a wrong turn.
Thanks, Tim. That seems reasonable to me; I'll give it a shot.
Bill
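
The suggestion in this thread, written out as an added example that is not part of the original messages: the first argument of LsaOpenPolicy is a system (computer) name, so None opens the local machine's policy, and the right is granted there to the domain account's SID. The `sec` parameter, the two constants and the user-account guard are choices made for this example; the handle is closed even on failure and the grant is read back with LsaEnumerateAccountRights.

```python
SERVICE_LOGON_RIGHT = "SeServiceLogonRight"
SID_TYPE_USER = 1  # SidTypeUser in the Windows SID_NAME_USE enumeration


def grant_service_logon(account, sec=None):
    """Grant SeServiceLogonRight to `account` in the LOCAL machine's policy.

    `account` may be "DOMAIN\\user" or a local account name. `sec` is a
    hypothetical injection point for testing; it defaults to pywin32's
    win32security. Returns the account's rights as read back after the grant.
    """
    if sec is None:
        import win32security as sec  # imported lazily: Windows only

    # System name None: resolve the name from this machine, which consults
    # the domain for DOMAIN\user instead of treating the domain as a host.
    sid, _domain, sid_type = sec.LookupAccountName(None, account)
    if sid_type != SID_TYPE_USER:
        # Guard added for this example: do not hand the right to a group
        # or alias that happens to share the name.
        raise ValueError("%r is not a user account" % (account,))

    # System name None: the local LSA policy database, not the domain's.
    policy = sec.LsaOpenPolicy(None, sec.POLICY_ALL_ACCESS)
    try:
        sec.LsaAddAccountRights(policy, sid, (SERVICE_LOGON_RIGHT,))
        # Read the rights back so the installer can confirm the change.
        rights = tuple(sec.LsaEnumerateAccountRights(policy, sid))
    finally:
        sec.LsaClose(policy)  # always release the policy handle

    if SERVICE_LOGON_RIGHT not in rights:
        raise RuntimeError("right was not recorded for %r" % (account,))
    return rights


if __name__ == "__main__":
    import win32api

    # Same account lookup as the installer script quoted above.
    me = win32api.GetUserNameEx(win32api.NameSamCompatible)
    print(me, grant_service_logon(me))
```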