Hello:
Ok, let's start at the beginning. The user who will be running the script
needs to have the following four privileges:
Act as part of the OS
Bypass traverse checking (this is usually a default privilege)
Increase quotas
Replace a process level token
Note that these privileges ARE for the person who will be running the script;
NOT the person you are trying to impersonate. The person you end up
impersonating ("$UserID, $UserPassword", in your example below) does not need
these privileges, for purposes of the LogonAsUser function, that is.
After you make the call to LogonAsUser, make a call to
Win32::AdminMisc::GetLogonName to check if the impersonation succeeded. If it
did not succeed, get the last error and print it out to see what it says; do
something like this:
print Win32::FormatMessage(Win32::GetLastError());
You might also want to print out the regular Perl error with $!. Anyway, give
that a shot, and if it doesn't work, then let me know what error was produced.
Good luck.
Dean Theophilou
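
The check described in the message above, written out as an added example (not code from the original thread or from Win32::AdminMisc itself). The domain, account name and IMPERSONATE_PW environment variable are placeholders, and the example assumes that LogonAsUser returns false on failure, that GetLogonName returns the bare account name, and that the LOGON32_* constants are exported as the thread's own snippet implies:

```perl
use strict;
use warnings;
use Win32;
use Win32::AdminMisc;

# Placeholder values (assumptions). The password is read from the
# environment so it is not embedded in the script.
my ($Domain, $UserID) = ('EXAMPLEDOM', 'svc_example');
my $UserPassword = $ENV{IMPERSONATE_PW}
    or die "Set IMPERSONATE_PW before running\n";

# Record who the script runs as before the call. This is the account that
# needs the four privileges, not the account being impersonated.
my $before = Win32::AdminMisc::GetLogonName();
print "Running as: $before\n";

# Under "use strict" a misspelled logon-type constant is a compile-time
# error rather than a silently accepted bareword string.
if (!Win32::AdminMisc::LogonAsUser($Domain, $UserID, $UserPassword,
                                   LOGON32_LOGON_INTERACTIVE)) {
    my $err = Win32::GetLastError();    # capture before any other call
    die "LogonAsUser failed ($err): " . Win32::FormatMessage($err);
}

# Do not trust the return value alone: confirm the identity really changed.
my $after = Win32::AdminMisc::GetLogonName();
if (lc $after ne lc $UserID) {
    my $err = Win32::GetLastError();
    Win32::AdminMisc::LogoffAsUser();
    die "Still running as '$after' ($err): "
      . Win32::FormatMessage($err) . " (Perl error: $!)\n";
}
print "Now impersonating: $after\n";

# ... work that needs the impersonated identity goes here ...

# Always drop the impersonation when done, then verify the revert.
Win32::AdminMisc::LogoffAsUser();
print "Reverted to: ", Win32::AdminMisc::GetLogonName(), "\n";
```
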
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
DePriest, Jason R.
Sent: Wednesday, January 16, 2002 7:03 AM
To: 'Dean Theophilou'; 'Ailes, Kevin'; Perl-win32-admin list (E-mail)
Subject: RE: Win32::Adminmisc
I have tried LOGON32_LOGON_BATCH and LOGON32_LOGON_INTERACTIVE with the same
results.
There must be something else we are overlooking.
The system I am running the script on is a Windows NT 4.0 Server, Enterprise
Edition member server of a Windows NT domain. The account I am trying to
run the script as is in that Windows NT domain.
The account has been made a member of the local administrator's group on the
server as well as a domain administrator on the domain.
The account has also been individually assigned the rights that were
detailed in previous emails to/from this list.
Does that help any?
-Jason
> -----Original Message-----
> From: Dean Theophilou [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 15, 2002 06:11 PM
> To: DePriest, Jason R.; 'Ailes, Kevin'; Perl-win32-admin list (E-mail)
> Subject: RE: Win32::Adminmisc
>
> How about trying LOGON32_LOGON_INTERACTIVE as the fourth parameter of the
> LogonAsUser function? This is what I use, so I know it works.
>
> Dean Theophilou
>
>
> -----Original Message-----
> From: DePriest, Jason R. [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 15, 2002 12:28 PM
> To: 'Dean Theophilou'; DePriest, Jason R.; 'Ailes, Kevin';
> Perl-win32-admin list (E-mail)
> Subject: RE: Win32::Adminmisc
>
>
>
> My biggest problem is this:
>
> <script>
> Win32::AdminMisc::LogonAsUser($Domain,$UserID,$UserPassword,LOGON32_LOGON_SERVICE);
> $WhoAmI = Win32::AdminMisc::GetLogonName();
> </script>
>
> $WhoAmI is invariably listed as the currently logged in user, whether
> myself or "SYSTEM" when run as a scheduled task.
>
> The $UserID has been granted each right that you listed as the rights it
> ~must~ have to work correctly.
>
> -Jason
>
> -----Original Message-----
> From: Dean Theophilou [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 15, 2002 02:14 PM
> To: DePriest, Jason R.; 'Ailes, Kevin'; Perl-win32-admin list (E-mail)
> Subject: RE: Win32::Adminmisc
>
> My suggestion is to keep the standard privileges for the Admin group and
> the four required for the logonasuser function. The four required for the
> function are:
>
>
> 1) Bypass traverse checking
> 2) Act as part of the OS
> 3) Increase quotas
> 4) Replace a process level token
>
>
> Dean Theophilou
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> DePriest, Jason R.
> Sent: Tuesday, January 15, 2002 12:04 PM
> To: 'Dean Theophilou'; DePriest, Jason R.; 'Ailes, Kevin';
> Perl-win32-admin list (E-mail)
> Subject: RE: Win32::Adminmisc
>
>
>
> I cannot speak for anyone else who has had this problem, but, yes the
> account was made a member of the local administrators and domain
> administrators group.
>
> I also added the following rights to the particular account:
> Act as part of the operating system,
> Bypass traverse checking (even though this was already granted to a group
> it was in),
> Increase Quotas,
> Log on as a batch job,
> Log on as a service,
> Log on locally (even though this was already granted to a group it was
> in), and
> Replace a process level token.
>
> The problem still remained.
>
> -Jason
>
> -----Original Message-----
> From: Dean Theophilou [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 15, 2002 01:10 PM
> To: DePriest, Jason R.; 'Ailes, Kevin'; Perl-win32-admin list (E-mail)
> Subject: RE: Win32::Adminmisc
>
>
> Hello:
>
> Did you set the privileges required for the user you want to log on as?
> For example, if you are logged on as "Fred", and you want to switch to
> "Wilma", then Wilma must have the four privileges listed on p. 228 of
> Win32 Perl Scripting: The Administrator's Handbook, by Dave Roth.
>
>
> Dean Theophilou
> Genisar
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> DePriest, Jason R.
> Sent: Tuesday, January 15, 2002 9:50 AM
> To: 'Ailes, Kevin'; Perl-win32-admin list (E-mail)
> Subject: RE: Win32::Adminmisc
>
>
> I am one of the people who have had the same problem.
>
> It seems like, after logging on as the specified user, the script forgets
> who it is logged in as and tries to run as SYSTEM or whatever...
>
> I was thinking that you might have to use
> Win32::AdminMisc::CreateProcessAsUser along with
> Win32::AdminMisc::LogonAsUser, but I didn't have the time nor the patience
> to try and figure out Win32::AdminMisc::CreateProcessAsUser.
>
> For my project, instead of creating a service like I was originally
> planning on, I used cygwin + cron to schedule the task and let cron run it
> in its heightened context instead.
>
> -Jason
>
> -----Original Message-----
> From: Ailes, Kevin [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 15, 2002 11:47 AM
> To: Perl-win32-admin list (E-mail)
> Subject: Win32::Adminmisc
>
>
> I now realize that I need to set up the user account that the apache web
> service runs under to have some advanced capabilities or use the
> Win32::Adminmisc module to logon as a different user (impersonate a user
> with advanced privileges).
>
> Unfortunately for me, I can not get the logonasuser method to function
> properly.
>
> I searched Dave Roth's web site for instructions. I found and set the
> privileges for the apache web user account according to the FAQ.
> No luck.
>
> I searched the usenet groups from google and found many references to the
> same problem I am having, however there were no answers other than to set
> the privileges on the user account (which I have done). I even restarted
> the web server service. I haven't tried restarting the machine.....yet.
>
> I searched the Adminmisc newsgroup hosted by Dave's site. There were many
> un-answered questions regarding the logonasuser method failing in a
> similar manner to what I have described.
>
> Am I missing something here?
>
> Kevin Ailes
> Administrator
> OTTO Engineering
>
> _______________________________________________
> Perl-Win32-Admin mailing list
> [EMAIL PROTECTED]
> http://listserv.ActiveState.com/mailman/listinfo/perl-win32-admin