如何在Windows NT中以编程方式管理用户权限
来源:互联网 发布:java适配器模式例子 编辑:程序博客网 时间:2024/05/22 16:35
https://support.microsoft.com/zh-cn/help/132958/how-to-manage-user-privileges-programmatically-in-windows-nt
概要
在Windows NT中,权限用于提供与自由访问控制不同的访问控制手段。系统管理员使用权限来控制哪些用户/组能够操纵系统的各个方面。应用程序可能会在更改系统资源(如系统时间)或关闭系统时使用权限。
用户管理器工具可用于授予和撤销帐户的权限。
Windows NT 3.51提供的功能允许开发人员以编程方式管理特权。此功能通过LSA(本地安全机构)提供。
从LSA中受益的应用程序的一个例子是服务安装程序。如果服务配置为在用户帐户下运行,则该帐户有必要具有SeServiceLogonRight“登录即服务”权限。本文讨论如何利用LSA来授予和撤销用户和组的权限。
用户管理器工具可用于授予和撤销帐户的权限。
Windows NT 3.51提供的功能允许开发人员以编程方式管理特权。此功能通过LSA(本地安全机构)提供。
从LSA中受益的应用程序的一个例子是服务安装程序。如果服务配置为在用户帐户下运行,则该帐户有必要具有SeServiceLogonRight“登录即服务”权限。本文讨论如何利用LSA来授予和撤销用户和组的权限。
更多信息
管理用户权限可以使用以下步骤以编程方式实现:
LSA API LsaEnumerateAccountRights()可用于确定已授予某个帐户的特权。
LSA API LsaEnumerateAccountsWithUserRight()可用于确定哪些帐户已被授予指定的权限。
这些LSA API的文档和头文件在Windows 32 SDK的MSTOOLS \ SECURITY目录中提供。
在最新版本的Win32 SDK中,标题出现在mstools \ samples \ win32 \ winnt \ security \ include目录中,文档位于.... \ security \ lsasamp \ lsaapi.hlp中。
注意:这些LSA API目前仅作为Unicode实现。
此示例将授予SeServiceLogonRight权限到argv [1]上指定的帐户。
这个示例依赖于这些导入库
- 用LsaOpenPolicy()打开目标机器上的策略。要授予权限,请使用POLICY_CREATE_ACCOUNT和POLICY_LOOKUP_NAMES权限打开策略。要撤消权限,请打开POLICY_LOOKUP_NAMES权限的政策。
- 获取表示感兴趣的用户/组的SID(安全标识符)。LookupAccountName()和LsaLookupNames()API可以从帐户名称获取SID。
- 调用LsaAddAccountRights()将权限授予由提供的SID表示的用户。
- 调用LsaRemoveAccountRights()从所提供SID代表的用户中撤销权限。
- 用LsaClose()关闭策略。
LSA API LsaEnumerateAccountRights()可用于确定已授予某个帐户的特权。
LSA API LsaEnumerateAccountsWithUserRight()可用于确定哪些帐户已被授予指定的权限。
这些LSA API的文档和头文件在Windows 32 SDK的MSTOOLS \ SECURITY目录中提供。
在最新版本的Win32 SDK中,标题出现在mstools \ samples \ win32 \ winnt \ security \ include目录中,文档位于.... \ security \ lsasamp \ lsaapi.hlp中。
注意:这些LSA API目前仅作为Unicode实现。
此示例将授予SeServiceLogonRight权限到argv [1]上指定的帐户。
这个示例依赖于这些导入库
advapi32.lib(用于LsaXxx)
user32.lib(用于wsprintf)
这个示例将正确编译ANSI或Unicode。user32.lib(用于wsprintf)
示例代码
/*++
You can use domain\account as argv[1]. For instance, mydomain\scott will
grant the privilege to the mydomain domain account scott.
The optional target machine is specified as argv[2], otherwise, the
account database is updated on the local machine.
The LSA APIs used by this sample are Unicode only.
Use LsaRemoveAccountRights() to remove account rights.
Scott Field (sfield) 12-Jul-95
--*/
#ifndef UNICODE
#define UNICODE
#endif // UNICODE
#include <windows.h>
#include <stdio.h>
#include "ntsecapi.h"
NTSTATUS
OpenPolicy(
LPWSTR ServerName, // machine to open policy on (Unicode)
DWORD DesiredAccess, // desired access to policy
PLSA_HANDLE PolicyHandle // resultant policy handle
);
BOOL
GetAccountSid(
LPTSTR SystemName, // where to lookup account
LPTSTR AccountName, // account of interest
PSID *Sid // resultant buffer containing SID
);
NTSTATUS
SetPrivilegeOnAccount(
LSA_HANDLE PolicyHandle, // open policy handle
PSID AccountSid, // SID to grant privilege to
LPWSTR PrivilegeName, // privilege to grant (Unicode)
BOOL bEnable // enable or disable
);
void
InitLsaString(
PLSA_UNICODE_STRING LsaString, // destination
LPWSTR String // source (Unicode)
);
void
DisplayNtStatus(
LPSTR szAPI, // pointer to function name (ANSI)
NTSTATUS Status // NTSTATUS error value
);
void
DisplayWinError(
LPSTR szAPI, // pointer to function name (ANSI)
DWORD WinError // DWORD WinError
);
#define RTN_OK 0
#define RTN_USAGE 1
#define RTN_ERROR 13
//
// If you have the ddk, include ntstatus.h.
//
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#endif
int _cdecl
main(int argc, char *argv[])
{
LSA_HANDLE PolicyHandle;
WCHAR wComputerName[256]=L""; // static machine name buffer
TCHAR AccountName[256]; // static account name buffer
PSID pSid;
NTSTATUS Status;
int iRetVal=RTN_ERROR; // assume error from main
if(argc == 1)
{
fprintf(stderr,"Usage: %s <Account> [TargetMachine]\n",
argv[0]);
return RTN_USAGE;
}
//
// Pick up account name on argv[1].
// Assumes source is ANSI. Resultant string is ANSI or Unicode
//
wsprintf(AccountName, TEXT("%hS"), argv[1]);
//
// Pick up machine name on argv[2], if appropriate
// assumes source is ANSI. Resultant string is Unicode.
//
if(argc == 3) wsprintfW(wComputerName, L"%hS", argv[2]);
//
// Open the policy on the target machine.
//
if((Status=OpenPolicy(
wComputerName, // target machine
POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES,
&PolicyHandle // resultant policy handle
)) != STATUS_SUCCESS) {
DisplayNtStatus("OpenPolicy", Status);
return RTN_ERROR;
}
//
// Obtain the SID of the user/group.
// Note that we could target a specific machine, but we don't.
// Specifying NULL for target machine searches for the SID in the
// following order: well-known, Built-in and local, primary domain,
// trusted domains.
//
if(GetAccountSid(
NULL, // default lookup logic
AccountName,// account to obtain SID
&pSid // buffer to allocate to contain resultant SID
)) {
//
// We only grant the privilege if we succeeded in obtaining the
// SID. We can actually add SIDs which cannot be looked up, but
// looking up the SID is a good sanity check which is suitable for
// most cases.
//
// Grant the SeServiceLogonRight to users represented by pSid.
//
if((Status=SetPrivilegeOnAccount(
PolicyHandle, // policy handle
pSid, // SID to grant privilege
L"SeServiceLogonRight", // Unicode privilege
TRUE // enable the privilege
)) == STATUS_SUCCESS)
iRetVal=RTN_OK;
else
DisplayNtStatus("AddUserRightToAccount", Status);
}
else {
//
// Error obtaining SID.
//
DisplayWinError("GetAccountSid", GetLastError());
}
//
// Close the policy handle.
//
LsaClose(PolicyHandle);
//
// Free memory allocated for SID.
//
if(pSid != NULL) HeapFree(GetProcessHeap(), 0, pSid);
return iRetVal;
}
void
InitLsaString(
PLSA_UNICODE_STRING LsaString,
LPWSTR String
)
{
DWORD StringLength;
if (String == NULL) {
LsaString->Buffer = NULL;
LsaString->Length = 0;
LsaString->MaximumLength = 0;
return;
}
StringLength = wcslen(String);
LsaString->Buffer = String;
LsaString->Length = (USHORT) StringLength * sizeof(WCHAR);
LsaString->MaximumLength=(USHORT)(StringLength+1) * sizeof(WCHAR);
}
NTSTATUS
OpenPolicy(
LPWSTR ServerName,
DWORD DesiredAccess,
PLSA_HANDLE PolicyHandle
)
{
LSA_OBJECT_ATTRIBUTES ObjectAttributes;
LSA_UNICODE_STRING ServerString;
PLSA_UNICODE_STRING Server = NULL;
//
// Always initialize the object attributes to all zeroes.
//
ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));
if (ServerName != NULL) {
//
// Make a LSA_UNICODE_STRING out of the LPWSTR passed in
//
InitLsaString(&ServerString, ServerName);
Server = &ServerString;
}
//
// Attempt to open the policy.
//
return LsaOpenPolicy(
Server,
&ObjectAttributes,
DesiredAccess,
PolicyHandle
);
}
/*++
This function attempts to obtain a SID representing the supplied
account on the supplied system.
If the function succeeds, the return value is TRUE. A buffer is
allocated which contains the SID representing the supplied account.
This buffer should be freed when it is no longer needed by calling
HeapFree(GetProcessHeap(), 0, buffer)
If the function fails, the return value is FALSE. Call GetLastError()
to obtain extended error information.
Scott Field (sfield) 12-Jul-95
--*/
BOOL
GetAccountSid(
LPTSTR SystemName,
LPTSTR AccountName,
PSID *Sid
)
{
LPTSTR ReferencedDomain=NULL;
DWORD cbSid=128; // initial allocation attempt
DWORD cchReferencedDomain=16; // initial allocation size
SID_NAME_USE peUse;
BOOL bSuccess=FALSE; // assume this function will fail
__try {
//
// initial memory allocations
//
if((*Sid=HeapAlloc(
GetProcessHeap(),
0,
cbSid
)) == NULL) __leave;
if((ReferencedDomain=(LPTSTR)HeapAlloc(
GetProcessHeap(),
0,
cchReferencedDomain * sizeof(TCHAR)
)) == NULL) __leave;
//
// Obtain the SID of the specified account on the specified system.
//
while(!LookupAccountName(
SystemName, // machine to lookup account on
AccountName, // account to lookup
*Sid, // SID of interest
&cbSid, // size of SID
ReferencedDomain, // domain account was found on
&cchReferencedDomain,
&peUse
)) {
if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
//
// reallocate memory
//
if((*Sid=HeapReAlloc(
GetProcessHeap(),
0,
*Sid,
cbSid
)) == NULL) __leave;
if((ReferencedDomain=(LPTSTR)HeapReAlloc(
GetProcessHeap(),
0,
ReferencedDomain,
cchReferencedDomain * sizeof(TCHAR)
)) == NULL) __leave;
}
else __leave;
}
//
// Indicate success.
//
bSuccess=TRUE;
} // finally
__finally {
//
// Cleanup and indicate failure, if appropriate.
//
HeapFree(GetProcessHeap(), 0, ReferencedDomain);
if(!bSuccess) {
if(*Sid != NULL) {
HeapFree(GetProcessHeap(), 0, *Sid);
*Sid = NULL;
}
}
} // finally
return bSuccess;
}
NTSTATUS
SetPrivilegeOnAccount(
LSA_HANDLE PolicyHandle, // open policy handle
PSID AccountSid, // SID to grant privilege to
LPWSTR PrivilegeName, // privilege to grant (Unicode)
BOOL bEnable // enable or disable
)
{
LSA_UNICODE_STRING PrivilegeString;
//
// Create a LSA_UNICODE_STRING for the privilege name.
//
InitLsaString(&PrivilegeString, PrivilegeName);
//
// grant or revoke the privilege, accordingly
//
if(bEnable) {
return LsaAddAccountRights(
PolicyHandle, // open policy handle
AccountSid, // target SID
&PrivilegeString, // privileges
1 // privilege count
);
}
else {
return LsaRemoveAccountRights(
PolicyHandle, // open policy handle
AccountSid, // target SID
FALSE, // do not disable all rights
&PrivilegeString, // privileges
1 // privilege count
);
}
}
void
DisplayNtStatus(
LPSTR szAPI,
NTSTATUS Status
)
{
//
// Convert the NTSTATUS to Winerror. Then call DisplayWinError().
//
DisplayWinError(szAPI, LsaNtStatusToWinError(Status));
}
void
DisplayWinError(
LPSTR szAPI,
DWORD WinError
)
{
LPSTR MessageBuffer;
DWORD dwBufferLength;
//
// TODO: Get this fprintf out of here!
//
fprintf(stderr,"%s error!\n", szAPI);
if(dwBufferLength=FormatMessageA(
FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
WinError,
GetUserDefaultLangID(),
(LPSTR) &MessageBuffer,
0,
NULL
))
{
DWORD dwBytesWritten; // unused
//
// Output message string on stderr.
//
WriteFile(
GetStdHandle(STD_ERROR_HANDLE),
MessageBuffer,
dwBufferLength,
&dwBytesWritten,
NULL
);
//
// Free the buffer allocated by the system.
//
LocalFree(MessageBuffer);
}
}
/*++
This function enables system access on the account represented by the
supplied SID. An example of such access is the SeLogonServiceRight.
Note: to disable a given system access, simply remove the supplied
access flag from the existing flag, and apply the result to the
account.
If the function succeeds, the return value is STATUS_SUCCESS.
If the function fails, the return value is an NTSTATUS value.
Scott Field (sfield) 14-Jul-95
--*/
NTSTATUS
AddSystemAccessToAccount(
LSA_HANDLE PolicyHandle,
PSID AccountSid,
ULONG NewAccess
)
{
LSA_HANDLE AccountHandle;
ULONG PreviousAccess;
NTSTATUS Status;
//
// open the account object. If it doesn't exist, create a new one
//
if((Status=LsaOpenAccount(
PolicyHandle,
AccountSid,
ACCOUNT_ADJUST_SYSTEM_ACCESS | ACCOUNT_VIEW,
&AccountHandle
)) == STATUS_OBJECT_NAME_NOT_FOUND)
{
Status=LsaCreateAccount(
PolicyHandle,
AccountSid,
ACCOUNT_ADJUST_SYSTEM_ACCESS | ACCOUNT_VIEW,
&AccountHandle
);
}
//
// if an error occurred opening or creating, return
//
if(Status != STATUS_SUCCESS) return Status;
//
// obtain current system access flags
//
if((Status=LsaGetSystemAccessAccount(
AccountHandle,
&PreviousAccess
)) == STATUS_SUCCESS)
{
//
// Add the specified access to the account
//
Status=LsaSetSystemAccessAccount(
AccountHandle,
PreviousAccess | NewAccess
);
}
LsaClose(AccountHandle);
return Status;
}
/*++
This function grants a privilege to the account represented by the
supplied SID. An example of such a privilege is the
SeBackupPrivilege.
Note: To revoke a privilege, use LsaRemovePrivilegesFromAccount.
If the function succeeds, the return value is STATUS_SUCCESS.
If the function fails, the return value is an NTSTATUS value.
Scott Field (sfield) 13-Jul-95
--*/
NTSTATUS
AddPrivilegeToAccount(
LSA_HANDLE PolicyHandle,
PSID AccountSid,
LPWSTR PrivilegeName
)
{
PRIVILEGE_SET ps;
LUID_AND_ATTRIBUTES luidattr;
LSA_HANDLE AccountHandle;
LSA_UNICODE_STRING PrivilegeString;
NTSTATUS Status;
//
// Create a LSA_UNICODE_STRING for the privilege name
//
InitLsaString(&PrivilegeString, PrivilegeName);
//
// obtain the LUID of the supplied privilege
//
if((Status=LsaLookupPrivilegeValue(
PolicyHandle,
&PrivilegeString,
&luidattr.Luid
)) != STATUS_SUCCESS) return Status;
//
// setup PRIVILEGE_SET
//
luidattr.Attributes=0;
ps.PrivilegeCount=1;
ps.Control=0;
ps.Privilege[0]=luidattr;
//
// open the account object if it doesn't exist, create a new one
//
if((Status=LsaOpenAccount(
PolicyHandle,
AccountSid,
ACCOUNT_ADJUST_PRIVILEGES,
&AccountHandle
)) == STATUS_OBJECT_NAME_NOT_FOUND)
{
Status=LsaCreateAccount(
PolicyHandle,
AccountSid,
ACCOUNT_ADJUST_PRIVILEGES,
&AccountHandle
);
}
//
// if an error occurred opening or creating, return
//
if(Status != STATUS_SUCCESS) return Status;
//
// add the privileges to the account
//
Status=LsaAddPrivilegesToAccount(
AccountHandle,
&ps
);
LsaClose(AccountHandle);
return Status;
}阅读全文
0 0
- 如何在Windows NT中以编程方式管理用户权限
- 如何在Windows NT中隐藏自己
- 如何在Windows NT中隐藏自己[转]
- 如何在Windows NT中隐藏自己[转]
- 如何:以编程方式在 AdRotator Web 服务器控件中选择广告
- 如何在 VB 中以编程方式创建并调用 Excel 宏
- 在 Windows Server 2003、Windows 2000 和 Windows NT 中配置页面文件以进行优化和恢复
- java中如何以windows集成方式连接SQL Server
- 如何以编程方式实现UpdatePanel中Triggers的添加
- Android中如何以编程方式(programmatically)载入 NinePatch 图片
- 在ASP.NET中以编程方式设置母版页
- 如何在评论中以超链接的方式放置链接
- 如何在 Internet Explorer 中以编程方式更改 Internet Explorer 和 WebBrowser 控件的打印设置
- windows核心编程-用户权限
- 如何编程获取Windows NT的性能数据
- 如何在Windows NT 4.0上安装Apache+Servlet+jsp
- 对《Windows 9x/NT下以Apache的模块方式安装PHP4》的补充
- 如何在运行 Windows XP Service Pack 2 的系统上使用脚本以编程方式打开端口供 SQL Server 使用
- vue全局组件与局部组件的方法
- 【Scikit-Learn 中文文档】集成方法
- KD树算法
- 《编程之美》1.3一摞烙饼的排序
- [poj]P2386 宽搜模板-lake counting
- 如何在Windows NT中以编程方式管理用户权限
- MySQL解压版配置
- 【Scikit-Learn 中文文档】多类和多标签算法
- HTML <input> 标签的 accept 属性
- leetCode-Image Smoother
- 1063. 计算谱半径(20)
- 【Scikit-Learn 中文文档】特征选择
- dftfilt函数
- Struts2标签库整理
