天道酬勤,学无止境

local-security-authority

How do I correctly call LsaLogonUser for an interactive logon?

I'm trying to use LsaLogonUser to create an interactive logon session, but it always returns STATUS_INVALID_INFO_CLASS (0xc0000003). From what I have found in searching online, the memory layout of the KERB_INTERACTIVE_LOGON structure is tricky, but I'm pretty sure I've done that right. I've also tried using MSV1.0 instead of Kerberos, with MSV1_0_INTERACTIVE_LOGON for the authentication structure and MSV1_0_PACKAGE_NAME as the package name, but that fails with STATUS_BAD_VALIDATION_CLASS (0xc00000a7). Can anyone tell what I'm doing wrong here? Here's the code, with most of the error handling

2021-06-09 23:22:03    分类:问答    windows   windows-security   local-security-authority

如何以编程方式确定用户帐户是否是Windows中特定组的成员?(How to programmatically figure out if a user account is a member of a particular group in Windows?)

问题 给定一个组名和一个用户帐户,我想知道所提供的用户是否属于一个特定的组。 该用户可以是本地用户或域用户,而该组可以是本地组或域组,并且该组也可以嵌套在其他组中。 简而言之,我正在寻找像bool IsUserMemberOf(User, Group)这样的函数,该函数将在内部调用适当的Win32 API进行搜索。 我想进行上述查询的过程应具有查询本地和AD组的必要特权。 我想在企业管理员帐户下运行该进程应该可以执行查询林中任何DC的工作,但对于不属于域的计算机可能不起作用。 关于应使用哪种帐户执行此查询过程的任何想法,以便它可以查询LSA和AD? 回答1 您需要阅读GetTokenInformation(TOKEN_USER),AllocateAndInitializeSid和CheckTokenMemberShip。 回答2 UserPrincipal.IsMemberOf(GroupPrincipal)“返回一个布尔值,该值指定委托人是否为指定组的成员”。 回答3 Magnus是正确的,您必须使用CheckTokenMembership 您可以在UnlockPolicy.c中找到一个示例(在此处下载完整的源代码),该函数ShouldUnlockForUser和UsagerEstDansGroupe (对不起,我的法语;)。 这是它的胆量: HRESULT

2021-04-19 12:02:04    分类:技术分享    windows   security   winapi   active-directory   local-security-authority

How to programmatically figure out if a user account is a member of a particular group in Windows?

Given a group name and a user account, I would like to know if the supplied user belongs to a particular group. The user can be a local user or a domain user and the group could be a local group or a domain group and the group could also be nested inside other groups. In short I am looking for a function like bool IsUserMemberOf(User, Group) that will internally call the appropriate Win32 APIs to do the search. I guess the process making the above query should have the necessary privileges to query local and AD groups. I guess runing the process under enterprise admin account should do the job

2021-04-16 11:12:07    分类:问答    windows   security   winapi   active-directory   local-security-authority