In Windows Vista and later, LogonUser returns a non-privileged token, even if the user provided is an administrator. Thus, when you impersonate using that token, you are non-elevated. Given a correct username and password for an administrator user, how do you run code that has elevated privileges for that administrator?
Asked
Active
Viewed 661 times
6
Mark Raymond
- 906
- 8
- 22
-
Are you wanting to impersonate an AD account, or a local account? – Botonomous Sep 27 '13 at 12:28
-
1Active Directory, primarily - though if it works for local as well that would be great! – Mark Raymond Sep 27 '13 at 12:47
2 Answers
1
I just worked with this example, It actually works fine. I guess if you want to run code in this context you'll have to set the current thread principal by:
Thread.CurrentPrincipal = new System.Security.Principal.WindowsPrincipal(WindowsIdentity.GetCurrent());
0
If you are writing a Windows service, using LOGON32_LOGON_SERVICE instead of LOGON32_LOGON_INTERACTIVE or LOGON32_LOGON_NEW_CREDENTIALS will result in a privileged token, as long as the user you want to impersonate has 'log on as a service' permissions.
This doesn't provide a general solution (it won't work if you're writing a user-facing application), but is sufficient to solve the specific problem I had.
Mark Raymond
- 906
- 8
- 22