user without password can be impersonated only if they are in admin group

Question

The goal is to have a service create a process which has the security context of a user whose password is not known. I understand and accept the limitation that the new process will only be able to access local resources

I think I am close to a solution. Everything works fine so long as the user to be impersonated is in the local administrators group. But if not I get an exception 0xc06d007e. It seems the user to be impersonated lacks some permission or privilege that it has when it is in the administrators group. But how can I find out what this missing right/permission/privilege is without by trial and error going through the thousands of permutations

get a token for the user to  be impersonated 
token = new WindowsIdentity("username@domain").Token
create a primary token
token2 = duplicatetokenex(token)

The process to be created is a simple console application and indeed I don't even need a console.

process_creation_flags.DETACHED_PROCESS
| process_creation_flags.CREATE_NO_WINDOW
| process_creation_flags.CREATE_NEW_PROCESS_GROUP

try to start the new process as the impersonated user

createprocessasuser(token2, "myapplication.exe" etc etc)`

As I say this works fine if username@domain is in the local admin group otherwise I get exception 0xc06d007e I think when the new process is trying to start

Answer 1

As one of the steps towards creating the service, I was running the code as a console application and it was during that stage I was getting the exception mentioned above.

But I found that running the code as a service works fine!!

So I never found out why the user-to-be-impersonated (impersonatee?) needs to be in the local admin group when the impersonation is done from a console application. I suspect it is something to do with sessions and / or desktops.

I have not found many discussions where the scenario is impersonating a user whose password you do not know. So I just want to re-assure anyone having problems that it is indeed possible and the main points are: 1) run the code as a service (with local system or a user with all the required privileges) 2) get the s4u token from windowsidentity (this will be an impersonation token if the call has the required privileges) 3) create a primary token from the impersonation token using duplicatetokenex 4) createprocessasuser using the token from 3

note the process will only have access to local resources