I'm writing a remote administration tool that can grant and revoke admin rights to users on other machines in the network.
I have this configuration:
- A remote machine (machine1) with two administrative users:
  - A local admin: adminA
  - A domain user with administrative rights: domA.com\adminB
- A machine (machine2) running the admin tool; the running user is not from the domA.com domain
- A domain user, domA\adminC, which currently isn't an admin on machine1
I wish to grant admin rights for the domA.com\adminC user, given the credentials to a local admin user on the remote machine.
During the process, I can impersonate the local admin on the remote machine using the token from the advapi32.dll LogonUser method. In the impersonated context I'm able to use DirectoryEntry to find the remote machine's administrator group (using its SID). From there I can Invoke the Add/Remove action to add or remove the domain user using the path WinNT://domA.com/adminC.
Again - this works with an impersonated local admin on the remote machine, not a domA.com user.
If, however, I want to use PrincipalContext, GroupPrincipal and UserPrincipal to query this domain user's permissions, or to add or remove it from the remote admin group, I'm unable to do so: I cannot start a Domain PrincipalContext without a domain user, as I'm using the local user, so I cannot get its UserPrincipal to add to the admin GroupPrincipal.
This is in line with the Windows behavior: if I log on via RDP to the remote machine with the local admin and attempt to add a domain account to its admin group, I need to provide domain credentials.
Is there a way to use PrincipalContext to add a domain user without specifying a domain user's credentials, the way that DirectoryEntry allows?
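The DirectoryEntry route the question describes (LogonUser token, impersonation, locate the Administrators group by SID, then IADsGroup Add/Remove through Invoke), written out as an added C# example. This is not code from the original post; the host, account and domain names are the question's own hypothetical ones (machine1, adminA, domA.com\adminC), and the command-line argument handling and the IsMember check are assumptions added here.

```csharp
using System;
using System.ComponentModel;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

// Added example: grant/revoke local Administrators membership on a remote
// machine using only a local admin account of that machine.
static class RemoteAdminGroup
{
    // NEW_CREDENTIALS: the token is only used for outbound network authentication,
    // which is what we need because adminA does not exist on the calling machine.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    // Run `work` while this thread presents machine1\adminA on the network.
    // Requires .NET Framework 4.6+ or .NET on Windows (RunImpersonated).
    static void RunAsRemoteLocalAdmin(string machine, string user, string password, Action work)
    {
        IntPtr token;
        if (!LogonUser(user, machine, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        // SafeAccessTokenHandle owns the handle and closes it on Dispose.
        using (var safeToken = new SafeAccessTokenHandle(token))
            WindowsIdentity.RunImpersonated(safeToken, work);
    }

    // Find the built-in Administrators group by its well-known SID (S-1-5-32-544)
    // rather than by name, which is localized and can be renamed.
    static DirectoryEntry FindBuiltinAdministrators(string machine)
    {
        var wanted = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        var computer = new DirectoryEntry("WinNT://" + machine + ",computer");
        foreach (DirectoryEntry child in computer.Children)
        {
            if (child.SchemaClassName != "Group") continue;
            var raw = child.Properties["objectSid"].Value as byte[];
            if (raw != null && new SecurityIdentifier(raw, 0).Equals(wanted))
                return child;
            child.Dispose();
        }
        throw new InvalidOperationException("Administrators group not found on " + machine);
    }

    // Late-bound IADsGroup calls: IsMember / Add / Remove take an ADsPath.
    static bool IsMember(DirectoryEntry group, string memberPath)
    {
        return (bool)group.Invoke("IsMember", new object[] { memberPath });
    }

    static void SetMembership(DirectoryEntry group, string memberPath, bool grant)
    {
        group.Invoke(grant ? "Add" : "Remove", new object[] { memberPath });
    }

    // Assumed usage: RemoteAdminGroup.exe machine1 adminA <password> grant|revoke
    static void Main(string[] args)
    {
        string machine = args[0], localAdmin = args[1], password = args[2];
        bool grant = args[3] == "grant";
        // ADsPath form the question reports working for the domain account.
        const string member = "WinNT://domA.com/adminC";

        RunAsRemoteLocalAdmin(machine, localAdmin, password, () =>
        {
            using (var admins = FindBuiltinAdministrators(machine))
            {
                bool before = IsMember(admins, member);
                if (before != grant)
                    SetMembership(admins, member, grant);
                Console.WriteLine("member before={0} after={1}", before, IsMember(admins, member));
            }
        });
    }
}
```

The impersonation step can be skipped altogether with the DirectoryEntry constructor that takes credentials, `new DirectoryEntry(path, @"machine1\adminA", password, AuthenticationTypes.Secure)`; the WinNT provider then authenticates to machine1 as that local account, which is the same position the impersonated call is in. Either way, machine1 resolves the domA.com\adminC member path on its own domain membership, so no domain credentials are presented by the caller. Passing the password on the command line is for illustration only.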