Impersonating from a non admin user account
pradeep
2007-07-31 12:34:01 UTC
I am trying to impersonate another user from a non admin account, but my code
fails at 'LoadUserProfile' giving error 1314 : ERROR_PRIVILEGE_NOT_HELD

How do I elevate the privilege of process so that it performs the
Impersonation?

Code:
if (!LogonUser(ui.userName,
               pDomain,
               ui.userPassword,
               LOGON32_LOGON_INTERACTIVE,
               LOGON32_PROVIDER_DEFAULT,
               &tmpToken))
{
    return FALSE;
}

memset(&pInfo, 0, sizeof(pInfo));
pInfo.dwSize = sizeof(pInfo);
pInfo.dwFlags = PI_NOUI;
_tcscpy(tmpBuf, (LPCTSTR)ui.userName);
pInfo.lpUserName = tmpBuf;

// **** This is where it fails; the same code works for an admin account
if (!LoadUserProfile(tmpToken, &pInfo))
    AfxMessageBox(_T("LoadUserProfile failed"));

if (!ImpersonateLoggedOnUser(tmpToken))
    AfxMessageBox(_T("ImpersonateLoggedOnUser failed"));

I also tried using the APIs:
OpenProcessToken
LookupPrivilegeValue
AdjustTokenPrivileges (Is there any API to add a privilege?)
But I think this is to adjust already existing privileges.

Basically, how do I impersonate another user from a non-admin account?

Thank you
Kellie Fitton
2007-07-31 14:31:01 UTC
Hi,

You can use the following APIs to impersonate another user:

LogonUserEx()
ImpersonateLoggedOnUser()
GetUserProfileDirectory()
LoadUserProfile()

................................................................

UnloadUserProfile()

http://msdn2.microsoft.com/En-US/library/aa378189.aspx

http://msdn2.microsoft.com/en-US/library/aa378612.aspx

http://msdn2.microsoft.com/en-us/library/aa373772.aspx

http://msdn2.microsoft.com/En-US/library/aa374341.aspx

http://msdn2.microsoft.com/en-US/library/aa375098.aspx

Kellie.
Gautam Raj Kollabathula
2011-01-13 18:53:43 UTC
Can anyone send me the code to impersonate a non-admin?
I used the code:

using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

public class Utility
{
    [DllImport("advapi32.dll")]
    public static extern int LogonUserA(String lpszUserName,
                                        String lpszDomain,
                                        String lpszPassword,
                                        int dwLogonType,
                                        int dwLogonProvider,
                                        ref IntPtr phToken);

    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern int DuplicateToken(IntPtr hToken,
                                            int impersonationLevel,
                                            ref IntPtr hNewToken);

    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool RevertToSelf();

    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    public static extern bool CloseHandle(IntPtr handle);

    public const int LOGON32_LOGON_INTERACTIVE = 2;
    public const int LOGON32_PROVIDER_DEFAULT = 0;

    static WindowsImpersonationContext impersonationContext; //impersonation starts here

    public static bool impersonateValidUser(String username, String domain, String password)
    {
        WindowsIdentity tempWindowsIdentity;
        IntPtr token = IntPtr.Zero;
        IntPtr tokenDuplicate = IntPtr.Zero;

        if (RevertToSelf())
        {
            if (LogonUserA(username, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref token) != 0)
            {
                // 2 = SecurityImpersonation
                if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
                {
                    // WindowsIdentity keeps its own copy of the token handle
                    tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                    impersonationContext = tempWindowsIdentity.Impersonate();
                    if (impersonationContext != null)
                    {
                        CloseHandle(token);
                        CloseHandle(tokenDuplicate);
                        return true;
                    }
                }
            }
        }
        // Failure path: release whatever was opened
        if (token != IntPtr.Zero)
            CloseHandle(token);
        if (tokenDuplicate != IntPtr.Zero)
            CloseHandle(tokenDuplicate);
        return false;
    }

    public static void undoImpersonation()
    {
        // Guard against a call made when impersonation never started
        if (impersonationContext != null)
            impersonationContext.Undo();
    } //impersonation ends here.
}



But this can only be used for the user with the admin rights in the domain. Well, is there any way I can actually do it for non-admins?
Stefan Kuhr
2007-07-31 15:38:20 UTC
Hello Pradeep,
Have you tried reverting the order of your LoadUserProfile and
ImpersonateLoggedOnUser calls?
--
Stefan
Johannes Passing
2007-07-31 18:14:57 UTC
MSDN says 'The calling process must have the SE_RESTORE_NAME and
SE_BACKUP_NAME privileges'. Have you made sure the impersonated user
actually holds these two privileges and that they are enabled?

--Johannes
--
Johannes Passing - http://int3.de/
Jos Scherders
2007-08-05 20:52:43 UTC
Hi,

I asked a similar question a while ago and the response I got was that you
really need to be an Administrator. So I don't think you will be able to get
this to work. Btw. I also tried everything I could think of to make this
work and I was unsuccessful (in fact, even impersonating
an Admin account doesn't work).

If you do find a solution I would be very interested in hearing how you got
it working. :)

Jos.