[Not Resolved] Local Security Settings
Hmm... about 2 weeks ago I posted a problem when trying to change a setting in the Local Security Settings.
The thread can be found Here.
So far I have tried everything to be able to edit it.
I've even downloaded RegMon and watched the registry hoping to find the registry setting that was changed when the Security Policy was applied.
But to no success =(.
I pretty much want to add "Interactive" to "Administrative Tools \ Local Security Settings > Security Settings \ Local Policies \ User Rights Assignment > Force shutdown from a remote system".
I have tried using WMI, but then I'd have to download and install it onto every computer that I wanted to run this program from.
Is there any other way to change the Local Security Policy?
Re: Local Security Settings
Like I had posted in the other thread, not all settings are registry settings for GPOs. WMI is on systems unless the net admin has a GPO disabling it. If you are going to be distributing your app then it shouldn't be much of an issue to add WMI.
Re: Local Security Settings
Yeah, I believed you, but I decided to check anyway.
To be honest with you, I don't know much about WMI. I learn as I go. I thought it was some SDK download from Windows (saw something like this when I was searching for stuff about it), but I was wrong. It's already on all machines. Saw it when I was messing around with the admin accounts on the LAN also. Nah, it won't be disabled, since it's over my LAN, and over a few mates (we use Hamachi VPN).
I truly don't understand how to use it and I've been looking for ages. Nothing seems to make sense.
I checked the website that you gave me, but I didn't understand the code. Like it was saying that it had added 2 scripts to the startup or shutdown, but I didn't understand how it knew where the paths were or anything.
Anyway, I'm just trying to figure out how to make changes to the Local Security Policy.
Re: Local Security Settings
I found this:
1. Open the policy on the target machine with LsaOpenPolicy(). To grant privileges, open the policy with POLICY_CREATE_ACCOUNT and POLICY_LOOKUP_NAMES access. To revoke privileges, open the policy with POLICY_LOOKUP_NAMES access.
2. Obtain a SID (security identifier) representing the user/group of interest. The LookupAccountName() and LsaLookupNames() APIs can obtain a SID from an account name.
3. Call LsaAddAccountRights() to grant privileges to the user(s) represented by the supplied SID.
4. Call LsaRemoveAccountRights() to revoke privileges from the user(s) represented by the supplied SID.
5. Close the policy with LsaClose().
Private Declare Function LsaOpenPolicy Lib "Advapi32.dll" (ByRef Sname As String, ByRef ObjName As LSA_OBJECT_ATTRIBUTES, POLICY_VIEW_LOCAL_INFORMATION, PHandle As LSA_HANDLE) As Long
That's the best I can get. I haven't been able to find any examples or get that API call working. I'm hoping it's the correct one. I have however found that a lot of people also couldn't get it working too!
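The five steps quoted above, as an added VB6 example that is not part of the original thread and is not code from any poster. The function name `GrantUserRight` is hypothetical, and the example assumes the account name (for instance "INTERACTIVE" on English-language Windows) resolves through LookupAccountName and that the caller is an administrator on the local machine.

```vb
Option Explicit
' Added example, not from the thread. Paste into a standard module (.bas).
Private Type LSA_UNICODE_STRING
    Length As Integer          ' size in bytes, excluding the terminating null
    MaximumLength As Integer   ' size in bytes, including the terminating null
    Buffer As Long             ' pointer to the UTF-16 text
End Type
Private Type LSA_OBJECT_ATTRIBUTES
    Length As Long             ' only this field is filled in; the rest stay zero
    RootDirectory As Long
    ObjectName As Long
    Attributes As Long
    SecurityDescriptor As Long
    SecurityQualityOfService As Long
End Type
Private Const POLICY_CREATE_ACCOUNT As Long = &H10&
Private Const POLICY_LOOKUP_NAMES As Long = &H800&
Private Declare Function LsaOpenPolicy Lib "advapi32.dll" (ByVal SystemName As Long, ObjAttr As LSA_OBJECT_ATTRIBUTES, ByVal DesiredAccess As Long, PolicyHandle As Long) As Long
Private Declare Function LsaAddAccountRights Lib "advapi32.dll" (ByVal PolicyHandle As Long, Sid As Any, UserRights As LSA_UNICODE_STRING, ByVal CountOfRights As Long) As Long
Private Declare Function LsaClose Lib "advapi32.dll" (ByVal ObjectHandle As Long) As Long
Private Declare Function LookupAccountNameW Lib "advapi32.dll" (ByVal SystemName As Long, ByVal AccountName As Long, Sid As Any, cbSid As Long, ByVal DomainName As Long, cchDomain As Long, peUse As Long) As Long

' Returns the NTSTATUS from LSA (0 = success), or -1 if the account name does not resolve.
' Example call: GrantUserRight("INTERACTIVE", "SeRemoteShutdownPrivilege")
Public Function GrantUserRight(ByVal Account As String, ByVal RightName As String) As Long
    Dim oa As LSA_OBJECT_ATTRIBUTES, hPolicy As Long, lsaRight As LSA_UNICODE_STRING
    Dim sid(0 To 67) As Byte, cbSid As Long, domain As String, cchDomain As Long, sidUse As Long
    GrantUserRight = -1
    cbSid = 68: domain = String$(256, vbNullChar): cchDomain = 256
    ' Step 2 (done first so no policy handle is left open on failure): name -> SID
    If LookupAccountNameW(0, StrPtr(Account), sid(0), cbSid, StrPtr(domain), cchDomain, sidUse) = 0 Then Exit Function
    ' Step 1: open the local policy (SystemName = NULL) with the access needed to grant
    oa.Length = Len(oa)
    GrantUserRight = LsaOpenPolicy(0, oa, POLICY_CREATE_ACCOUNT Or POLICY_LOOKUP_NAMES, hPolicy)
    If GrantUserRight <> 0 Then Exit Function
    ' Step 3: the right is passed as a counted UTF-16 string, not as a VB String
    lsaRight.Buffer = StrPtr(RightName)
    lsaRight.Length = LenB(RightName)
    lsaRight.MaximumLength = LenB(RightName) + 2
    GrantUserRight = LsaAddAccountRights(hPolicy, sid(0), lsaRight, 1)
    ' Step 5: PolicyHandle is an output of LsaOpenPolicy and is only passed back to LSA
    LsaClose hPolicy
End Function
```

A nonzero return value is an NTSTATUS code; advapi32's LsaNtStatusToWinError converts it to a Win32 error number for lookup.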
Re: Local Security Settings
RobDog888, trying to work it out, but have come to a problem; with the ACCESS_MASK I'm trying to put this into something VB can understand, but my attempts aren't working. If you could show an example on how to convert one I'll be able to do the rest. It's written in C++ and I don't know it very well.
#define DELETE (0x00010000L)
#define READ_CONTROL (0x00020000L)
#define WRITE_DAC (0x00040000L)
#define WRITE_OWNER (0x00080000L)
#define SYNCHRONIZE (0x00100000L)
#define STANDARD_RIGHTS_REQUIRED (0x000F0000L)
#define STANDARD_RIGHTS_READ (READ_CONTROL)
#define STANDARD_RIGHTS_WRITE (READ_CONTROL)
#define STANDARD_RIGHTS_EXECUTE (READ_CONTROL)
#define STANDARD_RIGHTS_ALL (0x001F0000L)
#define SPECIFIC_RIGHTS_ALL (0x0000FFFFL)
Also, have no idea what to do with PHandle (LSAHandle), is this where "Force shutdown from a remote system" goes? It's asking for a pointer... as far as I know, they are only used in memory of running programs to point to another memory location.
Re: Local Security Settings
Code:
Const DELETE = &H10000
Const READ_CONTROL = &H20000
Const WRITE_DAC = &H40000
Const WRITE_OWNER = &H80000
Const SYNCHRONIZE = &H100000
Const STANDARD_RIGHTS_REQUIRED = &HF0000
Const STANDARD_RIGHTS_READ = READ_CONTROL
Const STANDARD_RIGHTS_WRITE = READ_CONTROL
Const STANDARD_RIGHTS_EXECUTE = READ_CONTROL
Const STANDARD_RIGHTS_ALL = &H1F0000
Const SPECIFIC_RIGHTS_ALL = &HFFFF
Ok, I think that's how it's done, but I can't test it as I haven't got the API figured out yet!
I still need help with the PHandle bit =(.
Once I get this, I use the LsaSetInformationPolicy API.
Also, how is this using WMI? I don't think WMI has much to do with it...
Re: Local Security Settings
Ok, so far I have this:
Code:
Private Declare Function LsaOpenPolicy Lib "advapi32.dll" (ByRef Sname As String, ByRef ObjName As Long, POLICY_VIEW_LOCAL_INFORMATION, PHandle As Long) As Long
Private Declare Function LsaSetInformationPolicy Lib "advapi32.dll" (ByVal PolicyHandle As Long, ByVal PolicyInformationClass As POLICY_INFORMATION_CLASS, varBuffer As Long) As Long
Private Declare Function LsaClose Lib "advapi32.dll" (PolicyHandle As Long) As Long
Private Enum POLICY_INFORMATION_CLASS
    PolicyAuditLogInformation = 1
    PolicyAuditEventsInformation
    PolicyPrimaryDomainInformation
    PolicyPdAccountInformation
    PolicyAccountDomainInformation
    PolicyLsaServerRoleInformation
    PolicyReplicaSourceInformation
    PolicyDefaultQuotaInformation
    PolicyModificationInformation
    PolicyAuditFullSetInformation
    PolicyAuditFullQueryInformation
    PolicyDnsDomainInformation = 12
End Enum
Const DELETE = &H10000
Const READ_CONTROL = &H20000
Const WRITE_DAC = &H40000
Const WRITE_OWNER = &H80000
Const SYNCHRONIZE = &H100000
Const STANDARD_RIGHTS_REQUIRED = &HF0000
Const STANDARD_RIGHTS_READ = READ_CONTROL
Const STANDARD_RIGHTS_WRITE = READ_CONTROL
Const STANDARD_RIGHTS_EXECUTE = READ_CONTROL
Const STANDARD_RIGHTS_ALL = &H1F0000
Const SPECIFIC_RIGHTS_ALL = &HFFFF
Public Function OpenHandle(Optional TheHandle As Integer = 0)
    OpenHandle = LsaOpenPolicy(0&, 0&, SPECIFIC_RIGHTS_ALL, TheHandle)
End Function
Public Function SetPolicy(Optional TheHandle As Integer = 0)
    SetPolicy = LsaSetInformationPolicy(TheHandle, PolicyModificationInformation, 1024)
End Function
Public Function CloseHandle(Optional TheHandle As Integer = 0)
    CloseHandle = LsaClose(TheHandle)
End Function
I need to know how to find the handle that I want! Also, I don't know if I've even done it right. I get some massive number when getting the return value of LsaOpenPolicy and very small values when checking some of the properties of POLICY_INFORMATION_CLASS, but I don't know what they mean. The values are like 7 and 5 and that.
Also with LsaSetInformationPolicy, what buffer should be used? I just put 1024 to be safe...
Re: Local Security Settings
Quote:
SE_REMOTE_SHUTDOWN_NAME
TEXT("SeRemoteShutdownPrivilege")
Required to shut down a system using a network request.
User Right: Force shutdown from a remote system.
I found this script that seems to get into the area you are after
Code:
DIM config_manager
DIM admin_role
' *******************************************************************
' Create and initialize a ConfigurationManager object.
SUB InitObject()
    CALL WScript.Echo( "Create ConfigurationManager object...")
    SET config_manager = CreateObject _
        ("Microsoft.RightsManagementServices.Admin.ConfigurationManager")
    CheckError()
    CALL WScript.Echo( "Initialize...")
    admin_role=config_manager.Initialize(false,"localhost",80,"","","")
    CheckError()
END SUB
' *******************************************************************
' Add user rights to the template.
SUB AddRights()
    DIM template_manager
    DIM templateColl
    DIM templateObj
    ' Retrieve the RightsTemplatePolicy object.
    SET template_manager = config_manager.RightsTemplatePolicy
    CheckError()
    ' Retrieve the rights template collection.
    SET templateColl = template_manager.RightsTemplateCollection
    CheckError()
    ' Retrieve the first template in the collection.
    SET templateObj = template_manager.RightsTemplateCollection.Item(0)
    CheckError()
    ' Add rights information.
    SET rights = CreateObject( _
        "Microsoft.RightsManagementServices.Admin.UserRightsItem")
    rights.UserId = "[email protected]"
    ''Now API add dependency rights if user does not do so
    rights.WellKnownRights = _
        config_manager.Constants.TemplateRightExtract + _
        config_manager.Constants.TemplateRightPrint + _
        config_manager.Constants.TemplateRightForward
    rights.CustomRights.Add("CUSTOMRIGHTA")
    rights.CustomRights.Add("CUSTOMRIGHTB")
    Err.Clear()
    templateObj.UserRightsItems.Add( rights )
    CheckError()
    ' Update the templates on the server.
    template_manager.RightsTemplateCollection.Update( templateObj )
    CheckError()
END SUB
' *******************************************************************
' Error checking function.
FUNCTION CheckError()
    CheckError = Err.number
    IF Err.number <> 0 THEN
        CALL WScript.Echo( vbTab & "*****Error Number: " _
            & Err.number _
            & " Desc:" _
            & Err.Description _
            & "*****")
        WScript.StdErr.Write(Err.Description)
        WScript.Quit( Err.number )
    END IF
END FUNCTION
' *******************************************************************
' Generate a runtime error.
SUB RaiseError(errId, desc)
    CALL Err.Raise( errId, "", desc )
    CheckError()
END SUB
but I can't test
Re: Local Security Settings
With the AddRights Function I get an error on this line:
The error is "Object Required".
Code:
Sub AddRights()
    Dim template_manager
    Dim templateColl
    Dim templateObj
    ' Retrieve the RightsTemplatePolicy object.
    Set template_manager = config_manager.RightsTemplatePolicy
    'CheckError()
    ' Retrieve the rights template collection.
    Set templateColl = template_manager.RightsTemplateCollection 'I'm sure the same error would happen here too.
    'CheckError()
    ' Retrieve the first template in the collection.
    Set templateObj = template_manager.RightsTemplateCollection.Item(0)
    'CheckError()
    ' Add rights information.
    Set rights = CreateObject( _
        "Microsoft.RightsManagementServices.Admin.UserRightsItem")
    rights.UserId = "[email protected]"
    ''Now API add dependency rights if user does not do so
    rights.WellKnownRights = _
        config_manager.Constants.TemplateRightExtract + _
        config_manager.Constants.TemplateRightPrint + _
        config_manager.Constants.TemplateRightForward
    rights.CustomRights.Add ("CUSTOMRIGHTA")
    rights.CustomRights.Add ("CUSTOMRIGHTB")
    'Err.Clear()
    templateObj.UserRightsItems.Add (rights)
    'CheckError()
    ' Update the templates on the server.
    template_manager.RightsTemplateCollection.Update (templateObj)
    'CheckError()
End Sub
I get the same error in the InitObject Function, but on this line:
Code:
Sub InitObject()
    Call WScript.Echo("Create ConfigurationManager object...")
    Set config_manager = CreateObject _
        ("Microsoft.RightsManagementServices.Admin.ConfigurationManager")
    'CheckError()
    Call WScript.Echo("Initialize...")
    admin_role = config_manager.Initialize(False, "localhost", 80, "", "", "")
    'CheckError()
End Sub
Re: Local Security Settings
The second is only message boxes; you can comment them out or change to MsgBox, but that sub needs to run first to create the configuration manager object. The subs could be combined, putting the init object code before the other. In VB6 you can change the declares for those to objects or whatever is appropriate.
Re: Local Security Settings
Code:
Sub InitObject()
    'Call WScript.Echo("Create ConfigurationManager object...")
    Set config_manager = CreateObject _
        ("Microsoft.RightsManagementServices.Admin.ConfigurationManager")
    'CheckError()
    'Call WScript.Echo("Initialize...")
    admin_role = config_manager.Initialize(False, "localhost", 80, "", "", "")
    'CheckError()
End Sub
I get the error "ActiveX Component can't create object".
=S, never seen that one before.
Re: Local Security Settings
It is out of my depth at this point, but I would guess it would only run on a server with Active Directory.
Re: Local Security Settings
Hmmm... there must be a way to do it in XP Professional. RobDog888 seemed to know it, but I think he wanted me to find it out, which I can't do.
Just wondering... where did you find that code?