Results 1 to 14 of 14

Thread: [Not Resolved] Local Security Settings

  1. #1

    Thread Starter
    Fanatic Member
    Join Date
    Sep 2005
    Posts
    540

    [Not Resolved] Local Security Settings

    Hmm... about 2 weeks ago i posted a problem when trying to change a setting in the Local Security Settings.

    The thread can be found Here.

    So far i have tried everything to be able to edit it.

    I've even downloaded RegMon and watched the registry hoping to find the registry setting that was changed when the Security Policy was applied.

    But to no success =(.

    I pretty much want to add "Interactive" to "Administrative Tools \ Local Security Settings > Security Settings \ Local Policies \ User Rights Assignment. > Force shutdown from a remote system"

    I have tried using WMI, but then i'd have to download and install it onto every computer that i wanted to run this program from.

    Is there any other way to change the Local Security Policy?
    Last edited by Slyke; Nov 11th, 2007 at 04:49 AM.

  2. #2
    Ex-Super Mod RobDog888's Avatar
    Join Date
    Apr 2001
    Location
    LA, Calif. Raiders #1 AKA:Gangsta Yoda™
    Posts
    60,709

    Re: Local Security Settings

    Like I had posted in the other thread, not all settings are registry settings for GPOs. WMI is on systems unless the net admin has a GPO disabling it. If you are going to be distributing your app then it shouldnt be much of an issue to ad WMI.
    VB/Office Guru™ (AKA: Gangsta Yoda®)
    I dont answer coding questions via PM. Please post a thread in the appropriate forum.

    Microsoft MVP 2006-2011
    Office Development FAQ (C#, VB.NET, VB 6, VBA)
    Senior Jedi Software Engineer MCP (VB 6 & .NET), BSEE, CET
    If a post has helped you then Please Rate it!
    Reps & Rating PostsVS.NET on Vista Multiple .NET Framework Versions Office Primary Interop AssembliesVB/Office Guru™ Word SpellChecker™.NETVB/Office Guru™ Word SpellChecker™ VB6VB.NET Attributes Ex.Outlook Global Address ListAPI Viewer utility.NET API Viewer Utility
    System: Intel i7 6850K, Geforce GTX1060, Samsung M.2 1 TB & SATA 500 GB, 32 GBs DDR4 3300 Quad Channel RAM, 2 Viewsonic 24" LCDs, Windows 10, Office 2016, VS 2019, VB6 SP6

  3. #3

    Thread Starter
    Fanatic Member
    Join Date
    Sep 2005
    Posts
    540

    Re: Local Security Settings

    Yeah, i believed you, but i decided to check any way.

    To be honest with you. I don't know much about WMI, I learn as i go, i thought it was some SDK download from windows (saw something like this when i was searching for stuff about it), but i was wrong. It's already on all machines. Saw it when i was messing around with the admin accounts on the LAN also. Nahh it won't be disabled, since it's over my LAN, and over a few mates (We use Hamachi VPN).

    I truly don't understand how to use it and I've been looking for ages. Nothing seems to make sense.

    I checked the website that you gave me, but i didn't understand the code. Like it was saying that it had added 2 scripts to the startup or shutdown, but i didn't understand how it knew where the paths were or anything.

    Any way, I'm just trying to figure out how to make changes to the Local Security Policy.

  4. #4

    Thread Starter
    Fanatic Member
    Join Date
    Sep 2005
    Posts
    540

    Re: Local Security Settings

    I found this:

    1. Open the policy on the target machine with LsaOpenPolicy(). To grant privileges, open the policy with POLICY_CREATE_ACCOUNT and POLICY_LOOKUP_NAMES access. To revoke privileges, open the policy with POLICY_LOOKUP_NAMES access.
    2. Obtain a SID (security identifier) representing the user/group of interest. The LookupAccountName() and LsaLookupNames() APIs can obtain a SID from an account name.
    3. Call LsaAddAccountRights() to grant privileges to the user(s) represented by the supplied SID.
    4. Call LsaRemoveAccountRights() to revoke privileges from the user(s) represented by the supplied SID.
    5. Close the policy with LsaClose().



    Private Declare Function LsaOpenPolicy Lib "Advapi32.dll" (ByRef Sname As String, ByRef ObjName As LSA_OBJECT_ATTRIBUTES, POLICY_VIEW_LOCAL_INFORMATION, PHandle As LSA_HANDLE) As Long


    That's the best i can get. I haven't been able to find any examples or get that API call working. I'm hoping it's the correct one. I have however found that a lot of people also couldn't get it working too!

  5. #5
    Ex-Super Mod RobDog888's Avatar
    Join Date
    Apr 2001
    Location
    LA, Calif. Raiders #1 AKA:Gangsta Yoda™
    Posts
    60,709
    VB/Office Guru™ (AKA: Gangsta Yoda®)
    I dont answer coding questions via PM. Please post a thread in the appropriate forum.

    Microsoft MVP 2006-2011
    Office Development FAQ (C#, VB.NET, VB 6, VBA)
    Senior Jedi Software Engineer MCP (VB 6 & .NET), BSEE, CET
    If a post has helped you then Please Rate it!
    Reps & Rating PostsVS.NET on Vista Multiple .NET Framework Versions Office Primary Interop AssembliesVB/Office Guru™ Word SpellChecker™.NETVB/Office Guru™ Word SpellChecker™ VB6VB.NET Attributes Ex.Outlook Global Address ListAPI Viewer utility.NET API Viewer Utility
    System: Intel i7 6850K, Geforce GTX1060, Samsung M.2 1 TB & SATA 500 GB, 32 GBs DDR4 3300 Quad Channel RAM, 2 Viewsonic 24" LCDs, Windows 10, Office 2016, VS 2019, VB6 SP6

  6. #6

    Thread Starter
    Fanatic Member
    Join Date
    Sep 2005
    Posts
    540

    Re: Local Security Settings

    RobDog888, trying to work it out, but have come to a problem; With the ACCESS_MASK i'm trying to put This into something VB can understand, but my attempts aren't working. If you could show an example on how to convet one i'll be able to do the rest. It's written in C++ and i don't know it very well.

    #define DELETE (0x00010000L)
    #define READ_CONTROL (0x00020000L)
    #define WRITE_DAC (0x00040000L)
    #define WRITE_OWNER (0x00080000L)
    #define SYNCHRONIZE (0x00100000L)

    #define STANDARD_RIGHTS_REQUIRED (0x000F0000L)

    #define STANDARD_RIGHTS_READ (READ_CONTROL)
    #define STANDARD_RIGHTS_WRITE (READ_CONTROL)
    #define STANDARD_RIGHTS_EXECUTE (READ_CONTROL)

    #define STANDARD_RIGHTS_ALL (0x001F0000L)

    #define SPECIFIC_RIGHTS_ALL (0x0000FFFFL)





    Also, have no idea what to do with PHandle (LSAHandle), is this where "Force shutdown from a remote system" goes? It's asking for a pointer... as far as i know, they are only used in memory of running programs to point to another memory location.
    Last edited by Slyke; Nov 10th, 2007 at 12:20 AM.

  7. #7

    Thread Starter
    Fanatic Member
    Join Date
    Sep 2005
    Posts
    540

    Re: Local Security Settings

    Code:
    Const DELETE = &H10000
    Const READ_CONTROL = &H20000
    Const WRITE_DAC = &H40000
    Const WRITE_OWNER = &H80000
    Const SYNCHRONIZE = &H100000
    
    Const STANDARD_RIGHTS_REQUIRED = &HF0000
    
    Const STANDARD_RIGHTS_READ = READ_CONTROL
    Const STANDARD_RIGHTS_WRITE = READ_CONTROL
    Const STANDARD_RIGHTS_EXECUTE = READ_CONTROL
    
    Const STANDARD_RIGHTS_ALL = &H1F0000
    
    Const SPECIFIC_RIGHTS_ALL = &HFFFF
    Ok, i think that's how it's done, but i can't test it as i haven't got the API figured out yet!

    I still need help with the PHandle bit =(.

    Once i get this, i use the LsaSetInformationPolicy API.

    Also, how is this using WMI? I don't think WMI has much to do with it...
    Last edited by Slyke; Nov 10th, 2007 at 06:31 AM.

  8. #8

    Thread Starter
    Fanatic Member
    Join Date
    Sep 2005
    Posts
    540

    Re: Local Security Settings

    Ok, so far i have this:


    Code:
    Private Declare Function LsaOpenPolicy Lib "advapi32.dll" (ByRef Sname As String, ByRef ObjName As Long, POLICY_VIEW_LOCAL_INFORMATION, PHandle As Long) As Long
    Private Declare Function LsaSetInformationPolicy Lib "advapi32.dll" (ByVal PolicyHandle As Long, ByVal PolicyInformationClass As POLICY_INFORMATION_CLASS, varBuffer As Long) As Long
    Private Declare Function LsaClose Lib "advapi32.dll" (PolicyHandle As Long) As Long
    
    Private Enum POLICY_INFORMATION_CLASS
    PolicyAuditLogInformation = 1
    PolicyAuditEventsInformation
    PolicyPrimaryDomainInformation
    PolicyPdAccountInformation
    PolicyAccountDomainInformation
    PolicyLsaServerRoleInformation
    PolicyReplicaSourceInformation
    PolicyDefaultQuotaInformation
    PolicyModificationInformation
    PolicyAuditFullSetInformation
    PolicyAuditFullQueryInformation
    PolicyDnsDomainInformation = 12
    End Enum
    
    Const DELETE = &H10000
    Const READ_CONTROL = &H20000
    Const WRITE_DAC = &H40000
    Const WRITE_OWNER = &H80000
    Const SYNCHRONIZE = &H100000
    
    Const STANDARD_RIGHTS_REQUIRED = &HF0000
    
    Const STANDARD_RIGHTS_READ = READ_CONTROL
    Const STANDARD_RIGHTS_WRITE = READ_CONTROL
    Const STANDARD_RIGHTS_EXECUTE = READ_CONTROL
    
    Const STANDARD_RIGHTS_ALL = &H1F0000
    
    Const SPECIFIC_RIGHTS_ALL = &HFFFF
    
    Public Function OpenHandle(Optional TheHandle As Integer = 0)
    
    OpenHandle = LsaOpenPolicy(0&, 0&, SPECIFIC_RIGHTS_ALL, TheHandle)
    
    End Function
    
    Public Function SetPolicy(Optional TheHandle As Integer = 0)
    
    SetPolicy = LsaSetInformationPolicy(TheHandle, PolicyModificationInformation, 1024)
    
    End Function
    
    Public Function CloseHandle(Optional TheHandle As Integer = 0)
    
    CloseHandle = LsaClose(TheHandle)
    
    End Function

    I need to know how to find the handle that i want! Also, i don't know if I've even done it right. I get some massive number when getting the return value of LsaOpenPolicy and very small values when checking some of the properties of POLICY_INFORMATION_CLASS, but i don't know what they mean. The values are like 7 and 5 and that.

    Also with LsaSetInformationPolicy, what buffer should be used? I just put 1024 to be safe...

  9. #9
    PowerPoster
    Join Date
    Dec 2004
    Posts
    25,618

    Re: Local Security Settings

    SE_REMOTE_SHUTDOWN_NAME
    TEXT("SeRemoteShutdownPrivilege")


    Required to shut down a system using a network request.

    User Right: Force shutdown from a remote system.
    i found this script that seems to get into the area you are after
    Code:
    DIM config_manager
    DIM admin_role
    
    ' *******************************************************************
    ' Create and initialize a ConfigurationManager object.
    
    SUB InitObject()
    
      CALL WScript.Echo( "Create ConfigurationManager object...")
      SET config_manager = CreateObject _
        ("Microsoft.RightsManagementServices.Admin.ConfigurationManager")      
      CheckError()
        
      CALL WScript.Echo( "Initialize...")
      admin_role=config_manager.Initialize(false,"localhost",80,"","","")
      CheckError()
    
    END SUB
    
    ' *******************************************************************
    ' Add user rights to the template. 
    
    SUB AddRights()
    
      DIM template_manager
      DIM templateColl
      DIM templateObj
    
      ' Retrieve the RightsTemplatePolicy object.
      SET template_manager = config_manager.RightsTemplatePolicy
      CheckError()
    
      ' Retrieve the rights template collection.
      SET templateColl = template_manager.RightsTemplateCollection
      CheckError()
    
      ' Retrieve the first template in the collection.
      SET templateObj = template_manager.RightsTemplateCollection.Item(0)
      CheckError()
    
      ' Add rights information.
      SET rights = CreateObject( _
          "Microsoft.RightsManagementServices.Admin.UserRightsItem")
      rights.UserId = "[email protected]"
      ''Now API add dependency rights if user does not do so
      rights.WellKnownRights = _
            config_manager.Constants.TemplateRightExtract + _
            config_manager.Constants.TemplateRightPrint + _
            config_manager.Constants.TemplateRightForward
      rights.CustomRights.Add("CUSTOMRIGHTA")
      rights.CustomRights.Add("CUSTOMRIGHTB")
      Err.Clear()
      templateObj.UserRightsItems.Add( rights )
      CheckError()
      
      ' Update the templates on the server.
      template_manager.RightsTemplateCollection.Update( templateObj )
      CheckError()
    
    END SUB
    
    ' *******************************************************************
    ' Error checking function.
    
    FUNCTION CheckError()
      CheckError = Err.number
      IF Err.number <> 0 THEN
        CALL WScript.Echo( vbTab & "*****Error Number: " _
                           & Err.number _
                           & " Desc:" _
                           & Err.Description _
                           & "*****")
        WScript.StdErr.Write(Err.Description)
        WScript.Quit( Err.number )
      END IF
    END FUNCTION
    
    ' *******************************************************************
    ' Generate a runtime error.
    
    SUB RaiseError(errId, desc)
      CALL Err.Raise( errId, "", desc )
      CheckError()
    END SUB
    but i can't test
    i do my best to test code works before i post it, but sometimes am unable to do so for some reason, and usually say so if this is the case.
    Note code snippets posted are just that and do not include error handling that is required in real world applications, but avoid On Error Resume Next

    dim all variables as required as often i have done so elsewhere in my code but only posted the relevant part

    come back and mark your original post as resolved if your problem is fixed
    pete

  10. #10

    Thread Starter
    Fanatic Member
    Join Date
    Sep 2005
    Posts
    540

    Re: Local Security Settings

    With the AddRights Function I get an error on this line:

    The error is "Object Required".

    Code:
    Sub AddRights()
    
      Dim template_manager
      Dim templateColl
      Dim templateObj
    
      ' Retrieve the RightsTemplatePolicy object.
      Set template_manager = config_manager.RightsTemplatePolicy
      'CheckError()
    
      ' Retrieve the rights template collection.
      Set templateColl = template_manager.RightsTemplateCollection  'I'm sure the same error would happen here too.
      'CheckError()
    
      ' Retrieve the first template in the collection.
      Set templateObj = template_manager.RightsTemplateCollection.Item(0)
      'CheckError()
    
      ' Add rights information.
      Set rights = CreateObject( _
          "Microsoft.RightsManagementServices.Admin.UserRightsItem")
      rights.UserId = "[email protected]"
      ''Now API add dependency rights if user does not do so
      rights.WellKnownRights = _
            config_manager.Constants.TemplateRightExtract + _
            config_manager.Constants.TemplateRightPrint + _
            config_manager.Constants.TemplateRightForward
      rights.CustomRights.Add ("CUSTOMRIGHTA")
      rights.CustomRights.Add ("CUSTOMRIGHTB")
      'Err.Clear()
      templateObj.UserRightsItems.Add (rights)
      'CheckError()
      
      ' Update the templates on the server.
      template_manager.RightsTemplateCollection.Update (templateObj)
      'CheckError()
    
    End Sub
    I get the same error in the InitObject Function, but on this line:
    Code:
    Sub InitObject()
    
      Call WScript.Echo("Create ConfigurationManager object...")
      Set config_manager = CreateObject _
        ("Microsoft.RightsManagementServices.Admin.ConfigurationManager")
      'CheckError()
        
      Call WScript.Echo("Initialize...")
      admin_role = config_manager.Initialize(False, "localhost", 80, "", "", "")
      'CheckError()
    
    End Sub

  11. #11
    PowerPoster
    Join Date
    Dec 2004
    Posts
    25,618

    Re: Local Security Settings

    the second is only message boxes, you can comment them out or change to msgbox but that sub needs to run first to create the configuration manager object, the subs could be combined, putting the init object code before the other, in VB6 you can change the declares for those to objects or whatever is appropriate
    i do my best to test code works before i post it, but sometimes am unable to do so for some reason, and usually say so if this is the case.
    Note code snippets posted are just that and do not include error handling that is required in real world applications, but avoid On Error Resume Next

    dim all variables as required as often i have done so elsewhere in my code but only posted the relevant part

    come back and mark your original post as resolved if your problem is fixed
    pete

  12. #12

    Thread Starter
    Fanatic Member
    Join Date
    Sep 2005
    Posts
    540

    Re: Local Security Settings

    Code:
    Sub InitObject()
    
      'Call WScript.Echo("Create ConfigurationManager object...")
      Set config_manager = CreateObject _
        ("Microsoft.RightsManagementServices.Admin.ConfigurationManager")
      'CheckError()
        
      'Call WScript.Echo("Initialize...")
      admin_role = config_manager.Initialize(False, "localhost", 80, "", "", "")
      'CheckError()
    
    End Sub
    I get the error "ActiveX Component can't create object".

    =S, never seen that one before.
    Last edited by Slyke; Nov 11th, 2007 at 04:09 AM.

  13. #13
    PowerPoster
    Join Date
    Dec 2004
    Posts
    25,618

    Re: Local Security Settings

    it is out of my depth at this point, but i would guess it would only run on a server with active directory
    i do my best to test code works before i post it, but sometimes am unable to do so for some reason, and usually say so if this is the case.
    Note code snippets posted are just that and do not include error handling that is required in real world applications, but avoid On Error Resume Next

    dim all variables as required as often i have done so elsewhere in my code but only posted the relevant part

    come back and mark your original post as resolved if your problem is fixed
    pete

  14. #14

    Thread Starter
    Fanatic Member
    Join Date
    Sep 2005
    Posts
    540

    Re: Local Security Settings

    Hmmm... there must be a way to do it in XP Professional. RobDog888 seemed to know it, but i think he wanted me to find it out, which i can't do.


    Just wondering... where did you find that code?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width