我对模仿有什么看法? [英] What am I missing about impersonation?
问题描述
我准备把自己从建筑物上扔掉。
我支持经常更新的特定应用程序的几百个用户 - 所述更新涉及只不过用新版本替换主.exe。我为自己编写了一个仪表板,允许我提前登上新版本,在升级之夜推出它,回滚等等。但我一直想写一个简单的包装器,它位于用户身上桌面并允许他们自己更换.exe。
问题是公司政策禁止用户拥有应用程序目录的写权限。
所以我在VB中尝试了各种类型和形式的模拟 - 控制台和表单应用程序 - 虽然我认为我完全按照各种博客中的指示完成了所有操作微软,虽然单步执行程序表明我确实冒充了所有机器上具有管理员权限的用户,但是当普通用户运行代码时,它无法复制新文件,抛出用户没有的错误t拥有该目录的权利。
代码的核心,任何人都曾试图这样做可能认识到的,看起来像这样:
<预LANG = VB> <跨度类= 代码关键字>使用 safeTokenHandle
<跨度类=代码 - 关键字> Dim 成功作为 字符串
如果 returnValue 那么 success = 是 其他 success = 否
TextBox1.Text + = LogonUser成功了吗? & success& vbCrLf
TextBox1.Text + = Windows NT令牌的值: &安培; safeTokenHandle.DangerousGetHandle()的ToString()及vbCrLf
<跨度类= 代码注释 >' <跨度类= 代码 - 注释>检查身份。
TextBox1.Text = 在模仿之前:& WindowsIdentity.GetCurrent()。Name& vbCrLf
' 使用令牌LogonUser返回的句柄。
使用 newId 作为 新的WindowsIdentity(safeTokenHandle.DangerousGetHandle())
<跨度类= 代码关键字 >使用 impersonatedUser <跨度类= 代码关键字>为 WindowsImpersonationContext = newId.Impersonate()
' 检查身份。
TextBox1.Text + = 模仿后:& WindowsIdentity.GetCurrent()。Name& vbCrLf
System.IO.File.Copy( \\MyServer\SourceFiles \TheProgram。 exe, c:\ Program Files \ AppDirectory \ TheProgram.exe, True )
' 释放代币。
结束 使用
结束 使用
结束 使用
文本框更新确实显示了file.copy代码正在newID下运行,但副本仍然因权利问题而失败。
我错过了什么?
几年了我有类似的问题。如果我没记错,我可以通过更改组策略来更改权限问题。
我更改的设置是计算机配置 - 策略 - Windows设置 - 安全设置 - 本地策略 - 用户权限分配 - 操作作为操作系统的一部分。
虽然可能不太安全......
I'm about to throw myself off a building over this.
I support a few hundred users of a particular application that is updated frequently - said updates involving nothing more than replacing the main .exe with a new version. I've written a dashboard for myself that allows me to stage the new version in advance, push it out on the night of the upgrade, rollback, etc. But I've always wanted to write a simple wrapper that sits on the users' desktops and allows them to swap out the .exe on their own.
Problem is that company policy forbids the users from having write rights to the application directory.
So I've tried various types and forms of impersonation in VB - console and form applications - and, though I think I've done everything exactly as instructed in various blogs and by Microsoft, and although stepping through the programs indicates that I have indeed impersonated a user with admin rights on all of the machines, when a regular user runs the code, it fails to copy the new file, throwing the error that "the user doesn't have rights to the directory."
The heart of the code, which anyone who's ever tried to do this will probably recognize, looks like this:
Using safeTokenHandle
Dim success As String
If returnValue Then success = "Yes" Else success = "No"
TextBox1.Text += "Did LogonUser succeed? " & success & vbCrLf
TextBox1.Text += "Value of Windows NT token: " & safeTokenHandle.DangerousGetHandle().ToString() & vbCrLf
' Check the identity.
TextBox1.Text = "Before impersonation: " & WindowsIdentity.GetCurrent().Name & vbCrLf
' Use the token handle returned by LogonUser.
Using newId As New WindowsIdentity(safeTokenHandle.DangerousGetHandle())
Using impersonatedUser As WindowsImpersonationContext = newId.Impersonate()
' Check the identity.
TextBox1.Text += "After impersonation: " & WindowsIdentity.GetCurrent().Name & vbCrLf
System.IO.File.Copy("\\MyServer\SourceFiles\TheProgram.exe", "c:\Program Files\AppDirectory\TheProgram.exe", True)
' Free the tokens.
End Using
End Using
End Using
The text box updates do indeed show that the file.copy code is being run under the newID, but the copy still fails with a rights issue.
What the heck am I missing?
Several years ago I had a similar problem. If I recall correctly I was able to change the permission problem by altering the Group Policy.
The setting I changed was Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment - Act as part of the operating system.
It might not be very safe, though...
这篇关于我对模仿有什么看法?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
