VB.net Windows Server - WindowsPrincipal.IsInRole - Always Shows False
Question
Hi
I have a Local System service running currently which launches an application, as it should, for each of the users logged on, and it works as expected. However, the problem I have now is that I am trying to prevent it from running for 'Administrators' / 'Domain Admins'.
It has to run as 'Local Service' as it requires the SE_TCB_NAME privilege.
Everything works as it should, other than the WindowsIdentity/WindowsPrincipal calls, which all return False for each of the principals.
Ses.SecureToken is the user's token; the following section returns the correct username of the session, so I know that the WindowsIdentity is correct and has identified it correctly:

```vb
Dim EventLogText As String = wi.User.Translate(GetType(NTAccount)).ToString
```

Here is a code snippet of what I am trying to do, and below is the event log output:
```vb
For Each Ses As clsGetLoggedInSessions.LoggedInInfo In liSessions.Sessions
    'Is the State in Active State
    If (Ses.ConnectionState = WTS_CONNECTSTATE_CLASS.WTSActive) Then
        Dim wi As WindowsIdentity = New WindowsIdentity(Ses.SecurityToken)
        Dim wp As WindowsPrincipal
        wp = New WindowsPrincipal(wi)
        Dim EventLogText As String = wi.User.Translate(GetType(NTAccount)).ToString & vbCrLf
        EventLogText &= "Admin Role: " & wp.IsInRole(WindowsBuiltInRole.Administrator) & vbCrLf
        EventLogText &= "Power Role: " & wp.IsInRole(WindowsBuiltInRole.PowerUser) & vbCrLf
        EventLogText &= "operator Role: " & wp.IsInRole(WindowsBuiltInRole.AccountOperator) & vbCrLf
        EventLogText &= "Backup Role: " & wp.IsInRole(WindowsBuiltInRole.BackupOperator) & vbCrLf
        EventLogText &= "System Role: " & wp.IsInRole(WindowsBuiltInRole.SystemOperator) & vbCrLf
        EventLogText &= "Domain Admin Role: " & wp.IsInRole("DOMAIN\Domain Admins") & vbCrLf
        EventLog1.WriteEntry(EventLogText)
    End If
Next
```

Event log output:

```text
My.Username
Admin Role: False
Power Role: False
operator Role: False
Backup Role: False
System Role: False
Domain Admin Role: False
```
Would appreciate any help you guys can offer. Thanks again guys/gals :)
Thanks, Dave
Hi
Resolved this issue; changed the token name from Ses.SecureToken to the following:

```vb
Dim wi As WindowsIdentity = New WindowsIdentity(String.Concat(Ses.WindowsUsername & "@" & Ses.WindowsDomain))
```

And now, instead of using 'IsInRole', I loop through WindowsIdentity.Groups, translate the SID to a name and do a case select to match the required groups; it's as broad as it is long, but it works.
```vb
For Each Ses As clsGetLoggedInSessions.LoggedInInfo In liSessions.Sessions
    'Is the State in Active State - If Not, Move On
    If Not (Ses.ConnectionState = WTS_CONNECTSTATE_CLASS.WTSActive) Then Continue For
    'Windows Identity Based on User Account.
    Dim WI As New WindowsIdentity(Ses.WindowsUsername & "@" & Ses.WindowsDomain)
    'SID List, GroupName List
    Dim tmpGrpName As String = ""
    'Loop Through WI Groups and Store to String (For Group Checking Later)
    For Each Pip As IdentityReference In WI.Groups
        Try
            tmpGrpName &= Pip.Translate(GetType(NTAccount)).ToString & ","
        Catch ex As Exception
            'SID could not be translated to a name (e.g. orphaned group); skip it
            Continue For
        End Try
    Next
    'Drop Process Info into Data Table for each user
    Dim tmpDat As DataTable = WMIQueryDataset(String.Format("SELECT * FROM Win32_Process WHERE SessionId='{0}' And Name='{1}'", CUInt(Ses.SessionId).ToString, "calc.exe"))
    'Check if Rows Have been returned
    If (tmpDat.Rows.Count = 0) Then
        'Ensure user is not member of admin roles
        If (GroupPermissionCheck(tmpGrpName) = False) Then Call StartAppAsUser(Ses.SecurityToken, "C:\Windows\System32\calc.exe")
    End If
Next
End Sub

Private Function GroupPermissionCheck(ByVal Grps As String) As Boolean
    Dim GroupsToCheck() As String = {"BUILTIN\ADMINISTRATORS", "BUILTIN\POWER USERS", "AKINIKA\DOMAIN ADMINS", "BUILTIN\BACKUP OPERATORS"}
    Dim Returnval As Boolean = False
    'Translated names come back in mixed case (e.g. BUILTIN\Administrators), so the
    'comparison must be case-insensitive or no group will ever match
    Array.ForEach(GroupsToCheck, Sub(val) If (Grps.IndexOf(val, StringComparison.OrdinalIgnoreCase) > -1) Then Returnval = True)
    'Return the computed result rather than a constant True
    Return Returnval
End Function

Private Sub StartAppAsUser(ByVal SecureToken As IntPtr, CommandPath As String)
    Dim ProcInfo As New WindowsApi.PROCESS_INFORMATION
    Dim StartInfo As New WindowsApi.STARTUPINFOW
    StartInfo.cb = CUInt(Runtime.InteropServices.Marshal.SizeOf(StartInfo))
    WindowsApi.CreateProcessAsUser(SecureToken, CommandPath, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, False, 0, IntPtr.Zero, Nothing, StartInfo, ProcInfo)
    If Not SecureToken = IntPtr.Zero Then
        WindowsApi.CloseHandle(SecureToken)
    End If
End Sub
```
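A common reason for every role check in the question coming back False is UAC token filtering: the token that Terminal Services hands out for an administrator's interactive session is the filtered token, in which Administrators is present only as a deny-only SID. WindowsPrincipal.IsInRole (which calls CheckTokenMembership) and WindowsIdentity.Groups both ignore deny-only SIDs, so the session looks like a standard user. The UPN-based WindowsIdentity in the answer works because an S4U logon token is not filtered, but it needs a domain account and reports what the directory says the account belongs to, not what the session's processes actually run as. The following module is an added example, not Dave's code or part of his project: it checks privileged groups by SID instead of by translated name (so there is no dependency on casing, locale or a hard-coded domain name), and when the session token is filtered it also queries the linked token to see the real membership. The names GetLinkedToken, IsPrivilegedIdentity and SessionIsPrivileged are assumed helper names; the two P/Invoke declarations are standard advapi32/kernel32 signatures, and the caller is assumed to hold a token with TOKEN_QUERY access (the service in the question holds SeTcbPrivilege, which is sufficient).

```vb
Imports System.Collections.Generic
Imports System.Linq
Imports System.Runtime.InteropServices
Imports System.Security.Principal

' Added example module; helper names are assumptions, not from the original post.
Module PrivilegedSessionCheck

    <DllImport("advapi32.dll", SetLastError:=True)>
    Private Function GetTokenInformation(TokenHandle As IntPtr, TokenInformationClass As Integer,
                                         TokenInformation As IntPtr, TokenInformationLength As Integer,
                                         ByRef ReturnLength As Integer) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)>
    Private Function CloseHandle(hObject As IntPtr) As Boolean
    End Function

    ' TOKEN_INFORMATION_CLASS.TokenLinkedToken
    Private Const TokenLinkedToken As Integer = 19

    ' Returns the linked (unfiltered) token of a UAC-filtered token, or IntPtr.Zero when the
    ' query fails because the token has no linked token. The caller owns the returned handle.
    Public Function GetLinkedToken(token As IntPtr) As IntPtr
        ' TOKEN_LINKED_TOKEN is a single HANDLE field
        Dim buf As IntPtr = Marshal.AllocHGlobal(IntPtr.Size)
        Try
            Dim needed As Integer = 0
            If Not GetTokenInformation(token, TokenLinkedToken, buf, IntPtr.Size, needed) Then
                Return IntPtr.Zero
            End If
            Return Marshal.ReadIntPtr(buf)
        Finally
            Marshal.FreeHGlobal(buf)
        End Try
    End Function

    ' True when the identity is an enabled member of any of the privileged groups the
    ' question lists. Comparing SIDs avoids the name-translation and casing problems
    ' of matching "BUILTIN\ADMINISTRATORS" as a substring.
    Public Function IsPrivilegedIdentity(wi As WindowsIdentity) As Boolean
        Dim privileged As New List(Of SecurityIdentifier) From {
            New SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, Nothing),
            New SecurityIdentifier(WellKnownSidType.BuiltinPowerUsersSid, Nothing),
            New SecurityIdentifier(WellKnownSidType.BuiltinAccountOperatorsSid, Nothing),
            New SecurityIdentifier(WellKnownSidType.BuiltinBackupOperatorsSid, Nothing)}

        ' Domain Admins is RID 512 in the user's own account domain, so derive it from the
        ' user SID instead of hard-coding "DOMAIN\Domain Admins".
        Dim domainSid As SecurityIdentifier = wi.User.AccountDomainSid
        If domainSid IsNot Nothing Then
            privileged.Add(New SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, domainSid))
        End If

        Dim wp As New WindowsPrincipal(wi)
        Return privileged.Any(Function(sid) wp.IsInRole(sid))
    End Function

    ' Evaluates the session token as given and, if it is a filtered token, its linked token.
    ' The session token itself is not closed here; it still belongs to the caller.
    Public Function SessionIsPrivileged(sessionToken As IntPtr) As Boolean
        ' First, the token the session's processes actually run with.
        Using wi As New WindowsIdentity(sessionToken)
            If IsPrivilegedIdentity(wi) Then Return True
        End Using

        ' Under UAC the admin groups are deny-only in this token and hidden from IsInRole
        ' and Groups; the linked token carries the unfiltered membership.
        Dim linked As IntPtr = GetLinkedToken(sessionToken)
        If linked = IntPtr.Zero Then Return False
        Try
            Using wi As New WindowsIdentity(linked)
                Return IsPrivilegedIdentity(wi)
            End Using
        Finally
            CloseHandle(linked)
        End Try
    End Function

End Module
```

In the session loop from the answer, `If Not SessionIsPrivileged(Ses.SecurityToken) Then Call StartAppAsUser(...)` replaces the name-string check; because the decision is taken on the session's own token (plus its linked token), it does not depend on the account being a domain account, and a member of Administrators whose session is running under a filtered token is still recognised as privileged rather than being treated as a standard user.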