LsaEnumerateAccountRights always returns "File not found"


Problem description

I'm calling the Advapi32.dll LsaEnumerateAccountRights function having a policy handle from LsaOpenPolicy and an account SID from LookupAccountName.

However, try as I might, I'm always getting back 0xC0000034 which after translation by LsaNtStatusToWinError gives me "The file referenced cannot be found."

Which isn't a whole lot of good. My code handles this and goes on to grant the account SID the SeServiceLogonRight using LsaAddAccountRights, so I know that the policy handle and the account SID are fine as that would bomb out if something was wrong with one of those.

The end result is that the account does have the right it needs so overall the code works.

However, I'm using this within an MSI custom action, the Install checks to see if the account has the right and if it doesn't (or it fails as above) it grants the right and remembers it has done it in the install state. If a rollback happens and it added the right it then removes it. We never remove in an uninstall as other applications may have been installed using the same domain account that the services we run use.

So the problem is when an MSI performs a rollback - it will always remove the right as it always thinks it has added it. So checking the rights using LsaEnumerateAccountRights is used for this - but I just can't get it to work.

Any idea - please note that I'm using C# with DllImport attribute to expose the Win32 functions, and I'm not the world's best Win32 programmer having been Unix before C#!

Recommended answer

I have been struggling with this, too, but have just cracked it...

Retrospectively, I now see there was a clue in the MSDN documentation: "The accounts returned by this function hold the specified privilege directly through the user account, not as part of membership to a group."

See: link text

Get the policy handle from LsaOpenPolicy() and an account SID from LookupAccountName() exactly as you said.

If the username you entered was the name of a group ("Users", "Administrators", etc) then LsaEnumerateAccountRights() works fine and enumerates all the rights for the group.

If you call it on a username whose rights derive solely from the groups of which it is a member, then it returns 0xc0000034 (= Windows error 2 - The system cannot find the "file" specified), meaning (we now realise) "cannot find any individually assigned additional rights". It seems that the Windows Error 2 translation is a catch-all for "what you were looking for has not been found".

Now... If you have ntrights.exe, run it... for example:

ntrights +r SeNetworkLogonRight -u MyUserName

Then, LsaEnumerateAccountRights() works fine, returns without error and enumerates a single right, "SeNetworkLogonRight".
