Database Search

match allmatch any Look in all areasLook in current areas Check all datesPrevious dayPrevious 3 daysPrevious weekPrevious fortnightPrevious monthPrevious 2 monthsPrevious 3 monthsPrevious half-yearPrevious year

TechHome

Services

• 1219 Error with AddDrive
• Account Expires after wntUserAddDat
• Add Domain Group to Local Administrator Remotely
• Add Everyone to Administrators Group
• Add Global Groups in Domain
• Adding Domain to Workstation
• Adding Users and Setting Flags
• Adds User Account to Local Administrator Group
• Allow Inheritable Permissions from Parent
• Builtin Group SID convert to Name
• Bypass NT Ctrl Alt Del to Logon
• Changing Computer Name and Machine Account
• Changing Domain Passwords Sample Code
• Check For Disabled Computer Account
• Check if You Have Local Admin Rights
• Checking an Accounts Password
• Checking for Old Users
• Convert SID to User ID
• Converting SID to Domain - Account Name
• Create Directories and Set NT Access Permissions
• Dealling With Inheritiable Permissions
• Decode Logon Hours
• Determine if Computer is in a Workgroup or Domain
• Determine if PC is Member of Domain
• Determine Inheritance
• Determining if Current User is Authenticated
• Disable Allow Inheritable Permissions
• Domain Trusts Explained
• Error 673 WntPrivAdd
• Error 684 using wntAccess functions
• Find Domain for a Computer
• Foreign Language support of the Win32 Network Extender
• Get a Users Primary Group
• Get Domain User Info
• Get Machine Administrator Userid
• Get SID from Username
• Get the Currently Logged on User in NT
• Get the SID of a Workstation
• Get User Name and wntUserProps
• How to determine if a file is in use on LAN
• How to disable Allow inheritable permissions
• How to Get the Local Adminstrator Account
• How WntServerList Determines a Server
• Inherit NTFS Persmissions
• Interpreting Access Rights
• Is Domain User a Local Admin
• Is User Logged into Domain or Local Account
• Is wntChgPswd Encrypted
• Issue with AccessMod on Remote Machine
• Keeping Track of Last User Login
• List only Windows 2000 Systems
• List Open Connections
• List Terminal Servers
• Listing Directory Shares with Permissions
• Losing Mapped Drive Connections in XP
• Matching SID to ProfileList folder
• NT Auditing
• NT Extender and NT4 No Service Packs
• NT Network Extender and UPN Account Names
• Obtain Share Permissions
• Obtain user sid
• Port Required for WntUserGetDat
• Problems caused by ADMT
• Pull Trusted Domain List
• Reboot user with no shutdown privileges
• Remotely Reboot and wntShutDown
• Remove Everyone Access from D
• Rename User in an AD Domain
• Reset Passwords in Active Directory
• Reset Permissions when Inheritable is Enabled
• Rights to use wntFileUsers
• Runwithlogon and Bad Username
• RunWithLogon Parameter Size
• RunWithLogon versus RunAsUser
• Searching NT Users and Find by Last Name
• Server Description Field
• Setting File Permissions with wntAccessAdd
• Setting NT Policies
• Setting Service Permissions
• Shutdown All NT Servers
• SID values - AD - round tripping and ADMT
• Synchronize password from NT Domain to Novell
• The NT extender functions in Active Directories
• Trouble determining admin rights
• Trusting Domain List
• Unlock Account with wntUserSetDat
• User Login and Log out Information
• User Profile Last Logon
• Win 2000 AutoAdminLogon
• wntAccess... and Specifying Remote Drives
• WntAccessAdd and Change Modify Registry
• wntAccessAdd and Inherited Rights
• WntAccessAdd and Inheritence
• wntAccessAdd and Invalid User - Group
• wntAccessAdd and NTFS
• WntAccessAdd error 546 Invalid file directory name
• wntAccessAdd Inheritable Permissions
• wntAccessAdd Problem on NT 4
• wntAccessAdd Share Problem on Windows 7
• wntAccessAdd versus w95AccessAdd Tips
• wntAccessDel Error 599 Invalid Level
• wntAccessGet and Username Parameter
• WntAccessList DFS share
• wntAccessList Problem
• wntAccessMod Registry Issue
• wntAcctList Returns Incorrect Flag Values
• wntAcctPolSet Error
• wntAddDrive and Unicode
• WntAddDrive launches an Explorer window
• wntAddPrinter after WntRunAsUser
• wntauditadd and inheritance
• wntAuditAdd and MS Patch
• WntCancelCon Error 511 Device in Use
• wntChgPswd 562 Invalid User Name
• wntChgPswd and Error 586
• wntChgPswd and Error 589 Error Changing Password
• wntChgPswd and Error 677
• wntChgPswd behavior different between W2K and NT4
• wntCurrUsers Behavior
• wntDomainSync Error 695
• wntEventLog Problem
• wntGetCon Error 509 Network component is Not Started or Invalid
• wntMemberDel- error 571
• wntMemberGrps returns 0 on DC running AD
• wntMemberGrps wntMemberSet - 562 invalid user name
• wntMemberList Behavior
• wntMemberList Error 522
• wntMemberList Problems
• wntOwnerGet - wntOwnerSet Tips
• wntOwnerSet Error 547
• wntRemoteTime and 530 Access Denied Error
• wntRemoteTime and Daylight Savings Time
• wntRunAsUser -- Security Side Effects
• wntRunAsUser 713 Unable to Set Window Station Access
• wntRunAsUser and Act as Part of OS Clarification
• wntRunAsUser and Called Scripts
• wntRunAsUser and Debugging Problem
• wntRunAsUser and No Permission on Local Machine
• wntRunAsUser Discussion in French
• wntRunAsUser Error 637
• wntRunAsUser Error 638
• wntRunAsUser Function - 1
• wntRunAsUser Function - 2
• wntRunAsUser Function - 3
• wntRunAsUser Function Used Twice in Script
• wntRunAsUser RunWithLogon Security Context
• wntRunAsUser to AutoAdminLogon after Reboot
• wntRunAsUser Windowstation and Desktop Permissions on WinXP
• wntServerList and wntServiceAt
• wntServerType
• wntShutDown Error 694
• wntUser... and Update User Accounts
• wntUserAdd Adding a Domain User
• wntUserAdd Bug
• WntUserAddDat and Max_storage
• wntUserGetDat 524 Unable to Access Specified Server
• wntUserGetDat and Logon_hours Flag
• wntUserSetDat and Logon Hours
• wNTUserXXXDat Function and Flags
• wxxUserGetDat and Last Logon Date

Can't find the information you are looking for here? Then leave a message over on our WinBatch Tech Support Forum.

wntRunAsUser Windowstation and Desktop Permissions on WinXP

---

FYI - We ran across something on the Usenet that directly affects how the permissions are set on windowstations & desktops and which can have a major impact on WinBatch scripts in certain situations. Here's the summary of the problem:

There is a limit to the size of the DACL, or perhaps to the SD in general, for windowstations & desktops on the NT platform family. This limit is 2 KB in size. If the size of the DACL grows too large then the DACL gets corrupted. The DACL of the windowstation "winsta0" and the desktop "winsta0\default" will be modified any time that a user logs on to the system or logs off the system. The modification involves adding or removing ACEs in the DACL that grant the logon session SID for the interactive session to have access to the windowstation & desktop.

So far, all of this is very common and there's nothing tricky.

Now, when the wntRunAsUser() function is called to create a primary access token to perform impersonation in an interactive session, this same sort of DACL manipulation is performed in the extender. The same sort of thing happens when the "Run As..." functionalilty is used in Win2K/XP, and the actual work is done via the CreateProcessWithLogon() Win32 API function. This same API function is used by the RunWithLogon() function in WinBatch.

The tricky part is now here.... On WinXP, the WINLOGON.EXE program has been modified so that it now completely resets the DACL on the windowstation & desktop at the time an interactive session starts and when the interactive session ends. The goal is to keep the DACL & SD from getting to large, which happens when they are polluted with ACEs that are no longer needed and which have not been properly cleaned up by the applications that created them in the first place.

The net result of this change in behavior is that if any impersonation is being done by a service that interacts with the desktop then the ACEs that were placed in the DACL for the impersonation logon session SID [or for any other SID] will be stripped from the DACL. This, in turn, can result in loss of access to the windowstation & desktop by the process that is currently impersonating another user.

In practice, We don't know how often this problem will occur. The thread of discussion that We found involved 3 different people in Germany all encountering the same problem at the same time, with each of them working for different companies. All of them had software that ran as native services and which performed impersonation while needing to interact with the desktop. It may just be a funny coincidence, but none the less it has happened and thus there was a discussion about it on Usenet.

The recommended solution is to set up a separate thread that sits & waits for a special event to be signaled with happens whenever the active desktop changes. Since a logon results in changing from "winsta0\winlogon" to "winstat0\default", and a logout reverses the process, it is possible to use the signaling of this event as a means of determining that it is necessary to re-apply your customized ACEs in the DACL of the windowstation & desktop.

There seems to be an increasing # of scripts being run as native NT services so I'm thinking that sometime soon we should see the symptoms of this problem mentioned.

As it pertains to the NT extender, We are considering implementing the "fix" that allows for the desktop change to be noticed and handled appropriately. There's already some code in the NT extender that handles special-purpose multi-threaded tasks anyway, so that could be expanded upon to enhance the wntRunAsUser() function so that it detects active desktop changes and re-applies the ACEs to the DACL of the windowstation & desktop as necessary on WinXP systems.

---

Article ID:   W16533

File Created: 2005:02:18:12:21:18

Last Updated: 2005:02:18:12:21:18