cepacs, Posted November 10, 2008

I have a VB program that will change a specific user from a Power User to an Administrator so our support people can make necessary changes. The only problem is, the person needs to log off and back in for the change to take effect. I notice this too if the user is in the Admin group and I remove the user from that group, add them to power users. I have to log off for the change to take effect and that's using Microsoft's GUI.

I tried stopping and relaunching explorer.exe, but that didn't work. Any ideas how I can make the change take effect without logging off and back on?

Thanks!

cluberti, Posted November 10, 2008

Considering your security access token(s) is/are granted during logon (and during logon only), what you want to do is not possible. You need the user to log off and back on to get their security token(s) changes.

cepacs (Author), Posted November 11, 2008

> Considering your security access token(s) is/are granted during logon (and during logon only), what you want to do is not possible. You need the user to log off and back on to get their security token(s) changes.

Thanks for the info!

Tripredacus, Posted November 11, 2008

This isn't necessarily true. There are certain aspects of AD that will apply without a reboot. Perhaps it isn't supposed to do that, but some permissions do not require a reboot. An example would be to change a user into the Remote Desktop group without a logoff, it will allow the user to logon to Remote Desktop if previously disabled.

cluberti, Posted November 11, 2008

> This isn't necessarily true. There are certain aspects of AD that will apply without a reboot. Perhaps it isn't supposed to do that, but some permissions do not require a reboot. An example would be to change a user into the Remote Desktop group without a logoff, it will allow the user to logon to Remote Desktop if previously disabled.

Right - some group changes do not, but security access changes (RDP isn't a security ACL, it's a right) do.

cepacs (Author), Posted November 12, 2008

Ok, what about the code at the bottom of this link? This uses a function call AdjustTokenPrivileges(). This function seems to change the rights within the token and I'm guessing (the key word being 'guessing') without needing to log back in as the user. Here's my guess, I could use this function to give the right "Act as part of the operating system." From what I understand (and correct me if I'm wrong), this right gives complete control over the OS. Any thoughts on this idea?

http://www.tenouk.com/ModuleI2.html (code is at bottom of page)

cluberti, Posted November 12, 2008

AdjustTokenPrivileges

From MSDN:

> The AdjustTokenPrivileges function cannot add new privileges to the access token. It can only enable or disable the token's existing privileges. To determine the token's privileges, call the GetTokenInformation function.

cepacs (Author), Posted November 14, 2008

> AdjustTokenPrivileges
>
> From MSDN: The AdjustTokenPrivileges function cannot add new privileges to the access token. It can only enable or disable the token's existing privileges. To determine the token's privileges, call the GetTokenInformation function.

In the Users Rights Assignment, they are either given to a user or group, or not given. They cannot be enabled, disabled, or not set (like some security options can be). A user either has the assignment or does not have it. Therefore, if you had to be assigned that right first, then you would never be able to enable it. I'm guessing all the Users Rights Assignments listed are part of the token, whether disabled or enabled. Otherwise I don't think you would ever be able to enable a Users Rights Assignment.

Edited November 14, 2008 by cepacs

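The MSDN statement quoted in this thread can be checked against a live token. The PowerShell below is an added example, not code from any of the posts or from the linked page: it lists the privileges the current token holds, then calls AdjustTokenPrivileges for one privilege that is normally present and for SeTcbPrivilege ("Act as part of the operating system"). The `TokenDemo` class and its `TryEnable` method are names made up for this example.

```powershell
$src = @'
using System;
using System.Runtime.InteropServices;
public static class TokenDemo {   // hypothetical helper name, for this example only
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint Low; public int High; }
    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_PRIVILEGES { public uint Count; public LUID Luid; public uint Attributes; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);

    // Returns the Win32 error code: 0 = enabled, 1300 = ERROR_NOT_ALL_ASSIGNED.
    public static int TryEnable(string privilege) {
        IntPtr token; LUID luid;
        if (!OpenProcessToken(GetCurrentProcess(), 0x28, out token)) // ADJUST_PRIVILEGES|QUERY
            return Marshal.GetLastWin32Error();
        try {
            if (!LookupPrivilegeValue(null, privilege, out luid))
                return Marshal.GetLastWin32Error();
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
            tp.Count = 1; tp.Luid = luid; tp.Attributes = 2;   // SE_PRIVILEGE_ENABLED
            // The call returns TRUE even when nothing was adjusted; the last error tells.
            AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
            return Marshal.GetLastWin32Error();
        } finally { CloseHandle(token); }
    }
}
'@
Add-Type -TypeDefinition $src

# Privileges held by the current logon token (/nh drops the localized header row).
$held = whoami /priv /fo csv /nh | ConvertFrom-Csv -Header Name, Description, State
$held | Format-Table Name, State -AutoSize

foreach ($p in 'SeChangeNotifyPrivilege', 'SeTcbPrivilege') {
    $err = [TokenDemo]::TryEnable($p)
    $msg = switch ($err) {
        0       { 'enabled: privilege was already in the token' }
        1300    { 'ERROR_NOT_ALL_ASSIGNED: privilege is not in the token' }
        default { "Win32 error $err" }
    }
    '{0,-24} held={1,-5} {2}' -f $p, ($held.Name -contains $p), $msg
}
```

A result of 1300 means the privilege would first have to be granted through User Rights Assignment and picked up by a new logon before AdjustTokenPrivileges could enable it.
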