How to change group membership without logging off


cepacs

I have a VB program that will change a specific user from a Power User to an Administrator so our support people can make necessary changes. The only problem is, the person needs to log off and back in for the change to take effect. I notice this too if the user is in the Admin group and I remove the user from that group, add them to power users. I have to log off for the change to take effect and that's using Microsoft's GUI.

I tried stopping and relaunching explorer.exe, but that didn't work. Any ideas how I can make the change take effect without logging off and back on?

Thanks!


Considering your security access token(s) is/are granted during logon (and during logon only), what you want to do is not possible. You need the user to log off and back on to get their security token(s) changed.


Considering your security access token(s) is/are granted during logon (and during logon only), what you want to do is not possible. You need the user to log off and back on to get their security token(s) changed.

Thanks for the info!


This isn't necessarily true. There are certain aspects of AD that will apply without a reboot. Perhaps it isn't supposed to do that, but some permissions do not require a reboot. An example would be to change a user into the Remote Desktop group without a logoff; it will allow the user to log on to Remote Desktop if previously disabled.


This isn't necessarily true. There are certain aspects of AD that will apply without a reboot. Perhaps it isn't supposed to do that, but some permissions do not require a reboot. An example would be to change a user into the Remote Desktop group without a logoff; it will allow the user to log on to Remote Desktop if previously disabled.

Right - some group changes do not, but security access changes (RDP isn't a security ACL, it's a right) do.


Ok, what about the code at the bottom of this link? This uses a function call AdjustTokenPrivileges(). This function seems to change the rights within the token and I'm guessing (the key word being 'guessing') without needing to log back in as the user. Here's my guess, I could use this function to give the right "Act as part of the operating system." From what I understand (and correct me if I'm wrong), this right gives complete control over the OS. Any thoughts on this idea?

http://www.tenouk.com/ModuleI2.html (code is at bottom of page)


AdjustTokenPrivileges

From MSDN:

The AdjustTokenPrivileges function cannot add new privileges to the access token. It can only enable or disable the token's existing privileges. To determine the token's privileges, call the GetTokenInformation function.

In the Users Rights Assignment, they are either given to a user or group, or not given. They cannot be enabled, disabled, or not set (like some security options can be). A user either has the assignment or does not have it. Therefore, if you had to be assigned that right first, then you would never be able to enable it. I'm guessing all the Users Rights Assignments listed are part of the token, whether disabled or enabled. Otherwise I don't think you would ever be able to enable a Users Rights Assignment.

Edited by cepacs
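
Added example, not part of any post in this thread: a PowerShell check that compares the groups held in the current process's access token (built at logon) with the machine's current local group membership, so a support tool can tell whether a group change is still waiting on a new logon. It assumes Windows PowerShell 5.1 or later for `Get-LocalGroupMember`; the function name `Get-PendingGroupChange` and the choice of the two groups checked are illustrative.

```powershell
# Added example. Well-known SIDs of the two local groups discussed in the thread.
$wellKnown = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-547' = 'Power Users'
}

function Get-PendingGroupChange {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $userSid   = $identity.User.Value
    # .Groups lists only enabled groups. Deny-only entries (for example
    # Administrators in a non-elevated UAC token) are omitted, so a mismatch
    # there can also mean "not elevated" rather than "stale token".
    $tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

    foreach ($sid in $wellKnown.Keys) {
        # Current membership as stored on the machine. Direct members only:
        # membership gained through a group joined after logon is not resolved.
        $members = @(Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue |
                     ForEach-Object { $_.SID.Value })
        $isMember = ($members -contains $userSid) -or
                    [bool]($members | Where-Object { $tokenSids -contains $_ })
        $inToken  = $tokenSids -contains $sid

        [pscustomobject]@{
            Group     = $wellKnown[$sid]
            MemberNow = $isMember   # what the group database says now
            InToken   = $inToken    # what this logon session actually carries
            Mismatch  = ($isMember -ne $inToken)
        }
    }
}

Get-PendingGroupChange | Format-Table -AutoSize

# Privileges held by the token, each marked Enabled or Disabled.
# AdjustTokenPrivileges can only toggle entries already in this list.
whoami /priv
```

A row with `Mismatch` set to `True` in a session that is not UAC-filtered means the membership was changed after this token was issued.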