Xtreme .Net Talk

Posted

I'm trying to write a program for work; because of our security policies it will need to run as a domain administrator. I plan to take the token created here and use it to start a new process that will run the 'main' program that needs the administrator privileges. The username and password I type are valid and are domain admins, but I always get ERROR_PRIVILEGE_NOT_HELD no matter which dwLogonType I use... keeping in mind that LOGON32_LOGON_NETWORK doesn't require the SE_TCB_NAME privilege (so I shouldn't get that error!). What am I doing wrong? I've never had to enumerate a token, adjust a token, or pretty much work with tokens in the past and I'm getting quite frustrated with the whole process. MSDN has resulted in nothing but more frustration. FYI, this program will run on NT4 and 2000 computers. Somebody who knows this stuff please help!

Code (snippets):

// LogonUser lives in advapi32.dll; SetLastError lets the marshaller capture the failure code
[DllImport("advapi32.dll", SetLastError = true)]
static extern Int32 LogonUser (string lpszUsername, string lpszDomain, string lpszPassword, Int32 dwLogonType, Int32 dwLogonProvider, out IntPtr phToken);   // phToken is a PHANDLE (the API writes the handle back), so it is an out parameter, not an Int32 passed by value

[DllImport("kernel32.dll", SetLastError = true)]
static extern Int32 CloseHandle (IntPtr hObject);

const Int32 LOGON32_LOGON_INTERACTIVE = 2;
const Int32 LOGON32_LOGON_NETWORK = 3;
const Int32 LOGON32_LOGON_BATCH = 4;
const Int32 LOGON32_LOGON_SERVICE = 5;
const Int32 LOGON32_PROVIDER_DEFAULT = 0;

........................

in Main():

IntPtr pUser;
ret = LogonUser("username", "domainname", "apwd", LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out pUser);
if (ret == 0)
    // read the error through the marshaller; a P/Invoked GetLastError() can return a value the runtime already overwrote
    Console.WriteLine("LogonUser Failed! with error {0}", Marshal.GetLastWin32Error());
else
    ret = CloseHandle(pUser);   // only a token that was actually returned needs closing
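A corrected version of the LogonUser call from the post above, added here as an example and not code from the original thread: it marshals phToken as an out parameter, reads the failure code with Marshal.GetLastWin32Error, and uses the returned token for a thread-level impersonation check. The credentials and the class name are placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
class LogonUserDemo
{
    // Values from winbase.h and winerror.h.
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_LOGON_NETWORK = 3;       // yields an impersonation token, not a primary one
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_PRIVILEGE_NOT_HELD = 1314;

    // phToken is a PHANDLE: the API writes the new handle to the address it is given,
    // so the parameter must be "out IntPtr", not an Int32 passed by value.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Returns the token, or throws a Win32Exception carrying the system's error text.
    static IntPtr Logon(string user, string domain, string password, int logonType)
    {
        IntPtr token;
        if (LogonUser(user, domain, password, logonType, LOGON32_PROVIDER_DEFAULT, out token))
            return token;
        // Read the error through the marshaller; a separate P/Invoke of GetLastError
        // may return a value the runtime has overwritten in between.
        int err = Marshal.GetLastWin32Error();
        if (err == ERROR_PRIVILEGE_NOT_HELD)
            Console.Error.WriteLine("Calling process lacks SE_TCB_NAME ('Act as part of the operating system'), "
                + "which NT4 and 2000 require for LogonUser whatever the logon type.");
        throw new Win32Exception(err);
    }
    static void Main()
    {
        // Constructed placeholder credentials: a real tool prompts for them rather than hardcoding them.
        IntPtr token = Logon("username", "domainname", "apwd", LOGON32_LOGON_INTERACTIVE);
        try
        {
            // Impersonate on this thread to confirm the token is usable before it is handed to CreateProcessAsUser.
            WindowsImpersonationContext ctx = new WindowsIdentity(token).Impersonate();
            Console.WriteLine("Now running as " + WindowsIdentity.GetCurrent().Name);
            ctx.Undo();
        }
        finally { CloseHandle(token); }   // release the token handle on every path
    }
}
```

Granting "Act as part of the operating system" to the account that runs this tool is a very broad right, so keep that account separate from everyday logons and audit its use. A LOGON32_LOGON_NETWORK token is an impersonation token and must be duplicated to a primary token (DuplicateTokenEx) before CreateProcessAsUser will accept it.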

Posted

Have you attempted to run the program using the Windows RunAs Service? Try that to see if the operation is allowed in the first place.

Right-click the program shortcut | Select "Properties" | Check "Run as different user" | Launch shortcut

Also try your code using a less-privileged local user account to see if the issue is the result of domain-level security restrictions.

Posted
Yes, I should've mentioned earlier that I already tried both of those; I can do run as, and I have tried using a local (to the machine) account and nothing seems to work. I did research that my machine's effective settings do not allow anyone to run as service, batch, etc., so I disconnected from my network and rebooted (so the only effective settings were local settings, in which I had allowed my test user name to run as service, batch, etc.) and still got the same error. I know people do things like this all the time and I just can't seem to get it to work. Let me know if you can think of anything else. Thanks.