Geek Answers Handbook

LsaEnumerateAccountRights always returns "File not found"

I call the Advapi32.dll function LsaEnumerateAccountRights that has a policy descriptor from LsaOpenPolicy and an account SID from LookupAccountName.

However, try as I could, I always return 0xC0000034, which after translating LsaNtStatusToWinError gives me: "Linked file not found."

It's not very good. My code handles this and continues to provide the SID of the SeServiceLogonRight account with LsaAddAccountRights, so I know that the policy descriptor and SID of the account are fine, as this can pop up if something goes wrong with one of them.

The end result is that the account has the right solution, so that overall the code works.

However, I use this as part of a custom MSI action, Install checks to see if the account has the right, and if not (or it fails, as indicated above), it grants the right and remembers that it did so in the installation state. If a rollback occurs and he adds the right, he removes it. We never delete it when uninstalling, as other applications can be installed using the same domain account as the services we use.

So the problem is that MSI is rolling back - it will always delete the right, because it always considers that it has been added. Therefore, a rights check using LsaEnumerateAccountRights is used for this, but I just can't get it to work.

Any idea - note that I'm using C # with the DllImport attribute to expose Win32 functions, and I'm not the best Win32 programmer in the world who was Unix before C #!

+3
security winapi
source share
4 answers

I also struggle with this, but just hacked it ...

In retrospect, I now see that there is a key in the msdn documentation: "The accounts returned by this function contain the specified privilege directly through the user account, and not as part of group membership."

See: link text

Get the policy descriptor from LsaOpenPolicy () and the SID of the account from LookupAccountName () exactly the same as you said.

If the username you entered was the name of the group ("Users", "Administrators", etc.), then LsaEnumerateAccountRights () works fine and lists all the rights for the group.

If you call him by the name of a user whose rights go exclusively from the groups of which he is a member, then he returns 0xc0000034 (= Windows 2 error - the system cannot find the specified "file"), which means (now we understand) "cannot find individually assigned additional rights. " It seems that the Windows Error 2 translation is all that "what you were looking for was not found."

Now ... If you have ntrights.exe, run it ... for example:

ntrights + r SeNetworkLogonRight -u MyUserName

Then, LsaEnumerateAccountRights () works fine, returns without errors, and lists a single SeNetworkLogonRight right.

+7
source share

I recently ran into this problem. In my testing with this problem, it seems that calling LookupAccountName returns the security principal, not the full SID. The actual error, apparently, is that the section inside the SID, where the user rights will be, either does not exist or is reduced to the right to enter the system.

Making a LookupAccountName call to the currently logged in user, and then trying LsaEnumerateAccountRights against this SID, only results in a user login rule. Although it is clear that there are many other rights. Attempting to retrieve users other than the registered user successfully returns the SID. However, this SID will not have any user rights.

I tested this without any domain systems of workgroups and member systems of domains of both administrators and ordinary users. A call to LookupAccountName on success always returns a SID that does not contain a full set of user rights.

I can only assume that if the full SID can be obtained from the security database, then LookupAccountName will correctly enumerate the rights.

+1
source share

I have the same problem too. Someone suggested I get the SID through WMI using this request:

SELECT * FROM Win32_Account WHERE domain = 'ntdomain' AND name = 'username'

I tried using ConvertStringSidToSid() to get the magic blob LsaEnumerateAccountRights() expected and ... the same error. "The system cannot find the specified file."

0
source share

I am facing the same problem because you are not assigning spefic privledge to the user, so the user password is not empty, if you add it to it, it will not work.

Call the same function with the group, you can see that everything is working correctly.

0
source share

More articles:


All Articles