开发者

Refresh current user profile

开发者 https://www.devze.com 2023-03-27 01:32 出处:网络
... I want to grant a user temporary administrator privileges via a c# tool. Therefore i add the user to the administrator user group (a background service running under a priviledged service account

... I want to grant a user temporary administrator privileges via a c# tool. Therefore i add the user to the administrator user group (a background service running under a priviledged service account does this job). However the changes take effect only in new sessions (after Logout/Re-Login) which is inconvenient. Is there a way to refresh the current user profile?

I tried several ways:

  • via .net Process.Start with the LoadUserProfile property set to true.
  • The next 开发者_如何转开发try was via the LoadUserProfile Win32 Api function.
  • Another way was to impersonate the user with .net Impersonation

All these tries did not recognize the privilege changes. It seems to me that there is a cached user profile which contains the old privileges and is reloaded anytime.

The only way where a new profile was loaded is the runas command, however we do not want the user to play around with the command line, it should be possible to do this from .net

Would be great if there is another option? Maybe there is a tool which can do this?


Ok, I relog-in the user and then I use the new Token in combination with e.g. CreateProcessAsUser to run a new process using the new token. Is there a way to assign the current windows environment the new token and therefore all actions the user performs in windows use this new token? Otherwise I could use some other tools like lsrunas to open a process in a new context and avoid the winapi calls.

From our perspective we trust the user (it is his private notebook), he can install the software he wants (for a temporary time), but we document each installation with our tool. We are running a service with local admin account in background which manages the group assignment and system documentation.


When logging on to Windows a security token is created, where all group memberships (including nested memberships) are resolved. The token contains a list of SIDs (Security Identifiers) that the user belongs to. The first SID is the user's own ID and then any groups and roles (such as interactive log on, everyone etc) are included. This means that group membership doesn not have to be looked up against the user DB - possibly an Active Directory Server - each time an access control is done. Instead the ACL (Access Control List) of the object (e.g. a file) is checked against the token.

To refresh the group membership you need to have a new token created. Either you can log out and then log in again as you describe it, or you have to do another login with LogonUser for the same user. That function is not accessible for normal user however.

I think that it all boils down to finding another design. Adding and removing a user from the admin group dynamically looks strange from a security perspective. Is there any other way you can give the user access to the resources needed? Can you do the actual work from within a Windows Service that runs under the LocalSystem account?

0

精彩评论

暂无评论...
验证码 换一张
取 消