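/// <summary>
/// Grants <see cref="Privilege"/> to the first account listed in <see cref="User"/> on <see cref="MachineName"/>:
/// the account name is resolved to a SID with LookupAccountName, the LSA policy on the target machine is opened,
/// and the right is added with LsaAddAccountRights.
/// </summary>
/// <remarks>
/// Failures are reported through <c>Log.LogError</c> and the method returns; nothing is thrown.
/// The LSA calls return a status code (nonzero is failure here); LookupAccountName returns a BOOL-as-int (0 is failure).
/// The native status of the failing LSA call is what gets logged, so an access-denied or unreachable-machine
/// result can be told apart from a bad account name.
/// </remarks>
private void GrantUserPrivilege()
{
    // User is used as an array below (User[0].ItemSpec); an empty array would otherwise throw.
    if (this.User == null || this.User.Length == 0)
    {
        this.Log.LogError("User is required");
        return;
    }

    if (this.Privilege == null)
    {
        this.Log.LogError("Privilege is required");
        return;
    }

    string accountName = this.User[0].ItemSpec;
    this.LogTaskMessage(string.Format(CultureInfo.CurrentCulture, "Granting Privilege to User: {0} - {1}", accountName, this.Privilege));

    int sidSize = 0;
    IntPtr sid = IntPtr.Zero;
    int domainNameSize = 0;
    int use = 0;
    IntPtr policyHandle = IntPtr.Zero;
    try
    {
        // First call passes zero-length buffers so the native side reports the required SID and domain sizes;
        // its failure return is expected and deliberately ignored.
        StringBuilder domainName = new StringBuilder(this.Domain);
        ActiveDirectoryNativeMethods.LookupAccountName(this.MachineName, accountName, sid, ref sidSize, domainName, ref domainNameSize, ref use);

        domainName = new StringBuilder(domainNameSize);
        sid = Marshal.AllocHGlobal(sidSize);
        int lookupResult = ActiveDirectoryNativeMethods.LookupAccountName(this.MachineName, accountName, sid, ref sidSize, domainName, ref domainNameSize, ref use);
        if (lookupResult == 0)
        {
            // NOTE(review): the logged value is the BOOL result (always 0 on this path). The underlying Win32 error
            // would need Marshal.GetLastWin32Error() plus SetLastError=true on the P/Invoke declaration, which is not
            // visible from here — confirm before relying on it.
            this.Log.LogError(string.Format(CultureInfo.CurrentCulture, "Error looking up account name: {0}", lookupResult));
            return;
        }

        LSA_OBJECT_ATTRIBUTES objectAttributes = new LSA_OBJECT_ATTRIBUTES
        {
            Length = 0,
            RootDirectory = IntPtr.Zero,
            Attributes = 0,
            SecurityDescriptor = IntPtr.Zero,
            SecurityQualityOfService = IntPtr.Zero
        };

        // NOTE(review): LsaAddAccountRights is documented to require POLICY_LOOKUP_NAMES (and POLICY_CREATE_ACCOUNT
        // when the account has no policy entry yet). Whether POLICY_CREATE_SECRET is sufficient, and whether the
        // narrower constants exist in ActiveDirectoryNativeMethods, is not visible here — confirm; least privilege
        // would prefer the narrower mask.
        LSA_UNICODE_STRING machineNameLsa = CreateLsaString(this.MachineName);
        uint status = ActiveDirectoryNativeMethods.LsaOpenPolicy(ref machineNameLsa, ref objectAttributes, ActiveDirectoryNativeMethods.POLICY_CREATE_SECRET, out policyHandle);
        if (status != 0)
        {
            // Log the LSA status itself (the previous code logged the unrelated LookupAccountName result here).
            this.Log.LogError(string.Format(CultureInfo.CurrentCulture, "Error running LsaOpenPolicy: {0}", status));
            return;
        }

        LSA_UNICODE_STRING privilegeString = CreateLsaString(this.Privilege);
        status = ActiveDirectoryNativeMethods.LsaAddAccountRights(policyHandle, sid, ref privilegeString, 1);
        if (status != 0)
        {
            this.Log.LogError(string.Format(CultureInfo.CurrentCulture, "Error running LsaAddAccountRights: {0}", status));
            return;
        }
    }
    finally
    {
        // Only close a handle that LsaOpenPolicy actually returned; the early-return paths leave it at zero.
        if (policyHandle != IntPtr.Zero)
        {
            ActiveDirectoryNativeMethods.LsaClose(policyHandle);
        }

        // FreeHGlobal(IntPtr.Zero) is a no-op, so this is safe when the SID buffer was never allocated.
        Marshal.FreeHGlobal(sid);
    }
}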
/// <summary>
/// P/Invoke signature for the LSA <c>LsaOpenPolicy</c> call: opens a handle to the security policy
/// of <paramref name="SystemName"/> with the requested <paramref name="DesiredAccess"/> mask.
/// The DllImport attribute that binds it is not visible in this view.
/// </summary>
/// <param name="SystemName">Target machine as an LSA_UNICODE_STRING (callers in this file build it with CreateLsaString).</param>
/// <param name="ObjectAttributes">Object attributes; callers in this file pass an all-zero structure.</param>
/// <param name="DesiredAccess">POLICY_* access mask; request the narrowest mask the subsequent calls need.</param>
/// <param name="PolicyHandle">Receives the policy handle; callers release it with LsaClose when it is nonzero.</param>
/// <returns>Status code; callers in this file treat any nonzero value as failure.</returns>
internal static extern uint LsaOpenPolicy(ref LSA_UNICODE_STRING SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, int DesiredAccess, out IntPtr PolicyHandle);
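/// <summary>
/// Grants <see cref="Privilege"/> to the first account listed in <see cref="User"/> on <see cref="MachineName"/>:
/// the account name is resolved to a SID with LookupAccountName, the LSA policy on the target machine is opened,
/// and the right is added with LsaAddAccountRights.
/// </summary>
/// <remarks>
/// Failures are reported through <c>Log.LogError</c> and the method returns; nothing is thrown.
/// The LSA calls return a status code (nonzero is failure here); LookupAccountName returns a BOOL-as-int (0 is failure).
/// The native status of the failing LSA call is what gets logged, so an access-denied or unreachable-machine
/// result can be told apart from a bad account name.
/// </remarks>
private void GrantUserPrivilege()
{
    // User is used as an array below (User[0].ItemSpec); an empty array would otherwise throw.
    if (this.User == null || this.User.Length == 0)
    {
        this.Log.LogError("User is required");
        return;
    }

    if (this.Privilege == null)
    {
        this.Log.LogError("Privilege is required");
        return;
    }

    string accountName = this.User[0].ItemSpec;
    this.LogTaskMessage(string.Format(CultureInfo.CurrentCulture, "Granting Privilege to User: {0} - {1}", accountName, this.Privilege));

    int sidSize = 0;
    IntPtr sid = IntPtr.Zero;
    int domainNameSize = 0;
    int use = 0;
    IntPtr policyHandle = IntPtr.Zero;
    try
    {
        // First call passes zero-length buffers so the native side reports the required SID and domain sizes;
        // its failure return is expected and deliberately ignored.
        StringBuilder domainName = new StringBuilder(this.Domain);
        ActiveDirectoryNativeMethods.LookupAccountName(this.MachineName, accountName, sid, ref sidSize, domainName, ref domainNameSize, ref use);

        domainName = new StringBuilder(domainNameSize);
        sid = Marshal.AllocHGlobal(sidSize);
        int lookupResult = ActiveDirectoryNativeMethods.LookupAccountName(this.MachineName, accountName, sid, ref sidSize, domainName, ref domainNameSize, ref use);
        if (lookupResult == 0)
        {
            // NOTE(review): the logged value is the BOOL result (always 0 on this path). The underlying Win32 error
            // would need Marshal.GetLastWin32Error() plus SetLastError=true on the P/Invoke declaration, which is not
            // visible from here — confirm before relying on it.
            this.Log.LogError(string.Format(CultureInfo.CurrentCulture, "Error looking up account name: {0}", lookupResult));
            return;
        }

        LSA_OBJECT_ATTRIBUTES objectAttributes = new LSA_OBJECT_ATTRIBUTES
        {
            Length = 0,
            RootDirectory = IntPtr.Zero,
            Attributes = 0,
            SecurityDescriptor = IntPtr.Zero,
            SecurityQualityOfService = IntPtr.Zero
        };

        // NOTE(review): LsaAddAccountRights is documented to require POLICY_LOOKUP_NAMES (and POLICY_CREATE_ACCOUNT
        // when the account has no policy entry yet). Whether POLICY_CREATE_SECRET is sufficient, and whether the
        // narrower constants exist in ActiveDirectoryNativeMethods, is not visible here — confirm; least privilege
        // would prefer the narrower mask.
        LSA_UNICODE_STRING machineNameLsa = CreateLsaString(this.MachineName);
        uint status = ActiveDirectoryNativeMethods.LsaOpenPolicy(ref machineNameLsa, ref objectAttributes, ActiveDirectoryNativeMethods.POLICY_CREATE_SECRET, out policyHandle);
        if (status != 0)
        {
            // Log the LSA status itself (the previous code logged the unrelated LookupAccountName result here).
            this.Log.LogError(string.Format(CultureInfo.CurrentCulture, "Error running LsaOpenPolicy: {0}", status));
            return;
        }

        LSA_UNICODE_STRING privilegeString = CreateLsaString(this.Privilege);
        status = ActiveDirectoryNativeMethods.LsaAddAccountRights(policyHandle, sid, ref privilegeString, 1);
        if (status != 0)
        {
            this.Log.LogError(string.Format(CultureInfo.CurrentCulture, "Error running LsaAddAccountRights: {0}", status));
        }
    }
    finally
    {
        // Only close a handle that LsaOpenPolicy actually returned; the early-return paths leave it at zero.
        if (policyHandle != IntPtr.Zero)
        {
            ActiveDirectoryNativeMethods.LsaClose(policyHandle);
        }

        // FreeHGlobal(IntPtr.Zero) is a no-op, so this is safe when the SID buffer was never allocated.
        Marshal.FreeHGlobal(sid);
    }
}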