Can't impersonate a logged on user.

Ken Varn

I have an application that I wrote that is trying to impersonate another
user. The application is run under an account with Administrator rights,
but when it tries to make a call to impersonate another user, I get "A
required privilege is not held by the client." I have read a couple of
articles on this with Windows 2000. Some have suggested setting the user
account privilege for administrator to "Act as part of operating system."
Is this the only way to correct this problem in Windows 2000? I hate to
open the security settings up like this, so I was wondering if there were
any other options besides doing this.


--
-----------------------------------
Ken Varn
Senior Software Engineer
Diebold Inc.

EmailID = varnk
Domain = Diebold.com
-----------------------------------
 
Steven L Umbach

Hi Ken.

I am not a developer or programmer so I can not answer your question for
certain and maybe someone else will but take a look at the KB article below
on the user right for Impersonate a client after authentication that is
available in Windows 2000 SP4 which by default would include administrators
group but I don't know if you are using SP4 or if user rights have been
changed from default. Also try enabling auditing of privilege use for
failure in Local Security Policy and then look to see if there are failure
events for privilege use after you get the error message [user rights]
which may then tell you what user right is needed. You may need to reboot
the computer after changing the auditing settings in Local Security Policy
if the local and effective settings do not match on a non-domain
computer. --- Steve

http://support.microsoft.com/default.aspx?kbid=821546
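
An added example, not part of the thread and not Ken's code: a small C program that reports whether the current process token holds the two user rights discussed here, SeTcbPrivilege ("Act as part of the operating system") and SeImpersonatePrivilege ("Impersonate a client after authentication"), and whether each is enabled. The names `priv_state` and `load_token_privs` are hypothetical helpers; when built off Windows it falls back to a constructed sample token.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define ATTR_ENABLED 0x2u  /* same value as SE_PRIVILEGE_ENABLED */

struct priv { char name[64]; unsigned long attrs; };

/* Hypothetical helper: 0 = right not in token, 1 = held but disabled, 2 = held and enabled */
int priv_state(const struct priv *p, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(p[i].name, name) == 0)
            return (p[i].attrs & ATTR_ENABLED) ? 2 : 1;
    return 0;
}

#ifdef _WIN32
/* Hypothetical helper: copy the current process token's privileges into out[];
   returns the number of entries written (0 on failure). */
size_t load_token_privs(struct priv *out, size_t max) {
    HANDLE tok; DWORD buf[1024], len, i; size_t n = 0;
    TOKEN_PRIVILEGES *tp = (TOKEN_PRIVILEGES *)buf;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return 0;
    if (GetTokenInformation(tok, TokenPrivileges, buf, sizeof buf, &len))
        for (i = 0; i < tp->PrivilegeCount && n < max; i++) {
            DWORD cch = sizeof out[n].name;
            if (LookupPrivilegeNameA(NULL, &tp->Privileges[i].Luid, out[n].name, &cch))
                out[n++].attrs = tp->Privileges[i].Attributes;
        }
    CloseHandle(tok);
    return n;
}
#endif

int main(void) {
    /* Constructed sample, used only off Windows: a token without SeTcbPrivilege */
    struct priv p[64] = { {"SeImpersonatePrivilege", 0x3}, {"SeDebugPrivilege", 0x0} };
    size_t n = 2;
#ifdef _WIN32
    n = load_token_privs(p, 64);  /* on Windows, inspect the real token instead */
#endif
    const char *want[] = { "SeTcbPrivilege", "SeImpersonatePrivilege" };
    const char *txt[] = { "not held", "held, disabled", "held, enabled" };
    for (int i = 0; i < 2; i++)
        printf("%-24s %s\n", want[i], txt[priv_state(p, n, want[i])]);
    return 0;
}
```

Run it under the same account and logon session as the failing application, since user-right changes only appear in tokens created after the change.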
 
Ken Varn

Thanks for replying Steve.

I am using SP4 in Windows 2000 Pro.

I looked into this article, but it does not seem to be working. I am not
sure why. The article sure seems like it should work. I still get this
error when I try to impersonate. So far, the only way I can get it to work
is to have the Administrators group in the "Act as part of Operating System"
rights.

I enabled the audit checks and there are no failures reported. Very
strange.

--
-----------------------------------
Ken Varn
Senior Software Engineer
Diebold Inc.

EmailID = varnk
Domain = Diebold.com
-----------------------------------
 
Steven L Umbach

Hi Ken.

I wish I could help more but it is out of my area of expertise. Interesting
that no failures show for privilege use and make sure that the local and
effective settings show the same for auditing of privilege use in Local
Security Policy which may require a reboot. You might also want to post in
the Microsoft.public.platformsdk.security newsgroup and check back here
periodically as someone else may have an answer or point you in the right
direction. If you can not find Microsoft.public.platformsdk.security with
your current newsgroup server create a new account on your newsgroup program
[Outlook Express, etc] and use news.microsoft.com as the server. --- Steve


 
