LogonUser and remote change of password?
Posted by Sten Westerback on February 10th, 2004


Hi

I'm making a tool that would change the password on a remote
computer automatically. The problem now is that
NetUserChangePassword() fails with GetLastError() returning 2245
"The password you specified is not long enough". There are, however,
no such restrictions when changing the password manually.

It seems like the change succeeds randomly, so I thought it would
give the user a chance to enter other credentials. Thus I try this code:

if (!OpenProcessToken(GetCurrentProcess(), TOKEN_WRITE /* TOKEN_ADJUST_PRIVILEGES */, &htoken))
    return FALSE;
tp.PrivilegeCount=1;
tp.Privileges->Attributes=SE_PRIVILEGE_ENABLED;
if (!LookupPrivilegeValue(g_szPCname, SE_TCB_NAME, &tp.Privileges->Luid))
    return FALSE;
b=AdjustTokenPrivileges(htoken, FALSE, &tp, 0, NULL, NULL);
if (!LookupPrivilegeValue(g_szPCname, SE_CREATE_TOKEN_NAME, &tp.Privileges->Luid))
    return FALSE;
b=AdjustTokenPrivileges(htoken, FALSE, &tp, 0, NULL, NULL);
if (!LookupPrivilegeValue(g_szPCname, SE_ASSIGNPRIMARYTOKEN_NAME, &tp.Privileges->Luid))
    return FALSE;
b=AdjustTokenPrivileges(htoken, FALSE, &tp, 0, NULL, NULL);
if (!LookupPrivilegeValue(g_szPCname, SE_ENABLE_DELEGATION_NAME, &tp.Privileges->Luid))
    return FALSE;
b=AdjustTokenPrivileges(htoken, FALSE, &tp, 0, NULL, NULL);
if (!LookupPrivilegeValue(g_szPCname, SE_SECURITY_NAME, &tp.Privileges->Luid))
    return FALSE;
b=AdjustTokenPrivileges(htoken, FALSE, &tp, 0, NULL, NULL);

CloseHandle(htoken);
htoken=INVALID_HANDLE_VALUE;
if (!b) return FALSE;
if (LogonUser(g_szWebUser, "NOE", g_szWebPW,
              LOGON32_LOGON_NETWORK /* LOGON32_LOGON_INTERACTIVE */,
              LOGON32_PROVIDER_DEFAULT, &htoken))
{
    ImpersonateLoggedOnUser(htoken);
    return TRUE;
}
dw=GetLastError();

This code fails at the LogonUser() line, returning 1314
ERROR_PRIVILEGE_NOT_HELD.
Does this mean that I don't have the SE_TCB_NAME privilege?
I have also tried with NULL as the first parameter to
LookupPrivilegeValue().

Also, does NetUserChangePassword() really support both "computername"
and "\\\\computername" as the first parameter? The \\\\ -prefixed variant
can be found in the help output of the sample code but the API documentation
just talks about null-terminated Unicode string. Here is my current code:

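sprintf(sz, "\\\\%s", p_szPCname);
/* The last argument of MultiByteToWideChar is the buffer size in wide
   characters, not bytes, so divide sizeof() by the element size. */
MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, sz, -1, szPCname,
    sizeof(szPCname)/sizeof(szPCname[0]));
MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, g_szOldPW, -1, szOldPW,
    sizeof(szOldPW)/sizeof(szOldPW[0]));
MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, p_szPassword, -1, szNewPW,
    sizeof(szNewPW)/sizeof(szNewPW[0]));
nas=NetUserChangePassword(szPCname, L"SvcAccount", szOldPW, szNewPW);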

If you also know how to set the password without knowing the
old password (as the MMC plugin does), that would be great.

- Sten




Posted by Gernot Frisch on February 10th, 2004


I don't imply anything here, but this would be a nice feature for a
next generation virus, wouldn't it?

Imagine a virus that uses another bug and sends itself over IP
addresses, changing your password and leaving a service that spreads the
virus while you try to enter your password desperately...

-Gernot.



Posted by Sten Westerback on February 10th, 2004



"Gernot Frisch" <Me@Privacy.net> wrote in message
news:c0ancf$14ehs8$1@ID-37212.news.uni-berlin.de...
But that's what the credentials and token of the logged on user
are there for - to protect against misuse. Or do you imply that a
hacker wouldn't be able to force MMC to change the password
for him if (s)he gets the credentials of a member of the
Administrators group?

Any ideas on the problem at hand?

- Sten



Posted by Richard Ward on February 11th, 2004


Bunch of issues below. First, you don't get privileges by wishing.
You have to assign them through local policy first, and then try
to enable them. For example, no account is assigned SeCreateTokenPrivilege
by default. Second, read the documentation for AdjustTokenPrivileges
carefully.
http://msdn.microsoft.com/library/de...privileges.asp
You must check the value of GetLastError().

Third, LOGON32_LOGON_NETWORK does not preserve the
credentials for connection to another machine. So, your next call to
NetUserChangePassword would not do quite what you expected.
NetUserSetInfo() allows you to set a password administratively.

The root problem that you are describing is that the length of the
password does not meet the minimum length required. That is
enforced on a change, but not generally on a set (since set is
an administrative operation).

"Sten Westerback" <sten.westerback@NO_SPAMnokia.com> wrote in message
news:Il2Wb.9013$g4.184571@news2.nokia.com...
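
Added example, not part of the thread and not any poster's code: the AdjustTokenPrivileges check Richard Ward's reply calls for, where a TRUE return still has to be followed by GetLastError() to learn whether the privilege was actually enabled. The helper name enable_privilege is hypothetical, and the non-Windows branch holds constructed stand-ins (not the real API) so the logic can be compiled and exercised anywhere.

```c
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Constructed stand-ins (NOT the Windows API) so the logic below compiles and
   runs off Windows. They model a token that holds only SeChangeNotifyPrivilege
   and copy the documented behaviour: AdjustTokenPrivileges returns TRUE even
   when nothing was enabled and reports that through the last-error value. */
typedef int BOOL; typedef unsigned long DWORD; typedef void *HANDLE;
typedef struct { DWORD LowPart; long HighPart; } LUID;
typedef struct { LUID Luid; DWORD Attributes; } LUID_AND_ATTRIBUTES;
typedef struct { DWORD PrivilegeCount; LUID_AND_ATTRIBUTES Privileges[1]; } TOKEN_PRIVILEGES;
#define TRUE 1
#define FALSE 0
#define SE_PRIVILEGE_ENABLED 0x2UL
#define ERROR_SUCCESS 0UL
#define ERROR_NOT_ALL_ASSIGNED 1300UL
static DWORD g_last_error;
static DWORD GetLastError(void) { return g_last_error; }
static BOOL LookupPrivilegeValueA(const char *sys, const char *name, LUID *luid) {
    (void)sys; luid->HighPart = 0;   /* LUID values here are constructed */
    luid->LowPart = strcmp(name, "SeChangeNotifyPrivilege") == 0 ? 23 : 7;
    return TRUE;
}
static BOOL AdjustTokenPrivileges(HANDLE t, BOOL disable_all, TOKEN_PRIVILEGES *tp,
                                  DWORD len, void *prev, DWORD *ret_len) {
    (void)t; (void)disable_all; (void)len; (void)prev; (void)ret_len;
    g_last_error = tp->Privileges[0].Luid.LowPart == 23 ? ERROR_SUCCESS
                                                        : ERROR_NOT_ALL_ASSIGNED;
    return TRUE;
}
#endif

/* Enable one privilege on `token`. Returns ERROR_SUCCESS only if the privilege
   is now enabled, otherwise the Win32 error code (ERROR_NOT_ALL_ASSIGNED when
   the account was never granted the privilege through local policy). */
DWORD enable_privilege(HANDLE token, const char *name) {
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    /* The token is local, so the LUID is looked up on the local system (NULL). */
    if (!LookupPrivilegeValueA(NULL, name, &tp.Privileges[0].Luid))
        return GetLastError();
    if (!AdjustTokenPrivileges(token, FALSE, &tp, 0, NULL, NULL))
        return GetLastError();               /* the call itself failed */
    /* TRUE return: ERROR_SUCCESS, or ERROR_NOT_ALL_ASSIGNED if nothing changed. */
    return GetLastError();
}
```

On Windows, pass a token opened with TOKEN_ADJUST_PRIVILEGES and stop before calling LogonUser() if the result is not ERROR_SUCCESS.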


