Hi,
I want to impersonate another user in Windows. For example: I create a directory with permissions only for user A and for the administrators; when I log on as user B and run an .exe, I want to impersonate user A to have permission to edit/remove/insert in that specific directory. How can I do it?
I found this: http://msdn.microsoft.com/en-us/library/aa374731(VS.85).aspx
Thanks for the help!
Filipe Araújo
-
As a start, check out this article on Windows user impersonation:
http://www.codeproject.com/KB/system/UserImpersonation.aspx
It should give you a place to start. If you need more control you will need to look into Access Tokens.
kenny: I've done this and it works.
From QAZ
-
I've already been to that site and it didn't help, because what I want is to have the permissions of user A as user B. If you look at the article, it's more appropriate for creating an .exe that calls the logon/login window, so that "physically" you are user B, and that's not what I want. What I want is to run the .exe (created in VS2008 MFC C++) as user B and gain the permissions of user A, and within the .exe I can access the directories of user A.
Thanks.
Filipe Araújo
-
If you want access to the folders of User A and the folders of User B, then you just need to set up folder permissions in such a way that administrators have permissions to get into all the folders. Normally machine administrators already have those rights. I am assuming here that you are talking about normal Windows user accounts, and normal machine/domain administrator accounts.
If you want to become User A, it means you need User A's active permission to become that person. Impersonation is not simple (from what I have tried); you need to request access through your domain controller and negotiate that you are User B and that you have the rights to impersonate User A. Generally that is done by User A and User B sharing and negotiating Credential Handles and Security Contexts. I doubt this is the type of process you're looking to follow.
Some useful functions would include:
To set up the context, these are used, and data is passed backwards and forwards between User A and User B to negotiate the impersonation:
AcquireCredentialsHandle(), InitializeSecurityContext(), AcceptSecurityContext(), CompleteAuthToken()
Once the negotiations are complete and a security context has been created, these are used to start and stop the impersonation:
ImpersonateSecurityContext(), RevertContext()
I don't know of any other way to impersonate a user without the active participation of the user in question, or actively logging on as that user.
Hope this helps in some way.
From brianb