Hi all,

I need to list all the privileges (and if they are enabled/disabled)
for a specific user.
I checked MSDN but I don't manage to make it work.
Can anyone help me out please ?
Maybe someone has an example (VB, C++, ...) ?

Thanks,
Marc.

RE: Enumerating the current user's privileges (GetTokenInformation API by chris

chris
Thu Dec 23 09:53:02 CST 2004

When you say list all the privileges for a user, do you mean on the file
system or from a system/GPO perspective such as create page file, access this
computer from the network etc. There are lots of utilities out there that do
this such as Xcacls, NTrights, accessenum etc. The resource kit has some
good ones, as does sysinternals. and sysinternals will also provide the
source code

"Schmidtmayer Marc" wrote:

> Hi all,
>
> I need to list all the privileges (and if they are enabled/disabled)
> for a specific user.
> I checked MSDN but I don't manage to make it work.
> Can anyone help me out please ?
> Maybe someone has an example (VB, C++, ...) ?
>
> Thanks,
> Marc.
>

Re: Enumerating the current user's privileges (GetTokenInformation API by marc

marc
Fri Dec 24 01:48:21 CST 2004


Chris Geier wrote:
> When you say list all the privileges for a user, do you mean on the file
> system or from a system/GPO perspective such as create page file, access this
> computer from the network etc. There are lots of utilities out there that do
> this such as Xcacls, NTrights, accessenum etc. The resource kit has some
> good ones, as does sysinternals. and sysinternals will also provide the
> source code
>
> "Schmidtmayer Marc" wrote:
>
> > Hi all,
> >
> > I need to list all the privileges (and if they are enabled/disabled)
> > for a specific user.
> > I checked MSDN but I don't manage to make it work.
> > Can anyone help me out please ?
> > Maybe someone has an example (VB, C++, ...) ?
> >
> > Thanks,
> > Marc.
> >


Re: Enumerating the current user's privileges (GetTokenInformation API by marc

marc
Fri Dec 24 01:49:22 CST 2004


Well, I've written an application which manages users and uses an OCX
to set rights on folders and shares.
But I've a problem : all works fine when it runs under the context of
user 's_admin' (which is an administrator with all possible rights) but
not under the which is dedicated/created for doing this.
I get the following error : "A required privilege is not held by the
client".
I looked at the problem here with the sysadmin but we can't find the
problem.
That's why I like to list the privileges at runtime for both users.
That way, I hope to see which privilege causes the problem ...
Thanks !
Marc.


Re: Enumerating the current user's privileges (GetTokenInformation API by Ivan

Ivan
Fri Dec 24 12:58:17 CST 2004

Once you have a Token to a security principal,
you can use GetTokenInformation(TokenPrivileges) to check which privileges
are present in the Token and which ones are enabled.

As far as debugging your problem goes,
you should narrow down the API that fails with Privilege-Not-Held.
Then, the documentation of that API should tell which privilege is required
to carry on the task.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


<marc.schmidtmayer@gb.be> wrote in message
news:1103874562.089025.183400@z14g2000cwz.googlegroups.com...
>
> Well, I've written an application which manages users and uses an OCX
> to set rights on folders and shares.
> But I've a problem : all works fine when it runs under the context of
> user 's_admin' (which is an administrator with all possible rights) but
> not under the which is dedicated/created for doing this.
> I get the following error : "A required privilege is not held by the
> client".
> I looked at the problem here with the sysadmin but we can't find the
> problem.
> That's why I like to list the privileges at runtime for both users.
> That way, I hope to see which privilege causes the problem ...
> Thanks !
> Marc.
>



Re: Enumerating the current user's privileges (GetTokenInformation by Joe

Joe
Sun Jun 18 08:37:23 CDT 2006

In general you will find more folks will help out if you post the
briefest snippet of code you have that demonstrates the issue you are
having with it.

Also make sure you check the platform SDK (offline and online) for code
examples.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



Schmidtmayer Marc wrote:
> Hi all,
>
> I need to list all the privileges (and if they are enabled/disabled)
> for a specific user.
> I checked MSDN but I don't manage to make it work.
> Can anyone help me out please ?
> Maybe someone has an example (VB, C++, ...) ?
>
> Thanks,
> Marc.

Re: Enumerating the current user's privileges (GetTokenInformation by Grzegorz Wróbel

Grzegorz Wróbel
Mon Jun 19 02:25:31 CDT 2006

1. He doesn't have any code snippet to show, he asked for it.
2. This thread has been started in 2004, where did you dig out the original message from?

Joe Richards [MVP] wrote:

> In general you will find more folks will help out if you post the
> briefest snippet of code you have that demonstrates the issue you are
> having with it.
>
> Also make sure you check the platform SDK (offline and online) for code
> examples.
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> Author of O'Reilly Active Directory Third Edition
> www.joeware.net
>
>
> ---O'Reilly Active Directory Third Edition now available---
>
> http://www.joeware.net/win/ad3e.htm
>
>
>
> Schmidtmayer Marc wrote:
>
>> Hi all,
>>
>> I need to list all the privileges (and if they are enabled/disabled)
>> for a specific user.
>> I checked MSDN but I don't manage to make it work.
>> Can anyone help me out please ?
>> Maybe someone has an example (VB, C++, ...) ?
>>
>> Thanks,
>> Marc.

--
677265676F727940346E6575726F6E732E636F6D

Re: Enumerating the current user's privileges (GetTokenInformation API) by Frank

Frank
Mon Jun 19 06:45:29 CDT 2006

"Grzegorz Wróbel" </dev/null@localhost.localdomain> wrote in message
news:e75iot$1lg$1@nemesis.news.tpi.pl...
> 1. He doesn't have any code snippet to show, he asked for it.
> 2. This thread has been started in 2004, where did you dig out the
> original message from?


Marc's post is dated 2006 and does not have a references header.
So he just happened to use a title someone used in 2004. So what?

--
Frank Saunders, MS-MVP OE/WM
Reply in newsgroup
"They who would give up an essential liberty for temporary security, deserve
neither liberty or security"



Re: Enumerating the current user's privileges (GetTokenInformation by Grzegorz Wróbel

Grzegorz Wróbel
Mon Jun 19 07:50:49 CDT 2006

Frank Saunders, MS-MVP OE wrote:

> "Grzegorz Wróbel" </dev/null@localhost.localdomain> wrote in message
> news:e75iot$1lg$1@nemesis.news.tpi.pl...
>
>> 1. He doesn't have any code snippet to show, he asked for it.
>> 2. This thread has been started in 2004, where did you dig out the
>> original message from?
>
>
>
> Marc's post is dated 2006 and does not have a references header.
> So he just happened to use a title someone used in 2004. So what?
>

I haven't found Marc's post on my newsserver at all, only your reply. Searching the google groups I found it with the date of December 2004 and it has exactly the same body as the one you have quoted. Also, according to google, he got 5 replies in 2004. Your reply is the 6th one and is the first one dated 2006.

http://groups.google.com/group/microsoft.public.platformsdk.security/browse_thread/thread/7b8e5644c72b4206/64e40be2be63996d?lnk=st&q=Enumerating+the+current+user's+privileges+(GetTokenInformation+++API)&rnum=1&hl=en

--
677265676F727940346E6575726F6E732E636F6D

Re: Enumerating the current user's privileges (GetTokenInformation by Grzegorz Wróbel

Grzegorz Wróbel
Mon Jun 19 07:58:22 CDT 2006

I'm sorry Frank, where I referred to you in my last post I meant Joe of course.
--
677265676F727940346E6575726F6E732E636F6D

Re: Enumerating the current user's privileges (GetTokenInformation by Grzegorz Wróbel

Grzegorz Wróbel
Mon Jun 19 08:32:44 CDT 2006

Pasted from Google
>Well, I've written an application which manages users and uses an OCX
>to set rights on folders and shares.
>But I've a problem : all works fine when it runs under the context of
>user 's_admin' (which is an administrator with all possible rights) but
>not under the which is dedicated/created for doing this.
>I get the following error : "A required privilege is not held by the
>client".
>I looked at the problem here with the sysadmin but we can't find the
>problem.
>That's why I like to list the privileges at runtime for both users.
>That way, I hope to see which privilege causes the problem ...
>Thanks !
>Marc.

Anyway, in case it is still actual (I'm really not sure) I wrote similar procedure some time ago for debugging purposes:

It's ugly because it draws messages directly to window DC (I was debugging winlogon screensaver!), but you can just replace wsprintf with printf and get rid of GDI function calls and variables:

    #include <windows.h>
    #include <string.h>

    /* Draws every privilege in the current process token as "name = Attributes"
       directly onto hDC. Uses char buffers, so it assumes an ANSI (non-UNICODE) build. */
    void ShowPrivileges(HDC hDC)
    {
        OSVERSIONINFO osinfo;
        HANDLE hToken;
        TOKEN_PRIVILEGES* ptkp = NULL;
        char mytext[512];
        char name[256];
        SIZE fontsize;
        DWORD length = 0;
        int x = GetSystemMetrics(SM_CXFULLSCREEN);

        osinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
        GetVersionEx(&osinfo);
        if (osinfo.dwPlatformId == VER_PLATFORM_WIN32_NT) {
            if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
                wsprintf(mytext, "OpenProcessToken() failed (error code = %u)", GetLastError());
                GetTextExtentPoint32(hDC, mytext, (int)strlen(mytext), &fontsize);
                TextOut(hDC, 600, 150, mytext, (int)strlen(mytext));
                return;
            }

            /* First call with no buffer only reports the size that is needed. */
            GetTokenInformation(hToken, TokenPrivileges, NULL, 0, &length);
            ptkp = (TOKEN_PRIVILEGES*) new char[length];
            if (GetTokenInformation(hToken, TokenPrivileges, ptkp, length, &length) == 0) {
                wsprintf(mytext, "GetTokenInformation() failed (error code = %u)", GetLastError());
                GetTextExtentPoint32(hDC, mytext, (int)strlen(mytext), &fontsize);
                TextOut(hDC, x - 250, 4 * fontsize.cy, mytext, (int)strlen(mytext));
            }
            else {
                for (DWORD i = 0; i < ptkp->PrivilegeCount; i++) {
                    length = sizeof(name);  /* in: buffer size, out: name length */
                    if (!LookupPrivilegeName(NULL, &(ptkp->Privileges[i].Luid), name, &length))
                        lstrcpy(name, "(unknown privilege)");
                    wsprintf(mytext, "%s = %u", name, ptkp->Privileges[i].Attributes);
                    GetTextExtentPoint32(hDC, mytext, (int)strlen(mytext), &fontsize);
                    TextOut(hDC, x - 250, 4 * fontsize.cy + (int)i * fontsize.cy, mytext, (int)strlen(mytext));
                }
            }
            delete[] (char*)ptkp;  /* release with the type it was allocated as */
            CloseHandle(hToken);   /* the token handle was never closed before */
        }
    }

Each displayed privilege is held and depending on the value it is:
0 - privilege not enabled
2 - privilege is enabled
3 - privilege is enabled by default (1+2)

Also you can get rid of TOKEN_ADJUST_PRIVILEGES flag in call to OpenProcessToken() if you're not going to adjust any.

--
677265676F727940346E6575726F6E732E636F6D
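
Added example, not part of the post above or of any code in this thread: Marc's stated goal was to compare the privileges of the working account and the failing one, so this takes two dumps in the "name = Attributes" form that ShowPrivileges produces and separates privileges the failing token lacks from ones it holds but has not enabled. Both dumps are constructed sample data, and PrivEntry, state_of, find, compare_tokens and the PRIV_* constants are names made up for this example (the two flag values are those of SE_PRIVILEGE_ENABLED_BY_DEFAULT and SE_PRIVILEGE_ENABLED in winnt.h).

```c
/* Added example (not from the thread). Flag values are copied from winnt.h so
   the comparison logic compiles without the Windows SDK. */
#include <stdio.h>
#include <string.h>

#define PRIV_ENABLED_BY_DEFAULT 0x1u /* SE_PRIVILEGE_ENABLED_BY_DEFAULT */
#define PRIV_ENABLED            0x2u /* SE_PRIVILEGE_ENABLED */
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

typedef struct { const char *name; unsigned attrs; } PrivEntry;

/* Constructed sample dumps ("name = Attributes"), not real output. */
static const PrivEntry admin_dump[] = {
    {"SeChangeNotifyPrivilege", 3}, {"SeSecurityPrivilege", 0},
    {"SeTakeOwnershipPrivilege", 0}, {"SeRestorePrivilege", 2},
};
static const PrivEntry service_dump[] = {
    {"SeChangeNotifyPrivilege", 3}, {"SeRestorePrivilege", 0},
};

/* Decode the Attributes value printed next to each privilege name. */
static const char *state_of(unsigned attrs)
{
    if (!(attrs & PRIV_ENABLED))
        return "held, not enabled";
    return (attrs & PRIV_ENABLED_BY_DEFAULT) ? "enabled by default" : "enabled";
}

static const PrivEntry *find(const PrivEntry *list, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i].name, name) == 0)
            return &list[i];
    return NULL;
}

/* Walk the working account's privileges and report what the failing account
   lacks. Returns the number absent from the failing token; *disabled gets
   the number present in both but enabled only in the working one. */
static int compare_tokens(const PrivEntry *ok, size_t nok,
                          const PrivEntry *bad, size_t nbad, int *disabled)
{
    int missing = 0;
    *disabled = 0;
    for (size_t i = 0; i < nok; i++) {
        const PrivEntry *p = find(bad, nbad, ok[i].name);
        if (p == NULL) {
            printf("%-26s MISSING (working token: %s)\n",
                   ok[i].name, state_of(ok[i].attrs));
            missing++;
        } else if ((ok[i].attrs & PRIV_ENABLED) && !(p->attrs & PRIV_ENABLED)) {
            printf("%-26s held but not enabled\n", ok[i].name);
            (*disabled)++;
        }
    }
    return missing;
}

int main(void)
{
    int disabled;
    int missing = compare_tokens(admin_dump, COUNT(admin_dump),
                                 service_dump, COUNT(service_dump), &disabled);
    printf("%d missing, %d held but not enabled\n", missing, disabled);
    return 0;
}
```

A privilege reported as missing has to be granted to the account and only appears in tokens created at a later logon; one that is held but not enabled can be switched on with AdjustTokenPrivileges, which is what the TOKEN_ADJUST_PRIVILEGES access in the OpenProcessToken() call is for.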

Re: Enumerating the current user's privileges (GetTokenInformation API) by Alexander

Alexander
Mon Jun 19 09:43:27 CDT 2006

It seems that some misconfigured NNTP server reposts really old threads.

"Frank Saunders, MS-MVP OE" <franksaunders@mvps.org> wrote in message
news:%23VB5mY5kGHA.4596@TK2MSFTNGP02.phx.gbl...
> "Grzegorz Wróbel" </dev/null@localhost.localdomain> wrote in message
> news:e75iot$1lg$1@nemesis.news.tpi.pl...
>> 1. He doesn't have any code snippet to show, he asked for it.
>> 2. This thread has been started in 2004, where did you dig out the
>> original message from?
>
>
> Marc's post is dated 2006 and does not have a references header.
> So he just happened to use a title someone used in 2004. So what?
>
> --
> Frank Saunders, MS-MVP OE/WM
> Reply in newsgroup
> "They who would give up an essential liberty for temporary security,
> deserve neither liberty or security"
>
>



Re: Enumerating the current user's privileges (GetTokenInformation by Joe

Joe
Mon Jun 19 12:48:13 CDT 2006

1. Yes he does, he wrote "checked MSDN but I don't manage to make it
work.". Obviously he has tried something. I am simply asking what did he
try and how did it fail. The failure could be in all sorts of areas,
some of which have nothing to do with the actual API call itself.
Posting a snippet that is condensed down to the issue point helps
illuminate the capability of the poster as well which can help ascertain
a problem.

2. It is listed on news.microsoft.com as brand new.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



Grzegorz Wróbel wrote:
> 1. He doesn't have any code snippet to show, he asked for it.
> 2. This thread has been started in 2004, where did you dig out the
> original message from?
>
> Joe Richards [MVP] wrote:
>
>> In general you will find more folks will help out if you post the
>> briefest snippet of code you have that demonstrates the issue you are
>> having with it.
>>
>> Also make sure you check the platform SDK (offline and online) for
>> code examples.
>>
>> --
>> Joe Richards Microsoft MVP Windows Server Directory Services
>> Author of O'Reilly Active Directory Third Edition
>> www.joeware.net
>>
>>
>> ---O'Reilly Active Directory Third Edition now available---
>>
>> http://www.joeware.net/win/ad3e.htm
>>
>>
>>
>> Schmidtmayer Marc wrote:
>>
>>> Hi all,
>>>
>>> I need to list all the privileges (and if they are enabled/disabled)
>>> for a specific user.
>>> I checked MSDN but I don't manage to make it work.
>>> Can anyone help me out please ?
>>> Maybe someone has an example (VB, C++, ...) ?
>>>
>>> Thanks,
>>> Marc.
>

Re: Enumerating the current user's privileges (GetTokenInformation by Joe

Joe
Mon Jun 19 12:48:18 CDT 2006

It is on the Microsoft server which is about as authoritative as it gets
for the Microsoft newsgroups and shows a post date of 6/18/2005. There
were no responses listed.

Possibly I should scan every bit of the header and then google for every
post I intend to respond to to make sure that it isn't an old post that
has come back so as not to annoy you.

Hmm nah, I respond to thousands of posts and don't care all that much if
you get annoyed. I will have to depend on you to keep your chin up if I
happen to respond to something that the server shows as new that
actually isn't.



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



Grzegorz Wróbel wrote:
>
> I haven't found Marc's post on my newsserver at all, only your reply.
> Searching the google groups I found it with the date of December 2004
> and it has exactly the same body as the one you have quoted. Also,
> according to google, he got 5 replies in 2004. Your reply is the 6th one
> and is the first one dated 2006.
>
> http://groups.google.com/group/microsoft.public.platformsdk.security/browse_thread/thread/7b8e5644c72b4206/64e40be2be63996d?lnk=st&q=Enumerating+the+current+user's+privileges+(GetTokenInformation+++API)&rnum=1&hl=en
>
>

Re: Enumerating the current user's privileges (GetTokenInformation by Grzegorz Wróbel

Grzegorz Wróbel
Mon Jun 19 14:09:25 CDT 2006

I'm not reading this on microsoft newsgroup, nor do I get annoyed seeing your reply after 1.5 years. Surprised maybe.

Joe Richards [MVP] wrote:
> It is on the Microsoft server which is about as authoritative as it gets
> for the Microsoft newsgroups and shows a post date of 6/18/2005. There
> were no responses listed.
>
> Possibly I should scan every bit of the header and then google for every
> post I intend to respond to to make sure that it isn't an old post that
> has come back so as not to annoy you.
>
> Hmm nah, I respond to thousands of posts and don't care all that much if
> you get annoyed. I will have to depend on you to keep your chin up if I
> happen to respond to something that the server shows as new that
> actually isn't.
>
>
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> Author of O'Reilly Active Directory Third Edition
> www.joeware.net
>
>
> ---O'Reilly Active Directory Third Edition now available---
>
> http://www.joeware.net/win/ad3e.htm
>
>
>
> Grzegorz Wróbel wrote:
>
>>
>> I haven't found Marc's post on my newsserver at all, only your reply.
>> Searching the google groups I found it with the date of December 2004
>> and it has exactly the same body as the one you have quoted. Also,
>> according to google, he got 5 replies in 2004. Your reply is the 6th
>> one and is the first one dated 2006.
>>
>> http://groups.google.com/group/microsoft.public.platformsdk.security/browse_thread/thread/7b8e5644c72b4206/64e40be2be63996d?lnk=st&q=Enumerating+the+current+user's+privileges+(GetTokenInformation+++API)&rnum=1&hl=en
>>
>>

--
677265676F727940346E6575726F6E732E636F6D

Re: Enumerating the current user's privileges (GetTokenInformation by Bob

Bob
Mon Jun 19 14:17:45 CDT 2006

Joe Richards [MVP] wrote:
> It is on the Microsoft server which is about as authoritative as it gets
> for the Microsoft newsgroups and shows a post date of 6/18/2005. There
> were no responses listed.

some dumb software, apparently on NNTP-Posting-Host: 86.20.171.138
has been copying a few ancient threads back to msnews recently.
Recently, in this case, being Date: Sun, 18 Jun 2006 04:05:22 GMT

interestingly, it also inserts this unusual header:
X-Received-Date: Wed, 22 Dec 2004 12:33:04 GMT (newsbetxt1-gui.ntli.net)


I can't figure out where you got that *2005* date, but I guess it really doesn't matter.




Bob
--

Re: Enumerating the current user's privileges (GetTokenInformation by Joe

Joe
Mon Jun 19 15:46:41 CDT 2006

Ah I typoed, should have been 6/18/2006. Maybe wishful thinking to make
myself a year younger. :)

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



Bob O`Bob wrote:
> Joe Richards [MVP] wrote:
>> It is on the Microsoft server which is about as authoritative as it
>> gets for the Microsoft newsgroups and shows a post date of 6/18/2005.
>> There were no responses listed.
>
> some dumb software, apparently on NNTP-Posting-Host: 86.20.171.138
> has been copying a few ancient threads back to msnews recently.
> Recently, in this case, being Date: Sun, 18 Jun 2006 04:05:22 GMT
>
> interestingly, it also inserts this unusual header:
> X-Received-Date: Wed, 22 Dec 2004 12:33:04 GMT (newsbetxt1-gui.ntli.net)
>
>
> I can't figure out where you got that *2005* date, but I guess it really
> doesn't matter.
>
>
>
>
> Bob