UserMgr plug-in: Difference between revisions

From NSIS Wiki
Jump to navigationJump to search
No edit summary
(added new File, ValidatePassword, GrouID lookup if in [])
 
(17 intermediate revisions by 7 users not shown)
Line 3: Line 3:
== Links ==
== Links ==
<attach>UserMgr.zip</attach>
<attach>UserMgr.zip</attach>
<attach>UserMgr (2021).zip</attach>


Find the original plugin of the author (15.8.2006) at http://www.meinberg.de/download/utils/UserMgr.zip
Find the original plugin of the author (15.8.2006) at http://www.meinberg.de/download/utils/UserMgr.zip


[http://forums.winamp.com/showthread.php?s=&threadid=209086 UserMgr thread on NSIS Discussion forum]
[http://forums.winamp.com/showthread.php?s=&threadid=209086 UserMgr thread on NSIS Discussion forum OLD]
 
[http://forums.winamp.com/showthread.php?s=&threadid=302322 UserMgr thread on NSIS Discussion forum]


== Description ==
== Description ==
Line 13: Line 16:
In order to get this functionality, I used the UserInfo plugin as a starter and created a number of functions dealing with user accounts, privileges and groups.  
In order to get this functionality, I used the UserInfo plugin as a starter and created a number of functions dealing with user accounts, privileges and groups.  


'''Please note: This plugin and its functions are only useful for Windows NT/2K/XP target systems.'''<br>
"'Please note: This plugin and its functions are only useful for Windows NT/2K/XP target systems."'<br>
You should check the type of system in your installer script before trying to call one of the functions of this DLL. I did not test what happens when someone tries to use UserMgr on a Win95/Win98 system.
You should check the type of system in your installer script before trying to call one of the functions of this DLL. I did not test what happens when someone tries to use UserMgr on a Win95/Win98 system.


Line 19: Line 22:


You can reach me via PM, my forum account is hgerstung, so do not hesitate to contact me if you are experiencing difficulties.
You can reach me via PM, my forum account is hgerstung, so do not hesitate to contact me if you are experiencing difficulties.
'''Please note: NSIS v2.42 or higher is required for this plugin to run properly.'''


== Known Issues ==
== Known Issues ==
Line 24: Line 29:
: Untested on Windows 9x; structure is different, so probably not going to work.
: Untested on Windows 9x; structure is different, so probably not going to work.


: Any help in resolving these issues ([http://forums.winamp.com/member.php?&action=getinfo&userid=165633 submitting a patch], etc) is appreciated.
; Windows NT4 support
: Plug-in does not work because ConvertSidToStringSid and ConvertStringSidToSid are unavailable!
 
Any help in resolving these issues ([http://forums.winamp.com/member.php?&action=getinfo&userid=165633 submitting a patch], etc) is appreciated.




Line 30: Line 38:
Here's a list of functions the DLL exports including the necessary parameters.  
Here's a list of functions the DLL exports including the necessary parameters.  


; UserMgr<nowiki>::</nowiki>CreateAccount ''USERID PASSWORD COMMENT''
; UserMgr<nowiki>::</nowiki>CreateAccount "USERID" "PASSWORD" "COMMENT"
: creates a new user account, returns status string
: creates a new user account, returns status string


; UserMgr<nowiki>::</nowiki>CreateAccountEx ''USERID PASSWORD COMMENT FULLNAME USERCOMMENT FLAGS''
; UserMgr<nowiki>::</nowiki>CreateAccountEx "USERID" "PASSWORD" "COMMENT" "FULLNAME" "USERCOMMENT" "FLAGS"
: creates a new user account, including the Fullname (Shown in the Welcome screen), returns status string
: creates a new user account, including the Fullname (Shown in the Welcome screen), returns status string


:  where ''FLAGS'' can be one of the following:
:  where "FLAGS" can be one or more of the following, seperated by '|':
:; UF_ACCOUNTDISABLE
:; UF_ACCOUNTDISABLE
:: The user's account is disabled.
:: The user's account is disabled.
Line 49: Line 57:
:: The password will never expire on the account.
:: The password will never expire on the account.


; UserMgr<nowiki>::</nowiki>BuiltAccountEnv "USERID PASSWORD"
; UserMgr<nowiki>::</nowiki>GetCurrentUserName
: returns the username of the currently logged in user
 
; UserMgr<nowiki>::</nowiki>GetCurrentDomain
: returns the domainname of the currently logged in user
 
; UserMgr<nowiki>::</nowiki>BuiltAccountEnv "USERID" "PASSWORD"
: builds the User environment of the user (Registry hive, Documents and settings etc.), returns status string
: builds the User environment of the user (Registry hive, Documents and settings etc.), returns status string


Line 58: Line 72:
: unloads the User Registry hive, returns status string
: unloads the User Registry hive, returns status string


; UserMgr<nowiki>::</nowiki>DeleteAccount ''USERID''
; UserMgr<nowiki>::</nowiki>DeleteAccount "USERID"
: deletes a user account, returns status string
: deletes a user account, returns status string


; UserMgr<nowiki>::</nowiki>AddToGroup ''USERID GROUPID''
; UserMgr<nowiki>::</nowiki>AddToGroup "USERID" "GROUPID"
: adds a user to a group, returns status string
: adds a user to a group, returns status string


; UserMgr<nowiki>::</nowiki>RemoveFromGroup ''USERID GROUPID''
; UserMgr<nowiki>::</nowiki>RemoveFromGroup "USERID" "GROUPID"
: removes group membership from a user, returns status string
: removes group membership from a user, returns status string


; UserMgr<nowiki>::</nowiki>AddPrivilege ''USERID PRIVILEGE''
; UserMgr<nowiki>::</nowiki>IsMemberOfGroup "USERID" "GROUPID"
: returns "TRUE" if the user is a member of the specified group, else returns "FALSE"
 
; UserMgr<nowiki>::</nowiki>AddPrivilege "USERID" "PRIVILEGE"
: adds a privilege to the user account, returns status string. You can find a list of privileges below.
: adds a privilege to the user account, returns status string. You can find a list of privileges below.


; UserMgr<nowiki>::</nowiki>RemovePrivilege ''USERID PRIVILEGE''
; UserMgr<nowiki>::</nowiki>RemovePrivilege "USERID" "PRIVILEGE"
: removes a privilege from an account, returns status string. You can find a list of privileges below.
: removes a privilege from an account, returns status string. You can find a list of privileges below.


; UserMgr<nowiki>::</nowiki>CreateGroup ''GROUPID COMMENT''
; UserMgr<nowiki>::</nowiki>HasPrivilege "USERID" "PRIVILEGE"
: returns "TRUE" if the user has the specified privilege, else returns "FALSE".
 
; UserMgr<nowiki>::</nowiki>CreateGroup "GROUPID" "COMMENT"
: creates a new user group, returns status string
: creates a new user group, returns status string


; UserMgr<nowiki>::</nowiki>DeleteGroup ''GROUPID''
; UserMgr<nowiki>::</nowiki>DeleteGroup "GROUPID"
: deletes a user group, returns status string
: deletes a user group, returns status string


; UserMgr<nowiki>::</nowiki>GetUserInfo ''USERID FIELD''
; UserMgr<nowiki>::</nowiki>GetUserInfo "USERID" "FIELD"
: returns a specific information for the given user-ID
: returns a specific information for the given user-ID


: where ''FIELD'' can be one of the following:
: where "FIELD" can be one of the following:
:; EXISTS
:; EXISTS
:: returns "OK", if the user exists on the system, otherwise an error is returned (string "ERROR xxxx")
:: returns "OK", if the user exists on the system, otherwise an error is returned (string "ERROR xxxx")
Line 98: Line 118:
:: returns a comment stored for the user
:: returns a comment stored for the user


; UserMgr<nowiki>::</nowiki>SetUserInfo ''USERID FIELD VALUE''
:; PASSWD_STATUS
:: returns the Password status for the user (either NEVEREXPIRES or CANTCHANGE)
 
; UserMgr<nowiki>::</nowiki>SetUserInfo "USERID" "FIELD" "VALUE"
: sets a specific information for the given user-ID
: sets a specific information for the given user-ID


: where ''FIELD'' can be one of the following:
: where "FIELD" can be one of the following:
:; NAME
:; NAME
:: sets the user name
:: sets the user name
Line 120: Line 143:
:: sets the user password (Admin rights required)
:: sets the user password (Admin rights required)
   
   
; UserMgr<nowiki>::</nowiki>ChangeUserPassword ''USERID OLDPASSWORD NEWPASSWORD"
; UserMgr<nowiki>::</nowiki>ChangeUserPassword "USERID" "OLDPASSWORD" "NEWPASSWORD"
: changes the user password (Admin rights not required)
: changes the user password (Admin rights not required)


; UserMgr<nowiki>::</nowiki>SetRegKeyAccess "USERID ROOTKEY REGKEY ACCESSMASK"
; UserMgr<nowiki>::</nowiki>GetLocalizedStdAccountName "STDACCOUNTSID"
: returns the localized Standard Account name
: (e.g. "NT AUTHORITY\SYSTEM" for "S-1-5-18" on a English system
: and "NT-AUTORITÄT\NETZWERKDIENST" for "S-1-5-20" on a German system)
: The most often used SID's are defined in the included SpecialGroupsSIDs.nsh
 
; UserMgr<nowiki>::</nowiki>GetUserNameFromSID "SID"
: returns the username for the specified SID
: (returns both domain and username: "{domain}\{username}")
 
; UserMgr<nowiki>::</nowiki>GetSIDFromUserName "DOMAIN" "USERID"
: returns the SID for the specified USERID and DOMAIN
: (use an empty string for the domain for a local user)
 
; UserMgr<nowiki>::</nowiki>SetRegKeyAccess "USERID" "ROOTKEY" "REGKEY" "ACCESSMASK"
: adds/sets/revokes/denies access rights for registry keys
: adds/sets/revokes/denies access rights for registry keys


: where ''ROOTKEY'' can be one of these: HKLM, HKU, HKCU, HKCR
: where "ROOTKEY" can be one of these: HKLM, HKU, HKCU, HKCR
: where ''ACCESSMASK'' starts with a '+' to grant rights, "-" to deny rights, "=" to set rights, afterwards the rights can be listed: 'r' for read access, 'w' for write access, 'x' for execute access, 'a' for full access.
: where "ACCESSMASK" starts with a '+' to grant rights, "-" to deny rights, "=" to set rights, afterwards the rights can be listed: 'r' for read access, 'w' for write access, 'x' for execute access, 'a' for full access.


:; BEWARE: If ACCESSMASK is empty, all of the the users access rights will be removed! This is used to delete an access list entry from a registry key.
:; BEWARE: If ACCESSMASK is empty, all of the the users access rights will be removed! This is used to delete an access list entry from a registry key.
Line 136: Line 173:
  </highlight-nsis>
  </highlight-nsis>
: grants full access for "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Blabla" to user "myuser"
: grants full access for "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Blabla" to user "myuser"
 
; UserMgr<nowiki>::</nowiki>ValidatePassword "PASSWORD" "DOMAIN"
: checks if a password complies with GPO requirements
: check against current machine DOMAIN = local
: NERR_PasswordTooShort (2245) will sometimes be thrown if the password matches or contains the username. This can not be checked beforehand with this function as there is no username given.
 
 
 
GROUPID may be a (localized) group name or a group SID in []
: default [https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers Security identifiers]
 
==== Return value ====
==== Return value ====


'''A status string can look like this:'''
"'A status string can look like this:"'


; "OK"
; "OK"
Line 145: Line 192:


; "ERROR xxxx"
; "ERROR xxxx"
: An error occurred. Please see [http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/network_management_error_codes.asp MSDN] or the LMERR.H file (comes with Visual Studio) to find out about possible error codes.  You may also find the [http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/network_management.asp Network Management] page on MSDN to be useful.
: An error occurred. Please see [https://msdn.microsoft.com/en-us/library/windows/desktop/aa370674(v=vs.85).aspx MSDN] or the LMERR.H file (comes with Visual Studio) to find out about possible error codes.  You may also find the [https://msdn.microsoft.com/en-us/library/windows/desktop/aa370672(v=vs.85).aspx Network Management] page on MSDN to be useful.


== Example ==
== Example ==
Line 169: Line 216:


UserMgr::AddToGroup  "myuser" "Administrators"
UserMgr::AddToGroup  "myuser" "Administrators"
Pop $0
        MessageBox MB_OK "AddToGroup Result : $0"
        UserMgr::AddToGroup "myuser" "[S-1-5-32-544]"
Pop $0
Pop $0
         MessageBox MB_OK "AddToGroup Result : $0"
         MessageBox MB_OK "AddToGroup Result : $0"
Line 211: Line 262:
Pop $0
Pop $0
         MessageBox MB_OK "ChangeUserPassword Result : $0"
         MessageBox MB_OK "ChangeUserPassword Result : $0"
UserMgr::ValidatePassword "mypassword" "local"
Pop $0
        MessageBox MB_OK "ValidatePassword Result : $0"


UserMgr::SetUserInfo "myuserA" "PASSWORD" "mypasswordc"
UserMgr::SetUserInfo "myuserA" "PASSWORD" "mypasswordc"
Line 219: Line 274:
Pop $0
Pop $0
         MessageBox MB_OK "DeleteUser Result: $0"
         MessageBox MB_OK "DeleteUser Result: $0"
 
        #######################################################################
UserMgr::GetCurrentUserName
Pop $0
        MessageBox MB_OK "GetCurrentUserName Result: $0"
UserMgr::GetSIDFromUserName "" "$0"
Pop $0
        MessageBox MB_OK "GetSIDFromUserName Result: $0"
UserMgr::GetUserNameFromSID "$0"
Pop $0
        MessageBox MB_OK "GetUserNameFromSID Result: $0"


FunctionEnd
FunctionEnd
Line 230: Line 298:
This list was taken from a web site and surely is not complete. You may have to ask Google or whoever to find out about certain privileges.  
This list was taken from a web site and surely is not complete. You may have to ask Google or whoever to find out about certain privileges.  


'''Side note:'''
"'Side note:"'
On my machine I needed to "grant" a user the SeDenyInteractiveLogonRight to deny the account to log in interactively - although it did not possess the SeInteractiveLogonRight privilege and was not a a member of any group. This is the same with SeDenyBatchLogonRight, SeDenyNetworkLogonRight and SeDenyServiceLogonRight. You can clearly see that the "i" in Micro$oft stands for "inconsistency" :-)
On my machine I needed to "grant" a user the SeDenyInteractiveLogonRight to deny the account to log in interactively - although it did not possess the SeInteractiveLogonRight privilege and was not a a member of any group. This is the same with SeDenyBatchLogonRight, SeDenyNetworkLogonRight and SeDenyServiceLogonRight. You can clearly see that the "i" in Micro$oft stands for "inconsistency" :-)


Line 264: Line 332:
== Changes ==
== Changes ==


JPR 01 Jan 2007:
KFF 29 Mai 2021:
* Resolves groupid to groupname. If enclosed in square brackets a string SID is assuemd and a Lookup is performed
* NetLocalGroupDelMembers used instead of NetGroupDelUser in the RemoveFromGroup function to make it work
* The function ValidatePassword is added to be able to check a password beforehand agains GPO requirements
 
JPR 01 Jan 2008:


* NetLocalGroupAddMembers used instead of NetGroupAddUser in the AddToGroup function to make it work. (Thanks to the article of CancerFace (http://nsis.sourceforge.net/User_Management_using_API_calls))
* NetLocalGroupAddMembers used instead of NetGroupAddUser in the AddToGroup function to make it work. (Thanks to the article of CancerFace ([[User Management using API calls]]))
* PASSWORD added as possible FIELD for the SetUserInfo function. With this field the user password can be changed
* PASSWORD added as possible FIELD for the SetUserInfo function. With this field the user password can be changed
* The function ChangeUserPassword is added to be able to change a user password
* The function ChangeUserPassword is added to be able to change a user password
Line 273: Line 346:
* The function RegLoadUserHive is added. This function loads the User Registry hive in HKEY_USERS\{USERID} to be able to add keys and values to the HKEY_CURRENT_USER of this user
* The function RegLoadUserHive is added. This function loads the User Registry hive in HKEY_USERS\{USERID} to be able to add keys and values to the HKEY_CURRENT_USER of this user
* The function RegUnLoadUserHive is added. This function unloads the User Registry hive
* The function RegUnLoadUserHive is added. This function unloads the User Registry hive
JPR 14 Jan 2008:
* Fixed a small bug in GetUserInfo function
* Fixed 2 small bugs in SetUserInfo function
* Added GetCurrentUserName function
* Added GetLocalizedStdAccountName function
* Added IsMemberOfGroup function
JPR 15 Jan 2008:
* Fixed a small bug in RegLoadUserHive function
JPR 01 Feb 2008:
* Fixed a bug in SetUserInfo function when using for "FULLNAME"
* Added HasPrivilege function
JPR 22 Jan 2009:
* Added GetCurrentDomain function
JPR 23 Jan 2009:
* Fixed a bug crashing the installer
JPR 25 Jan 2009:
* Return errorcode (WinError if available, else NTStatus) for LsaEnumerateAccountRights in function HasPrivilege
* Return FALSE if user has no privileges in function HasPrivilege
JPR 2 Sep 2009:
* Added GetUserNameFromSID function
* Added GetSIDFromUserName function
* Fixed a problem in the RegLoadUserHive function when a user was deleted and then recreated


[[Category:Plugins]]
[[Category:Plugins]]

Latest revision as of 15:18, 23 July 2021

Author: hgerstung (talk, contrib)


Links

UserMgr.zip (49 KB) UserMgr (2021).zip (148 KB)

Find the original plugin of the author (15.8.2006) at http://www.meinberg.de/download/utils/UserMgr.zip

UserMgr thread on NSIS Discussion forum OLD

UserMgr thread on NSIS Discussion forum

Description

I needed to create a user account in my installer, running a service with restricted rights is something we all should try to do whenever possible.

In order to get this functionality, I used the UserInfo plugin as a starter and created a number of functions dealing with user accounts, privileges and groups.

"'Please note: This plugin and its functions are only useful for Windows NT/2K/XP target systems."'
You should check the type of system in your installer script before trying to call one of the functions of this DLL. I did not test what happens when someone tries to use UserMgr on a Win95/Win98 system.

As I am currently the only one using this, I consider it in beta state and appreciate any comments and feedback, e.g. "Yes, it runs on Winxyz" or "No, no chance on Win87 etc. etc.).

You can reach me via PM, my forum account is hgerstung, so do not hesitate to contact me if you are experiencing difficulties.

Please note: NSIS v2.42 or higher is required for this plugin to run properly.

Known Issues

Windows 9x support
Untested on Windows 9x; structure is different, so probably not going to work.
Windows NT4 support
Plug-in does not work because ConvertSidToStringSid and ConvertStringSidToSid are unavailable!

Any help in resolving these issues (submitting a patch, etc) is appreciated.


Plugin Command Reference

Here's a list of functions the DLL exports including the necessary parameters.

UserMgr::CreateAccount "USERID" "PASSWORD" "COMMENT"
creates a new user account, returns status string
UserMgr::CreateAccountEx "USERID" "PASSWORD" "COMMENT" "FULLNAME" "USERCOMMENT" "FLAGS"
creates a new user account, including the Fullname (Shown in the Welcome screen), returns status string
where "FLAGS" can be one or more of the following, seperated by '|':
UF_ACCOUNTDISABLE
The user's account is disabled.
UF_PASSWD_NOTREQD
No password is required.
UF_PASSWD_CANT_CHANGE
The user cannot change the password.
UF_DONT_EXPIRE_PASSWD
The password will never expire on the account.
UserMgr::GetCurrentUserName
returns the username of the currently logged in user
UserMgr::GetCurrentDomain
returns the domainname of the currently logged in user
UserMgr::BuiltAccountEnv "USERID" "PASSWORD"
builds the User environment of the user (Registry hive, Documents and settings etc.), returns status string
UserMgr::RegLoadUserHive "USERID"
loads the User Registry hive in HKEY_USERS\{USERID}, returns status string
UserMgr::RegUnLoadUserHive "USERID"
unloads the User Registry hive, returns status string
UserMgr::DeleteAccount "USERID"
deletes a user account, returns status string
UserMgr::AddToGroup "USERID" "GROUPID"
adds a user to a group, returns status string
UserMgr::RemoveFromGroup "USERID" "GROUPID"
removes group membership from a user, returns status string
UserMgr::IsMemberOfGroup "USERID" "GROUPID"
returns "TRUE" if the user is a member of the specified group, else returns "FALSE"
UserMgr::AddPrivilege "USERID" "PRIVILEGE"
adds a privilege to the user account, returns status string. You can find a list of privileges below.
UserMgr::RemovePrivilege "USERID" "PRIVILEGE"
removes a privilege from an account, returns status string. You can find a list of privileges below.
UserMgr::HasPrivilege "USERID" "PRIVILEGE"
returns "TRUE" if the user has the specified privilege, else returns "FALSE".
UserMgr::CreateGroup "GROUPID" "COMMENT"
creates a new user group, returns status string
UserMgr::DeleteGroup "GROUPID"
deletes a user group, returns status string
UserMgr::GetUserInfo "USERID" "FIELD"
returns a specific information for the given user-ID
where "FIELD" can be one of the following:
EXISTS
returns "OK", if the user exists on the system, otherwise an error is returned (string "ERROR xxxx")
NAME
returns the user name
FULLNAME
returns the full user name (e.g. firstname surname)
HOMEDIR
returns the path to the users home directory
COMMENT
returns a comment stored for the user
PASSWD_STATUS
returns the Password status for the user (either NEVEREXPIRES or CANTCHANGE)
UserMgr::SetUserInfo "USERID" "FIELD" "VALUE"
sets a specific information for the given user-ID
where "FIELD" can be one of the following:
NAME
sets the user name
FULLNAME
sets the full user name (e.g. firstname surname)
HOMEDIR
sets the path to the users home directory
COMMENT
sets a comment stored for the user
PASSWD_NEVER_EXPIRES ["YES"/"NO"]
enables/disables password expiration
PASSWORD
sets the user password (Admin rights required)
UserMgr::ChangeUserPassword "USERID" "OLDPASSWORD" "NEWPASSWORD"
changes the user password (Admin rights not required)
UserMgr::GetLocalizedStdAccountName "STDACCOUNTSID"
returns the localized Standard Account name
(e.g. "NT AUTHORITY\SYSTEM" for "S-1-5-18" on a English system
and "NT-AUTORITÄT\NETZWERKDIENST" for "S-1-5-20" on a German system)
The most often used SID's are defined in the included SpecialGroupsSIDs.nsh
UserMgr::GetUserNameFromSID "SID"
returns the username for the specified SID
(returns both domain and username: "{domain}\{username}")
UserMgr::GetSIDFromUserName "DOMAIN" "USERID"
returns the SID for the specified USERID and DOMAIN
(use an empty string for the domain for a local user)
UserMgr::SetRegKeyAccess "USERID" "ROOTKEY" "REGKEY" "ACCESSMASK"
adds/sets/revokes/denies access rights for registry keys
where "ROOTKEY" can be one of these: HKLM, HKU, HKCU, HKCR
where "ACCESSMASK" starts with a '+' to grant rights, "-" to deny rights, "=" to set rights, afterwards the rights can be listed: 'r' for read access, 'w' for write access, 'x' for execute access, 'a' for full access.
BEWARE
If ACCESSMASK is empty, all of the the users access rights will be removed! This is used to delete an access list entry from a registry key.
example:
 UserMgr::SetRegKeyAccess "myuser" "HKLM" "SYSTEM\CurrentControlSet\Services\Blabla" "=a"
grants full access for "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Blabla" to user "myuser"
UserMgr::ValidatePassword "PASSWORD" "DOMAIN"
checks if a password complies with GPO requirements
check against current machine DOMAIN = local
NERR_PasswordTooShort (2245) will sometimes be thrown if the password matches or contains the username. This can not be checked beforehand with this function as there is no username given.


GROUPID may be a (localized) group name or a group SID in []

default Security identifiers

Return value

"'A status string can look like this:"'

"OK"
Function has been completed successfully
"ERROR xxxx"
An error occurred. Please see MSDN or the LMERR.H file (comes with Visual Studio) to find out about possible error codes. You may also find the Network Management page on MSDN to be useful.

Example

Here is a short example of how to use the functions in an Installer script: 

Name "UserMgr.dll Sample Installation Script"
 
OutFile "usermgr-sample.exe"
 
#
# Be careful when using these functions, especially the "Remove" and "Delete"
# commands!!!
#
 
Function .onInit
        # the plugins dir is automatically deleted when the installer exits
        InitPluginsDir
 
	UserMgr::CreateAccount "myuser" "mypassword" "A test user created by the UserMgr plugin"
	Pop $0
        MessageBox MB_OK "CreateUser Result : $0"
 
	UserMgr::AddToGroup  "myuser" "Administrators"
	Pop $0
        MessageBox MB_OK "AddToGroup Result : $0"
 
        UserMgr::AddToGroup "myuser" "[S-1-5-32-544]"
	Pop $0
        MessageBox MB_OK "AddToGroup Result : $0"
 
	UserMgr::SetRegKeyAccess "myuser" "HKLM" "SYSTEM\CurrentControlSet\Services\EventLog\Application\NTP" "=a"
	Pop $0
        MessageBox MB_OK "GrantAccess Result : $0"
 
	UserMgr::SetRegKeyAccess "myuser" "HKLM" "SYSTEM\CurrentControlSet\Services\EventLog\Application\NTP" "=r"
	Pop $0
        MessageBox MB_OK "RevokeWriteAccess Result : $0"
 
	UserMgr::SetRegKeyAccess "myuser" "HKLM" "SYSTEM\CurrentControlSet\Services\EventLog\Application\NTP" ""
	Pop $0
        MessageBox MB_OK "RevokeAccess Result : $0"
 
	UserMgr::DeleteAccount "myuser"
	Pop $0
        MessageBox MB_OK "DeleteUser Result: $0"
 
        #######################################################################
 
	UserMgr::CreateAccountEx "myuserA" "mypassword" "A test user created by the UserMgr plugin" "My User A" "A test user created by the UserMgr plugin" "UF_PASSWD_NOTREQD|UF_DONT_EXPIRE_PASSWD"
	Pop $0
        MessageBox MB_OK "CreateUser Result : $0"
 
	UserMgr::BuiltAccountEnv "myuserA" "mypassword"
	Pop $0
        MessageBox MB_OK "BuiltAccountEnv Result : $0"
 
	UserMgr::RegLoadUserHive "myuserA"
	Pop $0
        MessageBox MB_OK "RegLoadUserHive Result : $0"
 
        WriteRegStr HKEY_USERS "myuserA\Software\My Company\My Software" "String Value" "dead beef"
 
	UserMgr::RegUnLoadUserHive "myuserA"
	Pop $0
        MessageBox MB_OK "RegUnLoadUserHive Result : $0"
 
	UserMgr::ChangeUserPassword "myuserA" "mypassword" "mypasswordb"
	Pop $0
        MessageBox MB_OK "ChangeUserPassword Result : $0"
 
	UserMgr::ValidatePassword "mypassword" "local"
	Pop $0
        MessageBox MB_OK "ValidatePassword Result : $0"
 
	UserMgr::SetUserInfo "myuserA" "PASSWORD" "mypasswordc"
	Pop $0
        MessageBox MB_OK "SetUserInfo PASSWORD Result : $0"
 
	UserMgr::DeleteAccount "myuserA"
	Pop $0
        MessageBox MB_OK "DeleteUser Result: $0"
 
        #######################################################################
 
	UserMgr::GetCurrentUserName
	Pop $0
        MessageBox MB_OK "GetCurrentUserName Result: $0"
 
	UserMgr::GetSIDFromUserName "" "$0"
	Pop $0
        MessageBox MB_OK "GetSIDFromUserName Result: $0"
 
	UserMgr::GetUserNameFromSID "$0"
	Pop $0
        MessageBox MB_OK "GetUserNameFromSID Result: $0"
 
FunctionEnd
 
Section
SectionEnd

Incomplete List of Account Privileges

This list was taken from a web site and surely is not complete. You may have to ask Google or whoever to find out about certain privileges.

"'Side note:"' On my machine I needed to "grant" a user the SeDenyInteractiveLogonRight to deny the account to log in interactively - although it did not possess the SeInteractiveLogonRight privilege and was not a a member of any group. This is the same with SeDenyBatchLogonRight, SeDenyNetworkLogonRight and SeDenyServiceLogonRight. You can clearly see that the "i" in Micro$oft stands for "inconsistency" :-)

SeAssignPrimaryTokenPrivilege
Replace a process level token
SeAuditPrivilege
Generate security audits
SeBackupPrivilege
Back up files and directories
SeBatchLogonRight
Log on as a batch job
SeChangeNotifyPrivilege
Bypass traverse checking
SeCreatePagefilePrivilege
Create a pagefile
SeCreatePermanentPrivilege
Create permanent shared objects
SeCreateTokenPrivilege
Create a token object
SeDebugPrivilege
Debug programs
SeIncreaseBasePriorityPrivilege
Increase scheduling priority
SeIncreaseQuotaPrivilege
Increase quotas
SeInteractiveLogonRight
Log on locally
SeLoadDriverPrivilege
Load and unload device drivers
SeLockMemoryPrivilege
Lock pages in memory
SeMachineAccountPrivilege
Add workstations to domain
SeNetworkLogonRight
Access this computer from the network
SeProfileSingleProcessPrivilege
Profile single process
SeRemoteShutdownPrivilege
Force shutdown from a remote system
SeRestorePrivilege
Restore files and directories
SeSecurityPrivilege
Manage auditing and security log
SeServiceLogonRight
Log on as a service
SeShutdownPrivilege
Shut down the system
SeSystemEnvironmentPrivilege
Modify firmware environment values
SeSystemProfilePrivilege
Profile system performance
SeSystemtimePrivilege
Change the system time
SeTakeOwnershipPrivilege
Take ownership of files or other objects
SeTcbPrivilege
Act as part of the operating system
SeUnsolicitedInputPrivilege
Read unsolicited input from a terminal device

Changes

KFF 29 Mai 2021:

  • Resolves groupid to groupname. If enclosed in square brackets a string SID is assuemd and a Lookup is performed
  • NetLocalGroupDelMembers used instead of NetGroupDelUser in the RemoveFromGroup function to make it work
  • The function ValidatePassword is added to be able to check a password beforehand agains GPO requirements

JPR 01 Jan 2008:

  • NetLocalGroupAddMembers used instead of NetGroupAddUser in the AddToGroup function to make it work. (Thanks to the article of CancerFace (User Management using API calls))
  • PASSWORD added as possible FIELD for the SetUserInfo function. With this field the user password can be changed
  • The function ChangeUserPassword is added to be able to change a user password
  • The function CreateAccountEx is added to be able to add a fullname of a user (Shown in the Welcome Screen) and add flags to the user (Password never expires etc.)
  • The function BuiltAccountEnv is added. This function creates the User Environment (Documents and settings\{User} folder, User Registry Hive etc. to be able to do something there without the need to login as the new created user first
  • The function RegLoadUserHive is added. This function loads the User Registry hive in HKEY_USERS\{USERID} to be able to add keys and values to the HKEY_CURRENT_USER of this user
  • The function RegUnLoadUserHive is added. This function unloads the User Registry hive

JPR 14 Jan 2008:

  • Fixed a small bug in GetUserInfo function
  • Fixed 2 small bugs in SetUserInfo function
  • Added GetCurrentUserName function
  • Added GetLocalizedStdAccountName function
  • Added IsMemberOfGroup function

JPR 15 Jan 2008:

  • Fixed a small bug in RegLoadUserHive function

JPR 01 Feb 2008:

  • Fixed a bug in SetUserInfo function when using for "FULLNAME"
  • Added HasPrivilege function

JPR 22 Jan 2009:

  • Added GetCurrentDomain function

JPR 23 Jan 2009:

  • Fixed a bug crashing the installer

JPR 25 Jan 2009:

  • Return errorcode (WinError if available, else NTStatus) for LsaEnumerateAccountRights in function HasPrivilege
  • Return FALSE if user has no privileges in function HasPrivilege

JPR 2 Sep 2009:

  • Added GetUserNameFromSID function
  • Added GetSIDFromUserName function
  • Fixed a problem in the RegLoadUserHive function when a user was deleted and then recreated
Retrieved from "https://nsis.sourceforge.io/mediawiki/index.php?title=UserMgr_plug-in&oldid=25692"