UserMgr plug-in: Difference between revisions

Links

UserMgr.zip (49 KB)

Description

I needed to create a user account in my installer, running a service with restricted rights is something we all should try to do whenever possible.

In order to get this functionality, I used the UserInfo plugin as a starter and created a number of functions dealing with user accounts, privileges and groups.

Please note: This plugin and its functions are only useful for Windows NT/2K/XP target systems.
You should check the type of system in your installer script before trying to call one of the functions of this DLL. I did not test what happens when someone tries to use UserMgr on a Win95/Win98 system.

As I am currently the only one using this, I consider it in beta state and appreciate any comments and feedback, e.g. "Yes, it runs on Winxyz" or "No, no chance on Win87 etc. etc.).

You can reach me via PM, my forum account is hgerstung, so do not hesitate to contact me if you are experiencing difficulties.

Known Issues

UserMgr::AddToGroup

Not currently functional.

Windows 9x support

Untested on Windows 9x; structure is different, so probably not going to work.

Changing Passwords

Plugin does not currently support changing a user's password

Any help in resolving these issues (submitting a patch, etc) is appreciated.

Plugin Command Reference

Here's a list of functions the DLL exports including the necessary parameters.

UserMgr::CreateAccount USERID PASSWORD COMMENT

creates a new user account, returns status string

UserMgr::DeleteAccount USERID

deletes a user account, returns status string

UserMgr::AddToGroup USERID GROUPID

adds a user to a group, returns status string

UserMgr::RemoveFromGroup USERID GROUPID

removes group membership from a user, returns status string

UserMgr::AddPrivilege USERID PRIVILEGE

adds a privilege to the user account, returns status string. You can find a list of privileges below.

UserMgr::RemovePrivilege USERID PRIVILEGE

removes a privilege from an account, returns status string. You can find a list of privileges below.

UserMgr::CreateGroup GROUPID COMMENT

creates a new user group, returns status string

UserMgr::DeleteGroup GROUPID

deletes a user group, returns status string

UserMgr::GetUserInfo USERID FIELD'

returns a specific information for the given user-ID

where FIELD can be one of the following:

EXISTS

returns "OK", if the user exists on the system, otherwise an error is returned (string "ERROR xxxx")

NAME

returns the user name

FULLNAME

returns the full user name (e.g. firstname surname)

HOMEDIR

returns the path to the users home directory

COMMENT

returns a comment stored for the user

A status string can look like this:

"OK"

Function has been completed successfully

"ERROR xxxx"

An error occurred. Please see MSDN or the LMERR.H file (comes with Visual Studio) to find out about possible error codes. You may also find the Network Management page on MSDN to be useful.

Here is a short example of how to use the functions in an Installer script:

Name "UserMgr.dll Sample Installation Script"
 
OutFile "usermgr-sample.exe"
 
#
# Be careful when using these functions, especially the "Remove" and "Delete"
# commands!!!
#
 
 
Function .onInit
 # the plugins dir is automatically deleted when the installer exits
 InitPluginsDir
 
 
 UserMgr::CreateAccount "myuser" "mypassword" "A test user"
 Pop $0
 MessageBox MB_OK "CreateUser Result : $0"
 
 UserMgr::AddToGroup  "myuser" "guests"
 Pop $0
 MessageBox MB_OK " Add to Group Result : $0"
 
 UserMgr::AddPrivilege  "myuser" "SeInteractiveLogonRight"
 Pop $0          
 MessageBox MB_OK "Add Privilege Result : $0"
 
 UserMgr::DeleteAccount "myuser"
 Pop $0          
 MessageBox MB_OK "Delete Account Result : $0"
 
FunctionEnd
 
Section
SectionEnd

Incomplete List of Account Privileges

This list was taken from a web site and surely is not complete. You may have to ask Google or whoever to find out about certain privileges.

Side note: On my machine I needed to "grant" a user the SeDenyInteractiveLogonRight to deny the account to log in interactively - although it did not possess the SeInteractiveLogonRight privilege and was not a a member of any group. This is the same with SeDenyBatchLogonRight, SeDenyNetworkLogonRight and SeDenyServiceLogonRight. You can clearly see that the "i" in Micro$oft stands for "inconsistency" :-)

SeAssignPrimaryTokenPrivilege

Replace a process level token

SeAuditPrivilege

Generate security audits

SeBackupPrivilege

Back up files and directories

SeBatchLogonRight

Log on as a batch job

SeChangeNotifyPrivilege

Bypass traverse checking

SeCreatePagefilePrivilege

Create a pagefile

SeCreatePermanentPrivilege

Create permanent shared objects

SeCreateTokenPrivilege

Create a token object

SeDebugPrivilege

Debug programs

SeIncreaseBasePriorityPrivilege

Increase scheduling priority

SeIncreaseQuotaPrivilege

Increase quotas

SeInteractiveLogonRight

Log on locally

SeLoadDriverPrivilege

Load and unload device drivers

SeLockMemoryPrivilege

Lock pages in memory

SeMachineAccountPrivilege

Add workstations to domain

SeNetworkLogonRight

Access this computer from the network

SeProfileSingleProcessPrivilege

Profile single process

SeRemoteShutdownPrivilege

Force shutdown from a remote system

SeRestorePrivilege

Restore files and directories

SeSecurityPrivilege

Manage auditing and security log

SeServiceLogonRight

Log on as a service

SeShutdownPrivilege

Shut down the system

SeSystemEnvironmentPrivilege

Modify firmware environment values

SeSystemProfilePrivilege

Profile system performance

SeSystemtimePrivilege

Change the system time

SeTakeOwnershipPrivilege

Take ownership of files or other objects

SeTcbPrivilege

Act as part of the operating system

SeUnsolicitedInputPrivilege

Read unsolicited input from a terminal device