UserMgr plug-in: Difference between revisions

From NSIS Wiki
Jump to navigationJump to search
(Added "changing passwords" under Known Issues)
Line 5: Line 5:


== Description ==
== Description ==
I needed to create a user account in my installer, running a service with restricted rights is be something we all should try to do whenever possible.
I needed to create a user account in my installer, running a service with restricted rights is something we all should try to do whenever possible.


In order to get this functionality, I used the UserInfo plugin as a starter and created a number of functions dealing with user accounts, privileges and groups.  
In order to get this functionality, I used the UserInfo plugin as a starter and created a number of functions dealing with user accounts, privileges and groups.  

Revision as of 21:19, 18 April 2006

Author: hgerstung (talk, contrib)


Links

UserMgr.zip (49 KB)

Description

I needed to create a user account in my installer, running a service with restricted rights is something we all should try to do whenever possible.

In order to get this functionality, I used the UserInfo plugin as a starter and created a number of functions dealing with user accounts, privileges and groups.

Please note: This plugin and its functions are only useful for Windows NT/2K/XP target systems.
You should check the type of system in your installer script before trying to call one of the functions of this DLL. I did not test what happens when someone tries to use UserMgr on a Win95/Win98 system.

As I am currently the only one using this, I consider it in beta state and appreciate any comments and feedback, e.g. "Yes, it runs on Winxyz" or "No, no chance on Win87 etc. etc.).

You can reach me via PM, my forum account is hgerstung, so do not hesitate to contact me if you are experiencing difficulties.

Known Issues

UserMgr::AddToGroup
Not currently functional.
Windows 9x support
Untested on Windows 9x; structure is different, so probably not going to work.
Changing Passwords
Plugin does not currently support changing a user's password


Any help in resolving these issues (submitting a patch, etc) is appreciated.


Plugin Command Reference

Here's a list of functions the DLL exports including the necessary parameters.

UserMgr::CreateAccount USERID PASSWORD COMMENT
creates a new user account, returns status string
UserMgr::DeleteAccount USERID
deletes a user account, returns status string
UserMgr::AddToGroup USERID GROUPID
adds a user to a group, returns status string
UserMgr::RemoveFromGroup USERID GROUPID
removes group membership from a user, returns status string
UserMgr::AddPrivilege USERID PRIVILEGE
adds a privilege to the user account, returns status string. You can find a list of privileges below.
UserMgr::RemovePrivilege USERID PRIVILEGE
removes a privilege from an account, returns status string. You can find a list of privileges below.
UserMgr::CreateGroup GROUPID COMMENT
creates a new user group, returns status string
UserMgr::DeleteGroup GROUPID
deletes a user group, returns status string
UserMgr::GetUserInfo USERID FIELD'
returns a specific information for the given user-ID

where FIELD can be one of the following:

EXISTS
returns "OK", if the user exists on the system, otherwise an error is returned (string "ERROR xxxx")
NAME
returns the user name
FULLNAME
returns the full user name (e.g. firstname surname)
HOMEDIR
returns the path to the users home directory
COMMENT
returns a comment stored for the user

A status string can look like this:

"OK"
Function has been completed successfully
"ERROR xxxx"
An error occurred. Please see MSDN or the LMERR.H file (comes with Visual Studio) to find out about possible error codes. You may also find the Network Management page on MSDN to be useful.

Here is a short example of how to use the functions in an Installer script:

Name "UserMgr.dll Sample Installation Script"
 
OutFile "usermgr-sample.exe"
 
#
# Be careful when using these functions, especially the "Remove" and "Delete"
# commands!!!
#
 
 
Function .onInit
 # the plugins dir is automatically deleted when the installer exits
 InitPluginsDir
 
 
 UserMgr::CreateAccount "myuser" "mypassword" "A test user"
 Pop $0
 MessageBox MB_OK "CreateUser Result : $0"
 
 UserMgr::AddToGroup  "myuser" "guests"
 Pop $0
 MessageBox MB_OK " Add to Group Result : $0"
 
 UserMgr::AddPrivilege  "myuser" "SeInteractiveLogonRight"
 Pop $0          
 MessageBox MB_OK "Add Privilege Result : $0"
 
 UserMgr::DeleteAccount "myuser"
 Pop $0          
 MessageBox MB_OK "Delete Account Result : $0"
 
FunctionEnd
 
Section
SectionEnd

Incomplete List of Account Privileges

This list was taken from a web site and surely is not complete. You may have to ask Google or whoever to find out about certain privileges.

Side note: On my machine I needed to "grant" a user the SeDenyInteractiveLogonRight to deny the account to log in interactively - although it did not possess the SeInteractiveLogonRight privilege and was not a a member of any group. This is the same with SeDenyBatchLogonRight, SeDenyNetworkLogonRight and SeDenyServiceLogonRight. You can clearly see that the "i" in Micro$oft stands for "inconsistency" :-)

SeAssignPrimaryTokenPrivilege
Replace a process level token
SeAuditPrivilege
Generate security audits
SeBackupPrivilege
Back up files and directories
SeBatchLogonRight
Log on as a batch job
SeChangeNotifyPrivilege
Bypass traverse checking
SeCreatePagefilePrivilege
Create a pagefile
SeCreatePermanentPrivilege
Create permanent shared objects
SeCreateTokenPrivilege
Create a token object
SeDebugPrivilege
Debug programs
SeIncreaseBasePriorityPrivilege
Increase scheduling priority
SeIncreaseQuotaPrivilege
Increase quotas
SeInteractiveLogonRight
Log on locally
SeLoadDriverPrivilege
Load and unload device drivers
SeLockMemoryPrivilege
Lock pages in memory
SeMachineAccountPrivilege
Add workstations to domain
SeNetworkLogonRight
Access this computer from the network
SeProfileSingleProcessPrivilege
Profile single process
SeRemoteShutdownPrivilege
Force shutdown from a remote system
SeRestorePrivilege
Restore files and directories
SeSecurityPrivilege
Manage auditing and security log
SeServiceLogonRight
Log on as a service
SeShutdownPrivilege
Shut down the system
SeSystemEnvironmentPrivilege
Modify firmware environment values
SeSystemProfilePrivilege
Profile system performance
SeSystemtimePrivilege
Change the system time
SeTakeOwnershipPrivilege
Take ownership of files or other objects
SeTcbPrivilege
Act as part of the operating system
SeUnsolicitedInputPrivilege
Read unsolicited input from a terminal device