UserMgr plug-in
Revision as of 14:58, 27 December 2005
Author: hgerstung
Links
UserMgr.zip (49 KB)
Description
I needed to create a user account in my installer; running a service with restricted rights is something we all should try to do whenever possible.
In order to get this functionality, I used the UserInfo plugin as a starter and created a number of functions dealing with user accounts, privileges and groups.
Please note: This plugin and its functions are only useful for Windows NT/2K/XP target systems.
You should check the type of system in your installer script before trying to call one of the functions of this DLL. I did not test what happens when someone tries to use UserMgr on a Win95/Win98 system.
As I am currently the only one using this, I consider it in beta state and appreciate any comments and feedback (e.g. "Yes, it runs on Winxyz" or "No, no chance on Win87", etc.).
You can reach me via PM, my forum account is hgerstung, so do not hesitate to contact me if you are experiencing difficulties.
Plugin Command Reference
Here's a list of functions the DLL exports including the necessary parameters.
- UserMgr::CreateAccount USERID PASSWORD COMMENT
- creates a new user account, returns status string
- UserMgr::DeleteAccount USERID
- deletes a user account, returns status string
- UserMgr::AddToGroup USERID GROUPID
- adds a user to a group, returns status string
- UserMgr::RemoveFromGroup USERID GROUPID
- removes group membership from a user, returns status string
- UserMgr::AddPrivilege USERID PRIVILEGE
- adds a privilege to the user account, returns status string. You can find a list of privileges below.
- UserMgr::RemovePrivilege USERID PRIVILEGE
- removes a privilege from an account, returns status string. You can find a list of privileges below.
- UserMgr::CreateGroup GROUPID COMMENT
- creates a new user group, returns status string
- UserMgr::DeleteGroup GROUPID
- deletes a user group, returns status string
- UserMgr::GetUserInfo USERID FIELD
- returns a specific piece of information for the given user ID
where FIELD can be one of the following:
- EXISTS
- returns "OK", if the user exists on the system, otherwise an error is returned (string "ERROR xxxx")
- NAME
- returns the user name
- FULLNAME
- returns the full user name (e.g. firstname surname)
- HOMEDIR
- returns the path to the user's home directory
- COMMENT
- returns a comment stored for the user
A status string can look like this:
- "OK"
- Function has been completed successfully
- "ERROR xxxx"
- An error occurred. Please see MSDN or the LMERR.H file (comes with Visual Studio) to find out about possible error codes
Here is a short example of how to use the functions in an Installer script:
    Name "UserMgr.dll Sample Installation Script"
    OutFile "usermgr-sample.exe"

    #
    # Be careful when using these functions, especially the "Remove" and "Delete"
    # commands!!!
    #

    Function .onInit
      # the plugins dir is automatically deleted when the installer exits
      InitPluginsDir

      UserMgr::CreateAccount "myuser" "mypassword" "A test user"
      Pop $0
      MessageBox MB_OK "CreateUser Result : $0"

      UserMgr::AddToGroup "myuser" "guests"
      Pop $0
      MessageBox MB_OK " Add to Group Result : $0"

      UserMgr::AddPrivilege "myuser" "SeInteractiveLogonRight"
      Pop $0
      MessageBox MB_OK "Add Privilege Result : $0"

      UserMgr::DeleteAccount "myuser"
      Pop $0
      MessageBox MB_OK "Delete Account Result : $0"
    FunctionEnd

    Section
    SectionEnd
Incomplete List of Account Privileges
This list was taken from a web site and surely is not complete. You may have to ask Google or whoever to find out about certain privileges.
Side note: On my machine I needed to "grant" a user the SeDenyInteractiveLogonRight to deny the account to log in interactively - although it did not possess the SeInteractiveLogonRight privilege and was not a member of any group. This is the same with SeDenyBatchLogonRight, SeDenyNetworkLogonRight and SeDenyServiceLogonRight. You can clearly see that the "i" in Micro$oft stands for "inconsistency" :-)
- SeAssignPrimaryTokenPrivilege
- Replace a process level token
- SeAuditPrivilege
- Generate security audits
- SeBackupPrivilege
- Back up files and directories
- SeBatchLogonRight
- Log on as a batch job
- SeChangeNotifyPrivilege
- Bypass traverse checking
- SeCreatePagefilePrivilege
- Create a pagefile
- SeCreatePermanentPrivilege
- Create permanent shared objects
- SeCreateTokenPrivilege
- Create a token object
- SeDebugPrivilege
- Debug programs
- SeIncreaseBasePriorityPrivilege
- Increase scheduling priority
- SeIncreaseQuotaPrivilege
- Increase quotas
- SeInteractiveLogonRight
- Log on locally
- SeLoadDriverPrivilege
- Load and unload device drivers
- SeLockMemoryPrivilege
- Lock pages in memory
- SeMachineAccountPrivilege
- Add workstations to domain
- SeNetworkLogonRight
- Access this computer from the network
- SeProfileSingleProcessPrivilege
- Profile single process
- SeRemoteShutdownPrivilege
- Force shutdown from a remote system
- SeRestorePrivilege
- Restore files and directories
- SeSecurityPrivilege
- Manage auditing and security log
- SeServiceLogonRight
- Log on as a service
- SeShutdownPrivilege
- Shut down the system
- SeSystemEnvironmentPrivilege
- Modify firmware environment values
- SeSystemProfilePrivilege
- Profile system performance
- SeSystemtimePrivilege
- Change the system time
- SeTakeOwnershipPrivilege
- Take ownership of files or other objects
- SeTcbPrivilege
- Act as part of the operating system
- SeUnsolicitedInputPrivilege
- Read unsolicited input from a terminal device
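
A least-privilege variant of the sample script, added here as an example (it is not the plug-in author's code): it checks for an NT-based system first, refuses to touch an account that already exists, and stops on any "ERROR xxxx" status instead of only displaying it. The account name svc_myapp, the SVC_PASSWORD placeholder, the GrantRight helper and the registry-based NT check are assumptions; the deny rights follow the side note above.

```nsis
; Added example (not from the plug-in author). Assumed names: "svc_myapp",
; SVC_PASSWORD, the GrantRight helper and the output file name.
Name "UserMgr restricted service account"
OutFile "usermgr-service-account.exe"

!define SVC_USER "svc_myapp"
; Constructed placeholder: a real installer should obtain the password at
; install time instead of embedding it in the script.
!define SVC_PASSWORD "REPLACE-AT-INSTALL-TIME"

; Grants the right on top of the stack to SVC_USER, aborts on "ERROR xxxx".
Function GrantRight
  Exch $1                       ; $1 = privilege name, old $1 saved on stack
  UserMgr::AddPrivilege "${SVC_USER}" "$1"
  Pop $0
  DetailPrint "AddPrivilege $1: $0"
  StrCmp $0 "OK" +2
    Abort "Could not grant $1 to ${SVC_USER}: $0"
  Pop $1                        ; restore caller's $1
FunctionEnd

Section "Create service account"
  ; UserMgr only supports NT-based Windows: this value is empty on Win9x.
  ReadRegStr $0 HKLM "SOFTWARE\Microsoft\Windows NT\CurrentVersion" "CurrentVersion"
  StrCmp $0 "" 0 +2
    Abort "UserMgr requires Windows NT/2K/XP."

  ; Do not reuse or modify an account that is already present.
  UserMgr::GetUserInfo "${SVC_USER}" "EXISTS"
  Pop $0
  StrCmp $0 "OK" 0 +2
    Abort "Account ${SVC_USER} already exists; refusing to modify it."

  UserMgr::CreateAccount "${SVC_USER}" "${SVC_PASSWORD}" "Service account for MyApp"
  Pop $0
  StrCmp $0 "OK" +2
    Abort "CreateAccount failed: $0"

  ; Only the logon type a service needs, plus explicit denials for the rest
  ; (per the side note above, the deny rights had to be granted explicitly).
  Push "SeServiceLogonRight"
  Call GrantRight
  Push "SeDenyInteractiveLogonRight"
  Call GrantRight
  Push "SeDenyNetworkLogonRight"
  Call GrantRight
  Push "SeDenyBatchLogonRight"
  Call GrantRight
SectionEnd
```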