How to check Local Security Policy rights as non-admin


The situation is a client system running C# code; on start-up we wish to check and confirm that the Windows identity running the system has certain specific privileges. The current specific case is SeSystemtimePrivilege. We do not want the user to be required to be an admin for the system to start.

Paths attempted so far include:

  • WMI which did not get the set of rights we were after.

  • LsaEnumerateAccountsWithUserRight through PInvoke - which totally works, but requires admin rights to use LsaOpenPolicy.

  • GetTokenInformation through PInvoke, in conjunction with LookupPrivilegeName. This did not return the desired results. Instead it returned just 5 privileges for the token, but did not include SeSystemtimePrivilege although it had been explicitly granted to the user in question. (I am thinking it is showing me only rights from GP? They are the same rights I see with a cmd WhoAmI /priv check.)

  • LookupPrivilegeValue through PInvoke, in conjunction with PrivilegeCheck. This also only seems to have access to the same 5 rights as GetTokenInformation, and only returns true when said right is actually enabled.

So far I cannot figure out how to enable this right on my local machine to test that situation, but I don't think I can rely on it being other than the default on client machines.

I am looking for more ideas of how to get at these user rights without having to have admin rights.

Ideas? Have I exhausted the options? That can't be so, can it?

Best answer, from tendrel:

The answer to my situation turned out to be the "GetTokenInformation through PInvoke, in conjunction with LookupPrivilegeName" option.

So, the reason I was not getting full rights was what I thought it was: the split token. As an admin, you get two tokens when running an app as non-elevated. This was hindering a complete workflow until a manifest was involved. The key here to get the full admin rights we were after was to include a manifest with this line:

  • <requestedExecutionLevel level="highestAvailable" uiAccess="false" />

Then it becomes easier. The admin can run the app non-elevated, and GetTokenInformation will return the full set of admin privileges, which will include our target SeSystemtimePrivilege (we are not on a system where anyone is restricting admin rights, ever). For a standard user, we explicitly grant them the SeSystemtimePrivilege in the Local Security Policy, and then the right is returned in their token privileges as well.

Both situations are remedied. It required setting up VMs to test the standard user and such, which was slow going due to other stuff. But anyhow, it does work, and satisfies our needs.

I hope this helps someone else!

Jen
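As an added example (not code from the question or the answer above), here is the approach the accepted answer settled on, written out in C#: read the current process token's TOKEN_PRIVILEGES via GetTokenInformation, resolve each LUID with LookupPrivilegeName, and then test whether SeSystemtimePrivilege is in the list and whether it is currently enabled. This is exactly the list whoami /priv shows, so the same caveats apply: a right granted in Local Security Policy only appears after the user logs on again, and a filtered (split) admin token will not contain it. The class and method names are this example's own; it assumes Windows and a .NET version with the generic Marshal.SizeOf<T>/PtrToStructure<T> helpers (.NET Framework 4.5.1+ or .NET Core).

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

// Added example, not the original poster's code. Enumerates the privileges in
// the caller's own access token (no admin rights and no LsaOpenPolicy needed)
// and checks for SeSystemtimePrivilege. A privilege that is present but not
// enabled is still held; PrivilegeCheck would report false for it until
// AdjustTokenPrivileges is called, which is the behaviour noted in the question.
static class TokenPrivilegeInspector
{
    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }

    [StructLayout(LayoutKind.Sequential)]
    struct LUID_AND_ATTRIBUTES { public LUID Luid; public uint Attributes; }

    // TOKEN_INFORMATION_CLASS::TokenPrivileges and the privilege attribute flags from winnt.h
    const int TokenPrivileges = 3;
    const uint SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001;
    const uint SE_PRIVILEGE_ENABLED = 0x00000002;
    const int ERROR_INSUFFICIENT_BUFFER = 122;

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr tokenHandle, int tokenInformationClass,
        IntPtr tokenInformation, int tokenInformationLength, out int returnLength);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeName(string systemName, ref LUID luid,
        StringBuilder name, ref int nameLength);

    // Returns privilege name -> attribute flags for every privilege in the current token.
    public static Dictionary<string, uint> GetCurrentTokenPrivileges()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            IntPtr token = identity.Token; // opened with TOKEN_QUERY, which is all we need

            // First call with no buffer to learn the required size.
            GetTokenInformation(token, TokenPrivileges, IntPtr.Zero, 0, out int size);
            if (Marshal.GetLastWin32Error() != ERROR_INSUFFICIENT_BUFFER)
                throw new Win32Exception();

            IntPtr buffer = Marshal.AllocHGlobal(size);
            try
            {
                if (!GetTokenInformation(token, TokenPrivileges, buffer, size, out size))
                    throw new Win32Exception();

                // TOKEN_PRIVILEGES layout: DWORD PrivilegeCount; LUID_AND_ATTRIBUTES Privileges[];
                int count = Marshal.ReadInt32(buffer);
                int entrySize = Marshal.SizeOf<LUID_AND_ATTRIBUTES>();
                var result = new Dictionary<string, uint>(StringComparer.OrdinalIgnoreCase);

                for (int i = 0; i < count; i++)
                {
                    IntPtr entryPtr = IntPtr.Add(buffer, sizeof(int) + i * entrySize);
                    var entry = Marshal.PtrToStructure<LUID_AND_ATTRIBUTES>(entryPtr);

                    var name = new StringBuilder(256);
                    int nameLength = name.Capacity;
                    if (!LookupPrivilegeName(null, ref entry.Luid, name, ref nameLength))
                        throw new Win32Exception();

                    result[name.ToString()] = entry.Attributes;
                }
                return result;
            }
            finally
            {
                Marshal.FreeHGlobal(buffer);
            }
        }
    }

    // True if the privilege is in the token at all; 'enabled' says whether it is
    // currently switched on (SE_PRIVILEGE_ENABLED) and therefore usable right now.
    public static bool HasPrivilege(string privilegeName, out bool enabled)
    {
        var privileges = GetCurrentTokenPrivileges();
        if (privileges.TryGetValue(privilegeName, out uint attributes))
        {
            enabled = (attributes & SE_PRIVILEGE_ENABLED) != 0;
            return true;
        }
        enabled = false;
        return false;
    }

    static void Main()
    {
        foreach (var kv in GetCurrentTokenPrivileges())
        {
            string state = (kv.Value & SE_PRIVILEGE_ENABLED) != 0 ? "Enabled" : "Disabled";
            Console.WriteLine($"{kv.Key,-36} {state}");
        }

        bool present = HasPrivilege("SeSystemtimePrivilege", out bool isEnabled);
        Console.WriteLine(present
            ? $"SeSystemtimePrivilege is held ({(isEnabled ? "enabled" : "disabled; enable it with AdjustTokenPrivileges before use")})"
            : "SeSystemtimePrivilege is not in this token (not granted, not yet logged on again, or filtered admin token)");
    }
}
```

Run this once as the standard user after the right has been granted and the user has logged on again, and once as an admin with and without the highestAvailable manifest; the difference in the printed list is the split token the answer describes. For the start-up check itself, use the presence test (HasPrivilege returning true) rather than the enabled flag, since most privileges are delivered disabled and only need to be enabled immediately before the call that requires them.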