Hi,

I want to impersonate another user in Windows. For example: I create a directory with permissions only for user A and for the administrators; when I log on as user B and run the .exe, I want to impersonate user A to have permission to edit/remove/insert in that specific directory. How can I do it?

I found this: http://msdn.microsoft.com/en-us/library/aa374731(VS.85).aspx

Thanks for the help!

Filipe Araújo

+3  A: 

As a start, check out this article on Windows user impersonation:

http://www.codeproject.com/KB/system/UserImpersonation.aspx

It should give you a place to start. If you need more control you will need to look into Access Tokens.

QAZ
I've done this and it works.
kenny
A: 

I've already gone to that site and it didn't help, because what I want is to have the permissions of user A in user B, and if you see the article, it's more appropriate for creating an .exe that calls the logon/login window, and "physically" you are user B, and that's not what I want. What I want is to run the .exe (created in VS2008 MFC C++) as user B and gain the permissions of user A, and within the .exe I can access the directories of user A.

Thanks.

Filipe Araújo

A: 

If you want access to the folders of User A and the folders of User B, then you just need to set up folder permissions in such a way that administrators have permissions to get into all the folders. Normally machine administrators already have those rights. I am assuming here that you are talking about normal Windows user accounts, and normal machine/domain administrator accounts.

If you want to become User A, it means you need User A's active permission to become that person. Impersonation is not simple (from what I have tried): you need to request access through your domain controller and negotiate that you are User B and that you have the rights to impersonate User A. Generally that is done by User A and User B sharing and negotiating Credential Handles and Security Contexts. I doubt this is the type of process you're looking to follow.

Some useful functions would include:

To set up the context, these are used, and data is passed backwards and forwards between User A and User B to negotiate the impersonation:

AcquireCredentialsHandle()
InitializeSecurityContext()
AcceptSecurityContext()
CompleteAuthToken()

Once the negotiations are complete and a security context has been created, these are used to start and stop the impersonation:

ImpersonateSecurityContext()
RevertContext()

I don't know of any other way to impersonate a user without the active participation of the user in question, or actively logging on as that user.

Hope this helps in some way.

brianb
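
The explicit-logon route the answers mention (a process running as user B logs on as user A with A's own credentials, works under that token, then reverts), as an added example that is not code from any poster in this thread. `RunAsUser` is a hypothetical helper, the account name and password in `main` are constructed placeholders, and the non-Windows branch exists only so the file compiles elsewhere.

```cpp
// Build on Windows: cl /EHsc impersonate.cpp advapi32.lib
#include <cstdlib>
#include <functional>
#ifdef _WIN32
#include <windows.h>
#endif

// Hypothetical helper: runs `work` on the calling thread as `user`, then reverts.
// Returns 0 on success, the Win32 error code on failure, -1 off Windows.
long RunAsUser(const wchar_t* user, const wchar_t* domain,
               const wchar_t* password, const std::function<void()>& work) {
#ifdef _WIN32
    HANDLE token = nullptr;
    // A real logon: user A's credentials are required and are validated here.
    if (!LogonUserW(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                    LOGON32_PROVIDER_DEFAULT, &token))
        return static_cast<long>(GetLastError());
    // If this fails the thread is still user B, so `work` must not run.
    if (!ImpersonateLoggedOnUser(token)) {
        DWORD err = GetLastError();
        CloseHandle(token);
        return static_cast<long>(err);
    }
    // The guard reverts even if `work` throws. A failed revert would leave the
    // thread running as user A, so the process stops instead of continuing.
    struct Revert {
        HANDLE t;
        ~Revert() {
            if (!RevertToSelf()) std::abort();
            CloseHandle(t);
        }
    } guard{token};
    work();  // access checks on this thread now use user A's token
    return 0;
#else
    (void)user; (void)domain; (void)password; (void)work;
    return -1;  // LogonUser exists only on Windows
#endif
}

int main() {
    // Constructed placeholders: "." selects the local account database.
    // Prompt for the password at run time rather than embedding it.
    long rc = RunAsUser(L"userA", L".", L"placeholder-password", [] {
        // Create, edit or delete files in user A's directory here.
    });
    return rc == 0 ? 0 : 1;
}
```

Only the calling thread is impersonated; other threads and any child processes still run as user B.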