Can anyone tell me how I can manage (or, if not possible, monitor) programmatically the people who are allowed to interactively log on (that is, through actual physical access) on a Windows machine attached to an Active Directory architecture? Something in BCL/FCL is preferred, but COM interop/WMI is also fine.
A:
Not sure how to do it programmatically. You can do it with the NTRights.exe tool as:
NTRights -u [username] +r SeDenyInteractiveLogonRight
To deny a user the right to log on interactively. So if you can't find a better solution you could possibly call that tool from your application.
ho1
2010-06-25 07:41:22
Unfortunately, ntrights seems to be limited to Windows Server. Is there an equivalent on Windows XP and above?
apoorv020
2010-06-25 07:46:47
@apoorv020: It's in the Server Resource Kit, but I think you can run it on XP as well, not completely sure though.
ho1
2010-06-25 07:49:53
+1
A:
I found a COM API call that can be used to monitor and/or manage users with interactive logon rights.
LsaEnumerateAccountsWithUserRight can monitor people with interactive logon rights while LsaAddAccountRights, LsaEnumerateAccountRights and LsaRemoveAccountRights can add and remove such privileges.
apoorv020
2010-06-25 14:55:11
I'd suggest marking this as the answer so as to give an easy indication of what solved your problem (it's perfectly ok to mark your own answer as the correct answer).
ho1
2010-06-25 21:03:29