How can you get a user token from LogonUser for a user account with no password?

In particular, LogonUser will fail for accounts that do not have passwords.
You can validate an account by checking for a blank password + checking for GetLastError() == ERROR_ACCOUNT_RESTRICTION.

But I need to actually get a token returned, so I need this function to succeed.

+1  A: 

This will fail if the registry setting LimitBlankPasswordUse is enabled, which it is by default. In order to disable this, change the LimitBlankPasswordUse value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa to zero. Or change the group policy setting under Security Options.

Be aware that this creates a security hole since it allows remote logons for accounts with null passwords.

Stephen Martin
But the computer is allowed to create accounts with blank passwords...
Brian R. Bondy
When LimitBlankPasswordUse is set you are still allowed to create accounts with blank passwords but they are limited to local console logon.
Stephen Martin
Can I get such a user token? Local console is fine.
Brian R. Bondy
By local console I mean physically logging in at the computer. You could retrieve the token once someone had physically logged in but there is no way to do the logon programmatically.
Stephen Martin
Does this mean Windows scheduler is broken if there is an account with no password?
Brian R. Bondy
I just verified and Windows gives the error about account restriction blank password. So it's true you can't use Windows Task Scheduler with a blank password.
Brian R. Bondy
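
An audit sketch for the setting discussed in the answer, added here as an example and not code from the thread: it reads LimitBlankPasswordUse from the Lsa key named above and lists enabled local accounts that are not required to have a password. The function names are hypothetical, and treating a missing value as "NotSet" rather than as a particular default is an assumption of this example.

```powershell
# Added example, read-only: reports the blank-password policy and the
# local accounts it matters for. Makes no changes to the system.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'LimitBlankPasswordUse'

function Get-BlankPasswordPolicy {
    # Hypothetical helper: returns 'Enabled', 'Disabled' or 'NotSet'.
    $item = Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    if ($item.$valueName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Get-AccountsNotRequiringPassword {
    # Hypothetical helper: PasswordRequired = $false only means the account
    # MAY have a blank password, so this is a candidate list, not proof.
    Get-LocalUser |
        Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
        Select-Object Name, PasswordLastSet, LastLogon
}

$policy   = Get-BlankPasswordPolicy
$accounts = @(Get-AccountsNotRequiringPassword)

Write-Output "LimitBlankPasswordUse: $policy"
Write-Output "Enabled accounts with no password requirement: $($accounts.Count)"
$accounts | Format-Table -AutoSize

if ($policy -eq 'Disabled' -and $accounts.Count -gt 0) {
    # The combination the answer warns about: the restriction is off while
    # accounts that may have blank passwords exist.
    Write-Warning 'Blank-password accounts are not limited to console logon on this machine.'
}
elseif ($policy -eq 'Enabled') {
    # Matches the behaviour in the thread: LogonUser with a blank password
    # is expected to fail with ERROR_ACCOUNT_RESTRICTION.
    Write-Output 'Blank-password accounts are limited to local console logon.'
}
```

Get-LocalUser requires the Microsoft.PowerShell.LocalAccounts module that ships with Windows PowerShell 5.1.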