Local user group modifications via C#

Question

Alright, so question.

I'm working on an application that was previously hosted on a Windows 2000 machine, and now I have to move it to Windows XP. The application needs the ability to switch its user account from Administrators, to a restricted account, and vice-versa (with reboots in between).

Using a netapi32.dll wrapper this works fine in Windows 2000. When I try it Windows XP, I get Access Denied errors when I try to remove the account from the restricted account and add it to the Administrator account. It works the other way around.

Does anyone know where the permissions need to be modified in order to be able to allow the restricted account to add/remove groups from user accounts? It seems to be handled differently between Windows 2000 and Windows XP.

Thanks.

Answer 1

I can't speak to the differences there, but I think you need to look at other solutions, like impersonation. This will allow you to execute code and Windows actions under the contexts of various users without performing modifications to the account itself.

If you must perform modifications to an account for other purposes, then your service needs to run under the context of an administrative account and perform the modifications on a different account.