LogonUser

This function logs on a user account with the supplied credentials and returns a handle that represents that user. The handle can be passed to ImpersonateLoggedOnUser so that the calling thread runs with that user's access rights.

Handle LogonUser (user, domain, password, logonType, logonProvider)

Arguments:

user
String that specifies the name of the user. This is the name of the user account to log on to. If you use the UPN format, user@DNS_domain_name, the domain parameter must be vbNullString.

The user account must have Log On Locally permission on the local computer. This permission is granted to all users on workstations and servers, but only to administrators on domain controllers.

domain
String that specifies the name of the domain or server whose account database contains the user account. If this parameter is vbNullString, the user name must be specified in UPN format. If this parameter is ".", the function validates the account using only the local account database.

password
String that specifies the clear-text password for the user account specified by user. For more information about protecting passwords, see Handling Passwords.

logonType
Specifies the type of logon operation to perform. This parameter can be one of the following values.

Value Meaning
LOGON32_LOGON_BATCH This logon type is intended for batch servers, where processes may be executing on behalf of a user without their direct intervention; or for higher performance servers that process many clear-text authentication attempts at a time, such as mail or web servers. The LogonUser function does not cache credentials for this logon type.
LOGON32_LOGON_INTERACTIVE This logon type is intended for users who will be interactively using the computer, such as a user being logged on by a terminal server, remote shell, or similar process. This logon type has the additional expense of caching logon information for disconnected operation, and is therefore inappropriate for some client/server applications, such as a mail server.
LOGON32_LOGON_NETWORK This logon type is intended for high performance servers to authenticate clear text passwords. The LogonUser function does not cache credentials for this logon type.
LOGON32_LOGON_NETWORK_CLEARTEXT This logon type preserves the name and password in the authentication packages, allowing the server to make connections to other network servers while impersonating the client. This allows a server to accept clear text credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers.
LOGON32_LOGON_NEW_CREDENTIALS This logon type allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. This logon type is supported only by the LOGON32_PROVIDER_WINNT50 logon provider.
LOGON32_LOGON_SERVICE Indicates a service-type logon. The account provided must have the service privilege enabled.
LOGON32_LOGON_UNLOCK This logon type is intended for GINA DLLs logging on users who will be interactively using the computer. This logon type allows a unique audit record to be generated that shows when the workstation was unlocked.

logonProvider
Specifies the logon provider. This parameter can be one of the following values.

Value Meaning
LOGON32_PROVIDER_DEFAULT Use the standard logon provider for the system. The default provider is negotiate, unless you pass NULL (vbNullString) for the domain name and the user name is not in UPN format; in that case the default provider is NTLM.
LOGON32_PROVIDER_WINNT50 Windows XP/2000: Use the negotiate logon provider.
LOGON32_PROVIDER_WINNT40 Use the NTLM logon provider.
LOGON32_PROVIDER_WINNT35 Use the Windows NT 3.5 logon provider.

Returns:

If the function succeeds, the return value is a handle that represents the specified user.
If the function fails, the return value is zero. Always test for zero before passing the handle to ImpersonateLoggedOnUser or FreeHandle.

You can use the returned handle in calls to the ImpersonateLoggedOnUser function.

When you no longer need this handle, close it by calling the FreeHandle function (see Remarks).
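The following added example (not from the TaskGhost documentation or from Impersonate.vbs) shows how the choice of logon type and provider, and the zero-on-failure return value, work together. CredentialsAreValid checks a single set of credentials with LOGON32_LOGON_NETWORK, which the page notes does not cache credentials, and releases the token without ever impersonating; RunWithOutboundCredentials uses LOGON32_LOGON_NEW_CREDENTIALS, which the page says requires LOGON32_PROVIDER_WINNT50, and reverts impersonation on every path before freeing the token. The function names CredentialsAreValid and RunWithOutboundCredentials are the example's own; it assumes, as the page's sample script does, that the host supplies the TGCtrl object, the LOGON32_* constants and the TSE_ENV_* constants.

```vbscript
' Added example, not part of the TaskGhost docs or Impersonate.vbs.
' Assumes the host defines TGCtrl, the LOGON32_* and TSE_ENV_* constants.

' Returns True when LogonUser accepts the credentials, False otherwise.
' Uses LOGON32_LOGON_NETWORK: a plain credential check, no caching.
Function CredentialsAreValid(user, domain, password)
    Dim logonDomain
    Dim hToken

    ' A user in UPN form (user@DNS_domain_name) must be passed with a
    ' vbNullString domain; otherwise use the domain (or "." for local).
    If InStr(user, "@") > 0 Then
        logonDomain = vbNullString
    Else
        logonDomain = domain
    End If

    hToken = TGCtrl.LogonUser(user, logonDomain, password, _
                              LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT)

    ' LogonUser returns zero on failure; only a non-zero handle is freed.
    If hToken = 0 Then
        CredentialsAreValid = False
    Else
        ' The token is only evidence of a successful logon here, so
        ' release it immediately rather than leaving a live handle around.
        TGCtrl.FreeHandle hToken
        CredentialsAreValid = True
    End If
End Function

' Runs the work in the marked block with alternate credentials for
' outbound network connections while keeping the same local identity.
' LOGON32_LOGON_NEW_CREDENTIALS is only supported by LOGON32_PROVIDER_WINNT50.
Function RunWithOutboundCredentials(user, domain, password)
    Dim hToken
    RunWithOutboundCredentials = False

    hToken = TGCtrl.LogonUser(user, domain, password, _
                              LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50)
    If hToken = 0 Then
        TGCtrl.Print "LogonUser failed for " & user
        Exit Function
    End If

    If TGCtrl.ImpersonateLoggedOnUser(hToken) = True Then
        ' ... work that reaches other servers as "user" goes here ...
        TGCtrl.Print "Outbound connections now use the credentials of " & user
        RunWithOutboundCredentials = True
    Else
        TGCtrl.Print "ImpersonateLoggedOnUser failed for " & user
    End If

    ' Undo impersonation on every path, then release the token.
    TGCtrl.RevertToSelf
    TGCtrl.FreeHandle hToken
End Function

Sub main(args)
    Dim user, domain, password
    ' Credentials come from the persistent environment, as in Impersonate.vbs;
    ' the password is stored with TSE_ENV_CRYPTO rather than in the script.
    user = TGCtrl.GetEnvironmentVariable(TSE_ENV_PERSISTENT, "USER")
    domain = TGCtrl.GetEnvironmentVariable(TSE_ENV_PERSISTENT, "DOMAIN")
    password = TGCtrl.GetEnvironmentVariable(TSE_ENV_PERSISTENT Or TSE_ENV_CRYPTO, "PASSWORD")

    If CredentialsAreValid(user, domain, password) Then
        TGCtrl.Print "Credentials for " & user & " are valid"
    Else
        TGCtrl.Print "Credentials for " & user & " were rejected"
    End If
End Sub
```

The two functions differ in what happens after LogonUser succeeds: the validation check frees the token straight away and never changes the thread's identity, whereas the outbound-credentials helper must call RevertToSelf before FreeHandle so that the thread is never left impersonating after the token is gone.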

Remarks:

You can use LogonUser with ImpersonateLoggedOnUser to gain access to system resources using the access rights and security settings of a domain user. This access is not limited to simply launching a process, but resources such as disk files, registry keys, etc., may also be accessed.

Use FreeHandle to close this handle and free any associated resources.

The following sample script, Impersonate.vbs, uses LogonUser and ImpersonateLoggedOnUser to gain access to system resources that might otherwise be unavailable.

Sub main(args)
    Dim user
    Dim domain
    Dim password
    '' set these in your environment, or here in the script
    '' If you're running as a service, you will need to set these
    '' as SYSTEM variables
    user = TGCtrl.GetEnvironmentVariable(TSE_ENV_PERSISTENT, "USER")
    domain = TGCtrl.GetEnvironmentVariable(TSE_ENV_PERSISTENT, "DOMAIN")
    password = TGCtrl.GetEnvironmentVariable(TSE_ENV_PERSISTENT Or TSE_ENV_CRYPTO, "PASSWORD")
    '' logon as user X; LogonUser returns 0 on failure
    Dim hToken
    hToken = TGCtrl.LogonUser(user, domain, password, LOGON32_LOGON_BATCH, LOGON32_PROVIDER_DEFAULT)
    If hToken = 0 Then
        TGCtrl.Print ("LogonUser failed for " & user)
        Exit Sub
    End If
    '' Impersonate user X
    Dim ilu
    ilu = TGCtrl.ImpersonateLoggedOnUser(hToken)
    '' do whatever you want to do as user X
    If ilu = True Then
        TGCtrl.Print ("This thread is now running as " & user)
    Else
        TGCtrl.Print ("Unable to become " & user)
    End If
    '' all done with this user; release the token
    TGCtrl.FreeHandle(hToken)
    '' terminate impersonation for this thread
    TGCtrl.RevertToSelf
End Sub

Requirements:

Version 1.0

See Also:

RevertToSelf, ImpersonateLoggedOnUser
Impersonate.vbs in the TaskGhost\Scripts directory.