Logon user from service

I have been looking for a way to log in a user from a service running on the local machine. The service logs on as Local System Account and is allowed to interact with the desktop. What I want to do, assuming no one is logged on, is to have the service log a specific user onto the system. This is for a high school computer lab. We want to be able to log the user on from the instructor console. We already have a console application that we use for various purposes like muting volume, shutdown, etc. Right now the client service is notified via a file posted to a network drive; in the future I want to convert it to messaging. I have read about LogonUser and impersonating users, but I'm not getting the feeling that that would result in a typical Windows logon. Can I do what I want? All PCs are Windows XP Pro. Any ideas? Thanks.

I think you've provided the answer to your own question. :) Take a look at the information posted on this page on the MS site:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemsecurityprincipalwindowsidentityclassimpersonatetopic.asp

The only way you can do what you want to do is with impersonation, and the WindowsIdentity.Impersonate method provides this functionality.

Swat,

So I understand that between these lines the executing code has the permissions of the impersonated user:

    ' Check the identity.
    Console.WriteLine(("After impersonation: " + WindowsIdentity.GetCurrent().Name))
    ' Stop impersonating the user.
    impersonatedUser.Undo()

Maybe what I'm asking is how do I launch the Windows desktop on that computer, as that user? I want to physically let that user use that machine, not just in some program. I want to programmatically do the equivalent of Ctrl-Alt-Delete and type in the password, so that that user is really, visually, logged on.

"swat" wrote:
> I think you've provided the answer to your own question. :) Take a
> look at the information posted on this page on the MS site:
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemsecurityprincipalwindowsidentityclassimpersonatetopic.asp
>
> The only way you can do what you want to do is with impersonation, and
> the WindowsIdentity.Impersonate method provides this functionality.

The bulk of the logging on is done by the LogonUser method which is not contained in .NET, but in one of the Win32 API DLLs.

    bool returnValue = LogonUser(userName, domainName, Console.ReadLine(),
        LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
        ref tokenHandle);

To allow the user to interact with the desktop, you would have to set the Local Security Policy (Local Security Policy > Security Settings > Local Policies > User Rights Assignment) for that user to the same rights as the Local System Account has on that machine.

HTH,
SWAT

Swat,

I made a successful call to LogonUser. I added a Beep() before and after the call and I hear two beeps. The Event log also says the logon was successful but the PC still stays at the XP logon screen. The user I am using is an administrator. I don't know how to confirm if the Local Security Policy is the same as for Local System. I'm debugging on a Windows XP Home and so I don't have the policy editor. Any suggestions? Thanks

"swat" wrote:
> The bulk of the logging on is done by the LogonUser method which is not
> contained in .NET, but in one of the Win32 API DLLs.
>
> bool returnValue = LogonUser(userName, domainName, Console.ReadLine(),
> LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
> ref tokenHandle);
>
> To allow the user to interact with the desktop, you would have to set
> the Local Security Policy (Local Security Policy > Security Settings >
> Local Policies > User Rights Assignment) for that user to the same
> rights as the Local System Account has on that machine.
>
> HTH,
> SWAT

swat,

I have been reading this article: http://www.microsoft.com/msj/0200/logon/logon.aspx

That provides some code for setting the WinStation and changing the ACLs. I guess it really is that involved?

"swat" wrote:
> The bulk of the logging on is done by the LogonUser method which is not
> contained in .NET, but in one of the Win32 API DLLs.
>
> bool returnValue = LogonUser(userName, domainName, Console.ReadLine(),
> LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
> ref tokenHandle);
>
> To allow the user to interact with the desktop, you would have to set
> the Local Security Policy (Local Security Policy > Security Settings >
> Local Policies > User Rights Assignment) for that user to the same
> rights as the Local System Account has on that machine.
>
> HTH,
> SWAT

I'm not sure if I understand well what you would like to do, jquiet. The logging on succeeded with the LogonUser method, you said? And now you would like to manipulate the UI of Win XP?

I'm not familiar with Win XP Home, but am assuming that you checked in Start > Control Panel > Administrative Tools for the Local Security Policy (if present)? Administrators usually have many rights (I think as much as the Local System account), but sometimes administrators are excluded from certain user rights on machines. I'm not sure what you could do to grant the Admin the proper user rights if you cannot set user rights through the Local Security Policy.

In XP Home I don't have an icon for Local Security Policy. However, http://support.microsoft.com/default.aspx?scid=kb;en-us;165194 takes you through the steps of setting the appropriate rights, and I believe it says that if I use CreateProcessWithLogonW the rights are adjusted automatically. I don't know if I'm on the right track. Like I said before, I just want to enable some code in a service to essentially simulate Ctrl-Alt-Delete and type in the user id and password, so that I don't have to walk over and type in the password in front of the user. I'll trigger that code through some mechanism which is not important to the discussion.

"swat" wrote:
> I'm not sure if I understand well what you would like to do, jquiet.
> The logging on succeeded with the LogonUser method, you said? And now
> you would like to manipulate the UI of Win XP?
>
> I'm not familiar with Win XP Home, but am assuming that you checked in
> Start > Control Panel > Administrative Tools for the Local Security
> Policy (if present)? Administrators usually have many rights (I think
> as much as the Local System account), but sometimes administrators are
> excluded from certain user rights on machines. I'm not sure what you
> could do to grant the Admin the proper user rights if you cannot set
> user rights through the Local Security Policy.

If a user is sitting at the computer, I don't think that automatically logging on the user with LogonUser and then doing impersonation is what you want. You would typically use impersonation when you want to temporarily execute code in the context of another user and then revert back to the original context.

If I understand you well, you just want to let the logon screen appear, log on the user using your service, and then let the user continue working physically at the computer.

Have you already looked into SendKeys?

I will look at SendKeys before I do anything else. I only worry about how to make sure the screen is in the proper state. For instance, if the user has already put the cursor on the user name, I wouldn't want to send the password. Luckily the computers are within sight distance, so maybe I might be able to do an extra Ctrl-Alt-Del to get the screen to a known starting point.

"swat" wrote:
> If a user is sitting at the computer, I don't think that automatically
> logging on the user with LogonUser and then doing impersonation is what
> you want. You would typically use impersonation when you want to
> temporarily execute code in the context of another user and then revert
> back to the original context.
>
> If I understand you well, you just want to let the logon screen appear,
> log on the user using your service, and then let the user continue
> working physically at the computer.
>
> Have you already looked into SendKeys?
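
The LogonUser and impersonation pattern discussed in this thread, as an added C# example that is not code from the thread or from the linked MSDN page: it shows that a successful call yields only a token, that impersonation changes the identity of the calling thread and nothing on the desktop, and that both the impersonation context and the token handle have to be released. The class name and the command-line argument layout are assumptions made for the illustration.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added illustration; class name and argument layout are assumptions.
static class LogonTokenDemo
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: LogonTokenDemo <domain-or-machine> <user>");
            return 1;
        }
        Console.Write("Password: ");
        string password = Console.ReadLine();   // never hard-code or log the password

        IntPtr token;
        if (!LogonUser(args[1], args[0], password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        try
        {
            Console.WriteLine("Before: " + WindowsIdentity.GetCurrent().Name);
            WindowsIdentity user = new WindowsIdentity(token);
            WindowsImpersonationContext ctx = user.Impersonate();
            try
            {
                // Only this thread runs as the user; the logon screen is unaffected.
                Console.WriteLine("During: " + WindowsIdentity.GetCurrent().Name);
            }
            finally { ctx.Undo(); }              // always revert, even on exceptions
            Console.WriteLine("After:  " + WindowsIdentity.GetCurrent().Name);
        }
        finally { CloseHandle(token); }          // the token handle is ours to release
        return 0;
    }
}
```

The "During" line prints the logged-on account while the console session and the Windows logon screen stay exactly as they were, which matches what the original poster observed after a successful LogonUser call.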