Tuesday, September 13, 2016

SetTokenInformation cannot change the TokenLogonSid

The SetTokenInformation function can change many properties of a Windows token. Unfortunately, it cannot change the logon SID (TokenLogonSid). If you pass that information class to indicate that you want to change the logon SID, the function fails with error code 87 (ERROR_INVALID_PARAMETER, "The parameter is incorrect"). It doesn't seem to matter whether the calling process has SeTcbPrivilege.

It seems new tokens created with something like LogonUser always have the logon SID of their creating process. LsaLogonUser looks like a good alternative, since it lets you specify the groups the token includes (so you could add the logon SID there). The only disadvantage with that approach is that it requires a lot of special marshaling if you're calling it from managed code.
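As an added example (not code from the post), the following C# program reads the logon SID of its own process token with GetTokenInformation(TokenLogonSid) and then attempts to write that same, valid TOKEN_GROUPS buffer back with SetTokenInformation(TokenLogonSid), reporting the Win32 error so you can observe the behaviour described above. The P/Invoke declarations and the constants (TOKEN_QUERY = 0x0008, TOKEN_ADJUST_DEFAULT = 0x0080, TokenLogonSid = 28, ERROR_INSUFFICIENT_BUFFER = 122) are the documented Win32 values; the access mask requested on the token is an assumption for this demonstration.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: inspect the logon SID of the current process token and show
// what happens when SetTokenInformation is asked to change it.
class LogonSidDemo
{
    const uint TOKEN_QUERY = 0x0008;
    const uint TOKEN_ADJUST_DEFAULT = 0x0080;      // assumed sufficient for the demo
    const int TokenLogonSid = 28;                  // TOKEN_INFORMATION_CLASS::TokenLogonSid
    const int ERROR_INSUFFICIENT_BUFFER = 122;

    [StructLayout(LayoutKind.Sequential)]
    struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }

    // TOKEN_GROUPS with only the first array element declared; TokenLogonSid
    // returns exactly one group, so this is enough to read it.
    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_GROUPS { public uint GroupCount; public SID_AND_ATTRIBUTES Groups; }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
        IntPtr TokenInformation, uint TokenInformationLength, out uint ReturnLength);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool SetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
        IntPtr TokenInformation, uint TokenInformationLength);

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    static void Main()
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_DEFAULT, out token))
            throw new Win32Exception();

        IntPtr buffer = IntPtr.Zero;
        try
        {
            // First call with a zero-length buffer only reports the required size.
            uint needed;
            if (!GetTokenInformation(token, TokenLogonSid, IntPtr.Zero, 0, out needed)
                && Marshal.GetLastWin32Error() != ERROR_INSUFFICIENT_BUFFER)
                throw new Win32Exception();

            buffer = Marshal.AllocHGlobal((int)needed);
            if (!GetTokenInformation(token, TokenLogonSid, buffer, needed, out needed))
                throw new Win32Exception();

            var groups = Marshal.PtrToStructure<TOKEN_GROUPS>(buffer);
            var logonSid = new SecurityIdentifier(groups.Groups.Sid);
            Console.WriteLine("Logon SID: {0} (group count {1})", logonSid.Value, groups.GroupCount);

            // Hand the same well-formed TOKEN_GROUPS back as the new logon SID.
            if (SetTokenInformation(token, TokenLogonSid, buffer, needed))
            {
                Console.WriteLine("Unexpected: SetTokenInformation(TokenLogonSid) succeeded");
            }
            else
            {
                // The post reports this fails with ERROR_INVALID_PARAMETER (87)
                // regardless of whether the caller holds SeTcbPrivilege.
                int err = Marshal.GetLastWin32Error();
                Console.WriteLine("SetTokenInformation(TokenLogonSid) failed with {0}: {1}",
                    err, new Win32Exception(err).Message);
            }
        }
        finally
        {
            if (buffer != IntPtr.Zero) Marshal.FreeHGlobal(buffer);
            CloseHandle(token);
        }
    }
}
```

The logon SID printed has the form S-1-5-5-X-Y and identifies the logon session the token belongs to; it is what access control on window stations and desktops keys on, which is why a token's logon SID is worth checking when diagnosing interactive-session problems rather than trying to rewrite it.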
