Ejemplo n.º 1
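    def LsaEnumerateAccountRights(self, handle, sid):
        """Return the account rights held by *sid*, memoised per (handle, sid).

        The cache key is the string form of *handle* and *sid* joined by a
        literal ``%``. The first call for a key queries
        ``win32security.LsaEnumerateAccountRights``; later calls return the
        stored value without touching LSA again.

        If the lookup raises, an empty string is cached and returned, so the
        caller cannot tell "this account has no rights" from "the query
        failed" (for example because the policy handle lacks access).
        """
        keystring = "%s%%%s" % (handle, sid)
        if keystring not in self.rightsfromhandlesid:
            try:
                self.rightsfromhandlesid[keystring] = (
                    win32security.LsaEnumerateAccountRights(handle, sid))
            except Exception:
                # Catch Exception rather than everything: KeyboardInterrupt
                # and SystemExit must not be swallowed and recorded as
                # "no rights".
                # NOTE(review): a failed query is cached as "" for the life of
                # this object. In an audit this reads as a clean result, so
                # treat "" as "unknown" unless the failure is logged elsewhere.
                self.rightsfromhandlesid[keystring] = ""

        return self.rightsfromhandlesid[keystring]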
Ejemplo n.º 2
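def ConfigureLogOnAsAServicePolicy(accountName):
    r"""Grant the "Log on as a service" right to *accountName*.

    Modifies the Local Security Policy so that buildbot can run as the given
    user. The manual equivalent is "secpol.msc" > Local Policies >
    User Rights Assignment > Log on as a service > Add User or Group...

    Args:
        accountName (str): fully qualified name in the domain_name\user_name
            format. Use the ".\user_name" format (or a bare user name) for a
            local account; it is expanded to computer_name\user_name.

    Returns:
        None. Name-resolution failures and the outcome of the verification
        step are only printed, so a caller cannot detect failure from the
        return value. An error raised by LsaAddAccountRights itself is not
        caught here and propagates.
    """
    SE_SERVICE_LOGON_RIGHT = "SeServiceLogonRight"
    LOCAL_PREFIX = ".\\"
    try:
        if "\\" not in accountName or accountName.startswith(LOCAL_PREFIX):
            # .get() so an unset COMPUTERNAME reaches the API fallback instead
            # of raising KeyError.
            computerName = os.environ.get('COMPUTERNAME')
            if not computerName:
                computerName = win32api.GetComputerName()
                if not computerName:
                    print("error: Cannot determine computer name")
                    return
            # Drop only the literal ".\" prefix. str.lstrip(".\\") strips a
            # character set, so a user name that itself starts with "." would
            # be shortened and the right could be granted to another account.
            if accountName.startswith(LOCAL_PREFIX):
                localName = accountName[len(LOCAL_PREFIX):]
            else:
                localName = accountName
            accountName = "{}\\{}".format(computerName, localName)

        account = win32security.LookupAccountName(None, accountName)
        accountSid = account[0]
        sid = win32security.ConvertSidToStringSid(accountSid)
    except win32api.error as err:
        print("error {} ({}): {}".format(err.winerror, err.funcname,
                                         err.strerror))
        return

    # NOTE(review): POLICY_ALL_ACCESS is broader than this needs. Per the LSA
    # documentation, adding a right requires POLICY_LOOKUP_NAMES (plus
    # POLICY_CREATE_ACCOUNT when the LSA account object does not exist yet)
    # and enumerating rights requires POLICY_LOOKUP_NAMES; consider narrowing.
    with GetLocalSecurityPolicyHandle(
            '', win32security.POLICY_ALL_ACCESS) as policy:
        win32security.LsaAddAccountRights(policy, accountSid,
                                          [SE_SERVICE_LOGON_RIGHT])

    # Verify that the policy was really modified by reading the rights back
    # through a fresh handle.
    with GetLocalSecurityPolicyHandle(
            '', win32security.POLICY_ALL_ACCESS) as policy:
        try:
            privileges = win32security.LsaEnumerateAccountRights(
                policy, accountSid)
        except win32api.error as err:
            # If the account has no rights, or the call fails for any other
            # reason, the function raises (winerror.ERROR_FILE_NOT_FOUND or
            # another error code) instead of returning an empty list.
            print("error {} ({}): {}".format(err.winerror, err.funcname,
                                             err.strerror))
            privileges = []

        if SE_SERVICE_LOGON_RIGHT in privileges:
            print("Account {}({}) has granted {} privilege.".format(
                accountName, sid, SE_SERVICE_LOGON_RIGHT))
        else:
            print("error: Account {}({}) does not have {} privilege.".format(
                accountName, sid, SE_SERVICE_LOGON_RIGHT))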
Ejemplo n.º 3
     win32con.SE_PRIVILEGE_ENABLED)  ##doesn't seem to be in ntsecuritycon.py ?
)

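# Enable the privileges described by new_privs (built above) on this process's
# own token. Adjusting privileges needs TOKEN_ADJUST_PRIVILEGES, and
# TOKEN_QUERY lets the call report the previous state; TOKEN_ALL_ACCESS asked
# for far more than this step uses.
ph = win32api.GetCurrentProcess()
th = win32security.OpenProcessToken(
    ph, win32security.TOKEN_ADJUST_PRIVILEGES | win32security.TOKEN_QUERY)
# NOTE(review): the result is not inspected; Windows can report success here
# even when not every requested privilege was actually enabled -- confirm
# before relying on a privilege later in the script.
win32security.AdjustTokenPrivileges(th, 0, new_privs)

# NOTE(review): POLICY_ALL_ACCESS is broader than add/remove/enumerate of
# account rights requires; narrow it if this is reused outside a demo.
policy_handle = win32security.GetPolicyHandle('',
                                              win32security.POLICY_ALL_ACCESS)
try:
    tmp_sid = win32security.LookupAccountName('', 'tmp')[0]

    # Assign four rights to the 'tmp' account, then list what it holds.
    privs = [
        ntsecuritycon.SE_DEBUG_NAME, ntsecuritycon.SE_TCB_NAME,
        ntsecuritycon.SE_RESTORE_NAME, ntsecuritycon.SE_REMOTE_SHUTDOWN_NAME
    ]
    win32security.LsaAddAccountRights(policy_handle, tmp_sid, privs)

    for priv in win32security.LsaEnumerateAccountRights(policy_handle,
                                                        tmp_sid):
        print(priv)

    # Remove two of the four again and list the remainder.
    # NOTE(review): SE_RESTORE_NAME and SE_REMOTE_SHUTDOWN_NAME are never
    # removed, so the 'tmp' account keeps them in the local security policy
    # after this script exits. Run it only against a throwaway account and
    # remove those rights afterwards.
    privs = [ntsecuritycon.SE_DEBUG_NAME, ntsecuritycon.SE_TCB_NAME]
    win32security.LsaRemoveAccountRights(policy_handle, tmp_sid, 0, privs)

    for priv in win32security.LsaEnumerateAccountRights(policy_handle,
                                                        tmp_sid):
        print(priv)
finally:
    # Close the LSA policy handle even if a lookup or rights call raised.
    win32security.LsaClose(policy_handle)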