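def LsaEnumerateAccountRights(self, handle, sid):
    """Return the account rights for *sid* on policy *handle*, memoized.

    Results are stored in ``self.rightsfromhandlesid`` under the key
    ``"<handle>%<sid>"`` so the LSA is queried at most once per pair.

    Args:
        handle: policy handle passed to win32security.LsaEnumerateAccountRights.
        sid: SID of the account whose rights are requested.

    Returns:
        Whatever win32security.LsaEnumerateAccountRights returned, or ""
        when that call raised.

    Note:
        A failed lookup is cached as "" and is therefore indistinguishable
        from an account with no rights; a caller that audits rights cannot
        tell "none assigned" from "could not be read" through this method.
    """
    # NOTE(review): the key is the string form of handle and sid; if a handle
    # value is reused after being closed, a stale entry could be returned --
    # confirm how callers manage handle lifetime.
    keystring = "%s%%%s" % (handle, sid)
    cache = self.rightsfromhandlesid
    if keystring not in cache:
        try:
            cache[keystring] = win32security.LsaEnumerateAccountRights(
                handle, sid)
        except Exception:
            # Narrowed from a bare "except:" so KeyboardInterrupt and
            # SystemExit are no longer swallowed and cached as "no rights".
            cache[keystring] = ""
    return cache[keystring]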
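def ConfigureLogOnAsAServicePolicy(accountName):
    r"""Grant the "Log on as a service" right to an account, then verify it.

    Modifies the Local Security Policy so that buildbot can run as the
    specified user. The manual equivalent is running "secpol.msc" and
    opening Local Policies > User Rights Assignment > Log on as a service >
    Add User or Group...

    Args:
        accountName (str): fully qualified string in the
            domain_name\user_name format; use the ".\user_name" format
            (or a bare user name) for a local account.

    Returns:
        None. Progress and errors are reported with print().

    Note:
        Only the name lookup and the verification read are wrapped in
        ``except win32api.error``; an error raised by
        win32security.LsaAddAccountRights is not caught here and propagates
        to the caller.
    """
    SE_SERVICE_LOGON_RIGHT = "SeServiceLogonRight"
    LOCAL_PREFIX = ".\\"

    try:
        if "\\" not in accountName or accountName.startswith(LOCAL_PREFIX):
            # .get(): a missing COMPUTERNAME variable must fall through to
            # the API call below instead of raising an unhandled KeyError.
            computerName = os.environ.get('COMPUTERNAME')
            if not computerName:
                computerName = win32api.GetComputerName()
            if not computerName:
                print("error: Cannot determine computer name")
                return
            # Drop only the literal ".\" prefix. str.lstrip(".\\") treats its
            # argument as a character set and would also strip leading dots
            # that belong to the user name, so a different account could be
            # resolved and granted the right.
            if accountName.startswith(LOCAL_PREFIX):
                accountName = accountName[len(LOCAL_PREFIX):]
            accountName = "{}\\{}".format(computerName, accountName)

        account = win32security.LookupAccountName(None, accountName)
        accountSid = account[0]
        sid = win32security.ConvertSidToStringSid(accountSid)
    except win32api.error as err:
        print("error {} ({}): {}".format(err.winerror, err.funcname,
                                         err.strerror))
        return

    # NOTE(review): POLICY_ALL_ACCESS is broader than adding and reading one
    # account right should need; consider requesting a narrower access mask
    # once the requirements of GetLocalSecurityPolicyHandle are confirmed.
    with GetLocalSecurityPolicyHandle(
            '', win32security.POLICY_ALL_ACCESS) as policy:
        win32security.LsaAddAccountRights(policy, accountSid,
                                          [SE_SERVICE_LOGON_RIGHT])

    # Re-open the policy and read the rights back to verify that the policy
    # was really modified.
    with GetLocalSecurityPolicyHandle(
            '', win32security.POLICY_ALL_ACCESS) as policy:
        try:
            privileges = win32security.LsaEnumerateAccountRights(
                policy, accountSid)
        except win32api.error as err:
            # If no account rights are found, or if the call fails for any
            # other reason, it raises winerror.ERROR_FILE_NOT_FOUND or
            # another error; treat that as "no rights".
            print("error {} ({}): {}".format(err.winerror, err.funcname,
                                             err.strerror))
            privileges = []

        if SE_SERVICE_LOGON_RIGHT in privileges:
            print("Account {}({}) has granted {} privilege.".format(
                accountName, sid, SE_SERVICE_LOGON_RIGHT))
        else:
            print("error: Account {}({}) does not have {} privilege.".format(
                accountName, sid, SE_SERVICE_LOGON_RIGHT))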
win32con.SE_PRIVILEGE_ENABLED) ##doesn't seem to be in ntsecuritycon.py ? ) ph = win32api.GetCurrentProcess() th = win32security.OpenProcessToken( ph, win32security.TOKEN_ALL_ACCESS) ##win32con.TOKEN_ADJUST_PRIVILEGES) win32security.AdjustTokenPrivileges(th, 0, new_privs) policy_handle = win32security.GetPolicyHandle('', win32security.POLICY_ALL_ACCESS) tmp_sid = win32security.LookupAccountName('', 'tmp')[0] privs = [ ntsecuritycon.SE_DEBUG_NAME, ntsecuritycon.SE_TCB_NAME, ntsecuritycon.SE_RESTORE_NAME, ntsecuritycon.SE_REMOTE_SHUTDOWN_NAME ] win32security.LsaAddAccountRights(policy_handle, tmp_sid, privs) privlist = win32security.LsaEnumerateAccountRights(policy_handle, tmp_sid) for priv in privlist: print(priv) privs = [ntsecuritycon.SE_DEBUG_NAME, ntsecuritycon.SE_TCB_NAME] win32security.LsaRemoveAccountRights(policy_handle, tmp_sid, 0, privs) privlist = win32security.LsaEnumerateAccountRights(policy_handle, tmp_sid) for priv in privlist: print(priv) win32security.LsaClose(policy_handle)