I'm writing a Windows device driver for a custom USB device, but am having trouble opening the device from my user program (using CreateFile) when the user program is run as a domain user. If I run as a local user, or as an administrator (or 'Run As' administrator) I can open the driver fine, but as a domain user GetLastError returns 5 (access denied).
I originally had this problem with local users too, and found I had to add the following SDDL entry to the .inf file, which solved the problem for local users:
HKR,,Security,,"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;BU)
From this reference:
http://msdn.microsoft.com/en-us/library/windows/hardware/ff563667(v=vs.85).aspx
When I discovered that domain users did not have access I thought that simply adding them to this SDDL entry would give them access, but it doesn't seem to work: I still get access denied. I've even tried extreme solutions such as giving all users (everyone (WD), unauthenticated users etc.) full access, but this doesn't work either, which makes me think the problem lies elsewhere; i.e. something else is denying domain users access which takes precedent over the permit in the SDDL entry in the driver inf.
So my question is, what am I missing that is required to give domain users (or all users) access to connect to the driver? Or are there any other solutions to this problem (such as connecting to the driver as a service and then accessing this service from the user program)?
HKR,,Security,,"D:P(A;;GA;;;WD)"
set everyone can access, try it!
Related
I'm investigating a failure in my Windows 10 Credential Provider. It calls out to LookupAccountName in order to get the SID of the user that is attempting to log in. Its per-user configuration uses the account SID as the key.
The failure scenario is as follows:
There is a mixture of local and domain accounts on a domain joined computer.
The computer is in an offline or otherwise disconnected state and cannot contact the domain controller.
The domain user has logged in to this computer in the past and its credential is cached.
The call to LookupAccountName fails with ERROR_TRUSTED_RELATIONSHIP_FAILURE (0x6FD)
Here's where things are interesting:
I can log in with a local account and then "Run As" the domain user. Then subsequent calls to LookupAccountName (even when run in the context of the local user) succeeds in looking up the SID of the domain user. It will continue to work until the computer is rebooted.
I've tried calling LookupAccountName as well as LsaLookupNames2. Both exhibit the same behavior. (I assume LookupAccountName is built off of LsaLookupNames2).
It doesn't look like the NetUser* APIs will help me, as I believe they are intended for local accounts.
Is there a way to lookup the account SID for an offline domain credential? Without requiring them to log in first?
Why does using "Run As" cause these APIs to suddenly work?
I need to call WNetGetConnection to get the UNC path and it works good when application run as standard user but it returns 1201(ERROR_CONNECTION_UNAVAIL) error code when application run as admin. According to the documentation its working as expected.
If the network connection was made using the Microsoft LAN Manager
network, and the calling application is running in a different logon
session than the application that made the connection, a call to the
WNetGetConnection function for the associated local device will fail.
The function fails with ERROR_NOT_CONNECTED or
ERROR_CONNECTION_UNAVAIL. This is because a connection made using
Microsoft LAN Manager is visible only to applications running in the
same logon session as the application that made the connection. (To
prevent the call to WNetGetConnection from failing it is not
sufficient for the application to be running in the user account that
created the connection.)
that means its not possible at all to get the UNC path from the app running as admin ? Is there some other way ?
This is by design. Network shares created by a non-elevated account are not visible under elevation, and vice versa.
See this question on Super User for discussion of the issue. There is apparently a registry setting that enables mapped drives to be shared between elevated and non-elevated accounts but I've never tried it myself.
Network connections cannot normally be shared across different Windows login sessions. This is regardless of admin account / elevation level. Each Windows login or impersonation session needs to create its own network connections.
I'm opening a drive directly via CreateFile to get a handle so I can send scsi commands via IOCtl to custom hardware (which presents as a mass storage device) from a windows service.
The problem is that in order to do this my service needs to run as an administrator (or I get access denied errors). In practice this won't be problem under most circumstances (usually we run as Local System) but under some circumstances we run as a domain account so is there a permission I can give to a domain user account to allow access that is a little finer grained than local administrator to get this working?
Device Driver access permissions for domain users in Windows 7 and SPTI/SCSI operations from a Windows 7 application are variants of the same question but don't give that finer grained answer.
I have problem with creating service that has access to files on network disk.
Service must have admin rights and it will be run by users that don't have admin privileges.
I send path as UNC
and file is seen by service but it return ACCES_DENIED errors when try to open or do anything on Network drive.
When I run my service as server , everything works fine.
I try to find answer but everywhere I can found only partial answers that do not help me at all.
========
I read that standard service logged as SYSTEM can't have access to network.
So i tried to log id as
NetworkService, LocalService
It didn't work. After run it as one of those user my service can't save files on c:
Some kind of admin account.But I didn't manage to success on that.
Actually logged user.
I don't know how to get password for current user.
Still this will not work for user without admin rights.
========
Please tell me what can I do?
There are plenty of Services that use somehow network resources. How do they do that?
You need to configure your service to run as a user which has sufficient rights. In this case you are looking for rights to network shares. Typically that's going to need a domain user with appropriate rights. Normally you'd ask your network manager to create a dedicated user account for the purpose.
You appear to be labouring under some false information as to how services work. You talk about running the service under the account of the logged on user. Remember that services run when there are no users logged on. And remember that there may be multiple logged users at any point in time.
For me, the port was getting blocked through firewall, I had to add a inbound rule and specify the port which i was using in my application. This way firewall did not blocked my port for outgoing connections.
References:
https://www.firehousesoftware.com/webhelp/FH/Content/FHEnterprise/FHEnterpriseInstallationGuide/24_StaticPort.htm
What would cause an emulator unable to view the network UNC shares? When attempting to open any computer on the network via 'Open Path' or Internet Explorer, I am tossed "The network path was not found." followed by "Network resource cannot be found or you do not have permission to access the network." Things to note:
Connecting to the IP address does not work.
I am able to browse the internet via the emulator.
ActiveSync has been configured appropriately and I have installed the needed drivers for the adapter, and the emulator is cradled.
Firewall disabled/setup with correct forwardings.
Network folder permissions are setup properly.
What strikes me as odd is I have also attempted to browse UNC shares on a physical Windows Mobile 5 device, with the same issue. This leads me to believe something within our network settings is causing this but I'm not sure where to start. People have recommended checking ActiveDirectory security policies, but what policies affect UNC shares? This has turned into a rather serious issue because until I am able to resolve this, I am unable to go through with setting up merge replication. Has anyone experienced this and successfully resolved this issue?
Your network is looking for authentication.
I get that here at my work place, too.
As long as your network key is entered correctly, you should be able to try browsing to that same path 2 or 3 more times, still getting those same obnoxious ("The network path was not found." followed by "Network resource cannot be found or you do not have permission to access the network.") messages.
At one of those times, a login box should appear where you type in a Username, Password, and Domain.
You will also have the ability at this point to save your password so you are not prompted for it every time you attempt to access something across your network.
Now here's the real crapper: After you save your Username/Password combination, there does not appear to be any mechanism within the Windows Mobile device to change that password after it expires on your network. You will never be prompted again to change that password, either. You will only get one of those silly messages above because your password is incorrect.
The only solution to this seems to be to reset the device. I have had a question open with Microsoft for about 3 years now, and it has been passed from one forum to another. I've finally just decided that it must not be able to be done, but Microsoft has never written back to tell me that.