How to clear the cache which is used by AuthzGetInformationFromContext API? - windows

I have a domain and I use AuthzGetInformationFromContext API on the client machine to retrieve sid of the groups to which a user belongs.
It works fine. However, if I add the user to some group or remove him from some group on domain controller, this API will still show old list of groups. In the case, if i will wait 10 minutes or more, it will show updated list of groups.
I tried to do this on different computers and saw that the application will show updated list of groups at a different time. So, it's not a domain controller cache.
Also, my applications exits and starts again. So, it's not application level cache either.
So, I believe there is some computer level cache for group membership (retrieved through this API).
Does anybody know how to clear this cache programmatically or change some settings to decrease this 10 minutes interval to something shorter.

Accordig to this post and Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 1, You can purge the Kerberos TGT (and all your service tickets) using something like klist purge (The tool is present on Windows Seven). You have to run the tool locally on the machine the user is logged in to.
You can find the source of Klist.exe in the Windows Platform SDK (the API in us is LsaCallAuthenticationPackage)
C:\Program Files\Microsoft SDKs\Windows\v7.0\Samples\security\authorization\klist

Related

Trigger a Logon Event on specific Domain Controller

Our Problem:
We are using FortiGate in our company with ~2200 Clients. Most of them are using Notebooks. Some people can't connect to the Internet, when they come to the office after days working in home office. Our Fortigate is configured to watch the LogonEvents (EDIT:To be more specific: the attribute "lastlogon") of the Userobject on the Domaincontroller (we have 5) and authenticate the user with the IP of the device. This fails sometimes. Our network-guys are looking at this problem, but in the meantime i have to find solutions on the client-side
One workaround I found is to trigger a User LogonEvent via powershell on the client.
New-PsSession -ComputerName $Env:ComputerName -ErrorAction ignore
But most of the times it creates the User LogonEvent on one specific Domain Controller (mostly the default Logonserver), which is maybe faulty. It's the same when you lock your device and log back in.
Does somebody know another way to create a LogonEvent via Powershell or Batch, where I can select the authenticating Domain Controller? Like, iterating through all our Domain Controllers to create such event on the client.
Edit: Unfortunately, the command has to run with User Permissions.
Edit: Maybe it helps if I tell you my overall goal:
Every client gets a scheduled task via GPO which runs in User-Context
It gets triggerd by event 10000 from source Microsoft-Windows-NetworkProfile (network change)
A powershell script checks if the internet connection is working
If not, the script would try to trigger a LogonEvent on different Domain Controllers to be sure, the Fortigate Agent gets at least one of them.
Mathias has the right idea, but just creating a DirectoryEntry object (which is what [ADSI] is a type accelerator for) doesn't make a network request until you actually use it.
This will tell it to retrieve the name attribute of the root of the domain (any attribute would do - you just need it to get something):
[ADSI]::new("LDAP://domainController.fqdn", "svc_username", "p#ssW0rd").RefreshCache("name")

Force User Log In with a Windows Service

Is it possible for a Windows service to force a user to login from the windows user login screen? I've seen where LogMeIn can do it. This is assuming, of course, that I have both the username and password for the user.
Is LogMeIn using an actual method (non-automated), or are they simply quickly automating the task of logging in my selecting the username and password fields and typing it in?
You should create a WindowStation, and a Desktop inside that. Your service would create the WindowStation and connect that to the user you want to log in, then I suppose you would periodically take a screenshot of the created desktop to present somewhere else.
You may want to start reading the documentation at https://msdn.microsoft.com/en-us/library/windows/desktop/ms687105%28v=vs.85%29.aspx and linked pages, then ask a more specific question.
I don't know if this method can be used to log in at the Console (the window station attached to the physical video card/keyboard of the computer), but if this has to happen automatically I'd avoid using the Console, but a separate Window Station.
EDIT: as it happens to say on the very page I linked (my bad), if a session for the user exists and the service tries to connect to it, it is opened; if it does not exist then it is created anew, and a desktop (named "default") is attached to it. If your service only has to log the interactive user in you should use the auto-login feature of windows instead.
Yes, you can auto login using Windows.
You didn't specify OS but for Windows 7/8 read this, and for Server 2003/2008 (and possibly 2012, but I haven't checked)
check out this Microsoft article.

Is a serviced component shared between user sessions on a terminal server, or is one process started for each user session?

I have some .NET code in a COM+/Enterprise Services serviced component. I communicate with this component from a WPF application and also from a legacy VBA application.
This arrangement works well when only one user is logged on to a machine. The component starts in its own process when either the .NET or the legacy application instantiates one of its COM objects.
The system also works for the first user to try to run it on a terminal server installation. However, when another user logs on, he/she is unable to use the application. I had hoped that each session would run in isolation, and that one host process would run per session. Am I wrong in this expectation?
In Component Services on the Activation tab my application is configured to run as a "Server application". On the Identity tab, "Interactive user" is selected. On the Security tab, "Enforce access checks for this application" is unchecked.
There isn't session isolation as you describe, instead process ownership limits what you have access to.
Your conclusion seems correct & you will need to determine a suitable mechanism to exchange data with the service.
I used WCF to create a service with a net named pipe listener https://learn.microsoft.com/en-us/dotnet/framework/wcf/index
The idea of using proxies to make rpc calls is attractive, but I found the proxy definitions and stubs to link it all together quite clumsy to use.
If you have events that may be triggered at either end then keeping client/service in sync becomes problematic.
AIUI you cannot invoke a rpc method that ends up invoking an rpc back at the originating end, although that could be a named pipe limitation.
If I was doing this again I would use a socket server in the service & the websocket protocol for biderectional data transfer, even though you might need to implement some thread handling to avoid the listener thread blocking whilst servicing requests.
Hard to find anything authoritative on this. For standard COM you can set the identity to 'Launching user'. The same is not available for COM+.
According to this archived post,
A COM+ application can be configured to run under the logged in account, or
a specified account. Under the application properties, see the Identity tab.
...
Once set however, it remains under that account until the application shuts
down, so you can't have multiple users using the same COM+ application under
different IDs.
That seems to match what is said in this knowledge base article too.
My conclusion is, I should probably accept that my component must run once per machine rather than once per session. It will need to be modified to accommodate this. Since it needs to start new processes in individual sessions, it will have to run as a Windows service under the Local System account (giving due attention to the security implications).

Detect user is about to log in in Windows 7/8

I need to write a little windows service that should detect when a user is attempting to log in and deny access according to certain criteria, like the hour.
So, I researched the way the Windows Family Safety works when a child has hour restriction, and I noticed that the message received by the user(child) is similar or identical to the one received when a restriction is set using
net user User /time:etc, etc.
so I suspect that's what the Family Safety use.
However, I would like to interact with the "net" command programatically, and besides that I would like to know if there's an event to watch for when a user is attempting to login, or the user has just logged in.
Which Windows API should I look for to get this functionality?
The "net user" commands are available programmatically through the Network Management API. As an example, you can use the NetUserSetInfo function along with the USER_INFO_1020 structure to set the times during which a user can log on.

How to identify users which are connected to a windows server via remote desktop

At my workplace, we have lab machines that we use to do our testing.
The standard procedure to reserve a machine for testing was to walk around the office to make sure that no one was using the machine.
This is highly inefficient and time consuming.
At first, I set up a web page where people could reserve the lab machine but nobody was keeping the page updated so that turned up to be useless.
I finally found a solution using Microsoft log parser and wanted to share it to the stack overflow community.
It is a batch file that runs on the machine so the user can identify the last users that use the machine and easily IM them to ask if the machine is free.
Is there a better solution to do this?
Use the built-in command qwinsta (Query Win Station) to figure out what sessions (including console) are active or inactive (disconnected) and then act on the given information (creds to krusty.ar btw for linking this already).
If you feel people are abusing the machine in question, refer to rwinsta to nuke their sessions into oblivion...
You will need to install the Microsoft Log Parser
Then create the following 2 files
TSLoginsDetails.sql
SELECT
timegenerated,
EXTRACT_TOKEN(Strings,1,'|') AS Domain,
EXTRACT_TOKEN(Strings,0,'|') AS User,
EXTRACT_TOKEN(Strings,3,'|') AS SessionName,
EXTRACT_TOKEN(Strings,4,'|') AS ClientName,
EXTRACT_TOKEN(Strings,5,'|') AS ClientAddress,
EventID
FROM Security
WHERE EventID=682
ORDER BY timegenerated DESC
TSLogins.bat
echo off
cls
c:
cd "c:\Program Files\Log Parser 2.2\"
logparser.exe file:TSLoginsDetails.sql -o:DATAGRID
Now by placing this batch file on the desktop, the user can see who were the last people to login and contact them by IM to verify if they are done.
How about posting the information from the log file to the website that tells who is currently using the machine as well.
Check and notify when they log in.
Updated the "who is using the machine" page you made prior.
Run a AT job that checks every couple of hours who is on it.
Totally out of the box:
You can install the Software Testing Automation Framework (STAF) on your servers and desktops to manage your tests. It's written in Java, so you can use it on Windows and Unix/Linux desktops and servers.
Using STAF, you can create a resource pool of test servers on which you conduct tests, then write STAX jobs (STAX is a STAF execution framework) to conduct the tests. The job can grab the first available server from the resource pool, run the test, monitor the test status, log results, notify the submitter, then release the server back into the pool when done. If you have multiple people submitting jobs for tests, STAF will manage the queue of requests and satisfy them as they came in. Users can either monitor the job from their desktop, or you can set up email alerts to notify them when the test is complete.
I'm not sure if I understand you, but there are a set of command line tools to deal with terminal server sessions, and there's also a Windows API to do the same if you need to do this from a program.
Since it sounds like you're a microsoft shop, you can set up the machines as resources in outlook/exchange and reserve them that way.

Resources