Parameters
hToken
A handle to the primary token that represents a user. The handle must have the TOKEN_QUERY, TOKEN_DUPLICATE, and TOKEN_ASSIGN_PRIMARY access rights. For more information, see Access Rights for Access-Token Objects. The user represented by the token must have read and execute access to the application specified by the lpApplicationName or the lpCommandLine parameter.
To get a primary token that represents the specified user, call the LogonUser function. Alternatively, you can call the DuplicateTokenEx function to convert an impersonation token into a primary token. This allows a server application that is impersonating a client to create a process that has the security context of the client.
Terminal Services: The process is run in the session specified in the token. By default, this is the same session that called LogonUser. To change the session, use the SetTokenInformation function.
Access Rights for Access-Token Objects
An application cannot change the access control list of an object unless the application has the rights to do so. These rights are controlled by a security descriptor in the access token for the object. For more information about security, see Access Control Model.
To get or set the security descriptor for an access token, call the GetKernelObjectSecurity and SetKernelObjectSecurity functions.
When you call the OpenProcessToken or OpenThreadToken function to get a handle to an access token, the system checks the requested access rights against the DACL in the token's security descriptor.
The following are valid access rights for access-token objects:
The DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER standard access rights. Access tokens do not support the SYNCHRONIZE standard access right.
The ACCESS_SYSTEM_SECURITY right to get or set the SACL in the object's security descriptor.
The specific access rights for access tokens, which are listed in the following table.Value Meaning
TOKEN_ADJUST_DEFAULT Required to change the default owner, primary group, or DACL of an access token.
TOKEN_ADJUST_GROUPS Required to adjust the attributes of the groups in an access token.
TOKEN_ADJUST_PRIVILEGES Required to enable or disable the privileges in an access token.
TOKEN_ADJUST_SESSIONID Required to adjust the session ID of an access token. The SE_TCB_NAME privilege is required.
TOKEN_ASSIGN_PRIMARY Required to attach a primary token to a process. The SE_ASSIGNPRIMARYTOKEN_NAME privilege is also required to accomplish this task.
TOKEN_DUPLICATE Required to duplicate an access token.
TOKEN_EXECUTE Combines STANDARD_RIGHTS_EXECUTE and TOKEN_IMPERSONATE.
TOKEN_IMPERSONATE Required to attach an impersonation access token to a process.
TOKEN_QUERY Required to query an access token.
TOKEN_QUERY_SOURCE Required to query the source of an access token.
TOKEN_READ Combines STANDARD_RIGHTS_READ and TOKEN_QUERY.
TOKEN_WRITE Combines STANDARD_RIGHTS_WRITE, TOKEN_ADJUST_PRIVILEGES, TOKEN_ADJUST_GROUPS, and TOKEN_ADJUST_DEFAULT.
TOKEN_ALL_ACCESS Combines all possible access rights for a token.
Send comments about this topic to Microsoft
Build date: 8/15/2007
LogonUser Function
The LogonUser function attempts to log a user on to the local computer. The local computer is the computer from which LogonUser was called. You cannot use LogonUser to log on to a remote computer. You specify the user with a user name and domain and authenticate the user with a plaintext password. If the function succeeds, you receive a handle to a token that represents the logged-on user. You can then use this token handle to impersonate the specified user or, in most cases, to create a process that runs in the context of the specified user.
The DuplicateTokenEx function creates a new access token that duplicates an existing token. This function can create either a primary token or an impersonation token.
The SetTokenInformation function sets various types of information for a specified access token. The information that this function sets replaces existing information. The calling process must have appropriate access rights to set the information.
虽然管理员在不知道另一个用户的登录密码的情况下,无法通过LogonUser receive a handle to a token that represents the logged-on user;
但管理员可以
临时创建一个和该用户一样权限的新用户,设置对应新密码,再通过LogonUser receive a handle to a token that represents the logged-on user
或者
修改该用户的登录密码,再通过LogonUser receive a handle to a token that represents the logged-on user
Parameters
hToken
A handle to the primary token that represents a user. The handle must have the TOKEN_QUERY, TOKEN_DUPLICATE, and TOKEN_ASSIGN_PRIMARY access rights. For more information, see Access Rights for Access-Token Objects. The user represented by the token must have read and execute access to the application specified by the lpApplicationName or the lpCommandLine parameter.
To get a primary token that represents the specified user, call the LogonUser function. Alternatively, you can call the DuplicateTokenEx function to convert an impersonation token into a primary token. This allows a server application that is impersonating a client to create a process that has the security context of the client.
Terminal Services: The process is run in the session specified in the token. By default, this is the same session that called LogonUser. To change the session, use the SetTokenInformation function.
Access Rights for Access-Token Objects
An application cannot change the access control list of an object unless the application has the rights to do so. These rights are controlled by a security descriptor in the access token for the object. For more information about security, see Access Control Model.
To get or set the security descriptor for an access token, call the GetKernelObjectSecurity and SetKernelObjectSecurity functions.
When you call the OpenProcessToken or OpenThreadToken function to get a handle to an access token, the system checks the requested access rights against the DACL in the token's security descriptor.
The following are valid access rights for access-token objects:
The DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER standard access rights. Access tokens do not support the SYNCHRONIZE standard access right.
The ACCESS_SYSTEM_SECURITY right to get or set the SACL in the object's security descriptor.
The specific access rights for access tokens, which are listed in the following table.Value Meaning
TOKEN_ADJUST_DEFAULT Required to change the default owner, primary group, or DACL of an access token.
TOKEN_ADJUST_GROUPS Required to adjust the attributes of the groups in an access token.
TOKEN_ADJUST_PRIVILEGES Required to enable or disable the privileges in an access token.
TOKEN_ADJUST_SESSIONID Required to adjust the session ID of an access token. The SE_TCB_NAME privilege is required.
TOKEN_ASSIGN_PRIMARY Required to attach a primary token to a process. The SE_ASSIGNPRIMARYTOKEN_NAME privilege is also required to accomplish this task.
TOKEN_DUPLICATE Required to duplicate an access token.
TOKEN_EXECUTE Combines STANDARD_RIGHTS_EXECUTE and TOKEN_IMPERSONATE.
TOKEN_IMPERSONATE Required to attach an impersonation access token to a process.
TOKEN_QUERY Required to query an access token.
TOKEN_QUERY_SOURCE Required to query the source of an access token.
TOKEN_READ Combines STANDARD_RIGHTS_READ and TOKEN_QUERY.
TOKEN_WRITE Combines STANDARD_RIGHTS_WRITE, TOKEN_ADJUST_PRIVILEGES, TOKEN_ADJUST_GROUPS, and TOKEN_ADJUST_DEFAULT.
TOKEN_ALL_ACCESS Combines all possible access rights for a token.
Send comments about this topic to Microsoft
Build date: 8/15/2007
LogonUser Function
The LogonUser function attempts to log a user on to the local computer. The local computer is the computer from which LogonUser was called. You cannot use LogonUser to log on to a remote computer. You specify the user with a user name and domain and authenticate the user with a plaintext password. If the function succeeds, you receive a handle to a token that represents the logged-on user. You can then use this token handle to impersonate the specified user or, in most cases, to create a process that runs in the context of the specified user.
The DuplicateTokenEx function creates a new access token that duplicates an existing token. This function can create either a primary token or an impersonation token.
The SetTokenInformation function sets various types of information for a specified access token. The information that this function sets replaces existing information. The calling process must have appropriate access rights to set the information.
虽然管理员在不知道另一个用户的登录密码的情况下,无法通过LogonUser receive a handle to a token that represents the logged-on user;
但管理员可以
临时创建一个和该用户一样权限的新用户,设置对应新密码,再通过LogonUser receive a handle to a token that represents the logged-on user
或者
修改该用户的登录密码,再通过LogonUser receive a handle to a token that represents the logged-on user