I am using the LsaAddAccountRights function to assign SE_SERVICE_LOGIN_RIGHT to specified local machine/domain accounts during installation of my service.
During the call to LsaOpenPolicy I pass both flags POLICY_CREATE_ACCOUNT and POLICY_LOOKUP_NAMES as parts of the access mask - and all things are working great.
I am just worried about having POLICY_CREATE_ACCOUNT as one of the flags, as the function documentation for LsaAddAccountRights reads:
"The LsaAddAccountRights function assigns one or more privileges to an account. If the account does not exist, LsaAddAccountRights creates it."
I am unclear in which context this account gets created.
When I do not add POLICY_CREATE_ACCOUNT access as part of the access flags to LsaOpenPolicy, I cannot add SE_SERVICE_LOGIN_RIGHT to an existing account - hence I need to add this flag.
I don't want to be somehow adding accounts when the user misspells the account name.