Windows Server Forum / Exchange Server / Applications / January 2007


how to run an exe in DOMAIN ADMIN privilege from a local admin account?

shivaraj - 04 Jan 2007 04:30 GMT
Hi,
   I have a native C++ exe to fetch Exchange Server information. This
will fetch all Exchange Server mailbox info when I connect to the Windows
machine as "DOMAIN ADMIN" and run this exe.
    But my requirement is to connect as local system admin and
run this exe using domain admin privileges. (This is because there are
other components in my product which do not need domain admin
privileges, and this particular exe has to be called from these
components.)
   So, is there any way I can achieve this by using threads (or any
other way) which will take domain admin privileges and run this exe for
me from the local admin context?
Any suggestions/directions will be much appreciated.

Regards,
Shivaraj
Henning Krause [MVP - Exchange] - 04 Jan 2007 11:23 GMT
Hello,

You can use LogonUser to create a user token and impersonate that token using
ImpersonateLoggedOnUser. That way, your thread runs under the different
credentials. You'll have to store the password for the account somewhere
though. Another option is to encapsulate the Exchange logic in a COM+
component and configure it to run under the domain admin account.

By the way, how do you access the Exchange store? If you use WebDAV or ADO,
you can simply pass a username/password combination...

Best regards,
Henning Krause

> Hi,
>    I have a native C++ exe to fetch exchange server information. This
[quoted text clipped - 14 lines]
> Regards,
> Shivaraj
shivaraj - 11 Jan 2007 15:23 GMT
Hi Henning Krause,

Thanks for your inputs. I am using MAPI to collect Exchange
information. So is there any easy way with MAPI to achieve the same?

Regards,
Shivaraj
> Hello,
>
[quoted text clipped - 28 lines]
> > Regards,
> > Shivaraj
Henning Krause [MVP - Exchange] - 11 Jan 2007 16:03 GMT
Hello,

I'm no MAPI expert... but I suppose you can specify a username/password
during MAPI logon, can't you?

Best regards,
Henning Krause

> Hi  Henning Krause,
>
[quoted text clipped - 37 lines]
>> > Regards,
>> > Shivaraj
Dan Mitchell - 11 Jan 2007 17:16 GMT
> I'm no MAPI expert... but I suppose you can specify  a
> username/password during MAPI logon, can't you?

No, you can't -- you were right with LogonUser/ImpersonateLoggedOnUser,
that's how you change the identity of your process, and then you go on and do
things from there.

See http://blogs.msdn.com/stephen_griffin/archive/2005/04/13/407925.aspx for
more on MAPI and impersonation.

-- dan
shivaraj - 16 Jan 2007 09:56 GMT
Hi Henning Krause/Dan,
   Thanks for your guidance on this. But even after impersonating,
I am unable to open the Exchange private/public stores. Could anyone
please help me find the root cause?
---------------------------------------------
THIS IS HOW THE MAIN METHOD LOOKS:

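#include <windows.h>
#include <stdio.h>

int main() {

HANDLE retval = NULL;
BOOL lngError = FALSE;   // result of ImpersonateLoggedOnUser
// log on as the domain account and get its token
if (LogonUser( "shivaraj@exchdomain.com", "", "password",
LOGON32_LOGON_INTERACTIVE,
           LOGON32_PROVIDER_DEFAULT, &retval)) {

   printf("User logged on sucessfull.\n");
   // switch this thread to the logged-on user's identity
   lngError = ImpersonateLoggedOnUser(retval);
   if(lngError){
       printf("\nimpersonate succeded");
   }
}

/*  here I have put my Exchange-specific code to retrieve Exchange
server mailbox information*/

//after this I am closing the handle
if (lngError) RevertToSelf();   // stop impersonating before cleanup
if (retval != NULL) CloseHandle(retval);
return 0;
} //end of main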
--------------------------------------------------
I am getting
"User logged on sucessfull" and
"impersonate succeded" as the result.
So it seems there are no issues with impersonation, but I am still unable
to open the private store (i.e. the HrOpenExchangePrivateStore function call).
Any idea why this is so?

Regards,
Shivaraj

> > I'm no MAPI expert... but I suppose you can specify  a
> > username/password during MAPI logon, can't you?
[quoted text clipped - 7 lines]
>
>  -- dan
Dan Mitchell - 18 Jan 2007 17:56 GMT
>     Thanks for your guidance on this. But even after Impersonating
> also, I am unable to open exchange private/public stores. Could anyone
[quoted text clipped - 3 lines]
> LOGON32_LOGON_INTERACTIVE,
>             LOGON32_PROVIDER_DEFAULT, &retval)) {

Are you sure you want the "@" in the username there? I've only ever
used LogonUser with just the username; the second argument is the domain
you should log in to.

>     printf("User logged on sucessfull.\n");

And just because you're getting non-zero back from this, I wouldn't
assume everything is working properly. What happens if (for example) you
try to read a file that only the impersonated user can read and the
original user can't? That's a good way to check that the impersonation
is really working as you think.

Did you read the post on Stephen's blog? There's a lot more info there,
and also in the comments.

-- dan
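
The two checks raised in the last post, as an added example that is not code from the thread: it splits an account string into the username/domain pair LogonUser takes (per the LogonUser documentation, a UPN-format name goes with a NULL domain) and, on Windows, confirms the thread's identity with GetUserName, used here in place of the file-read test. `split_account`, `run_as`, the `acct_kind` values and the `EXCHDOMAIN` sample name are assumptions made for this example.

```c
/* Added example, not from the thread; helper names and sample accounts are constructed. */
#include <stdio.h>
#include <string.h>
enum acct_kind { ACCT_INVALID, ACCT_BARE, ACCT_UPN, ACCT_DOWNLEVEL };
/* Split "DOMAIN\user", "user@dns.domain" (UPN) or "user"; buffers hold cap (> 0) bytes. */
enum acct_kind split_account(const char *acct, char *user, char *domain, size_t cap)
{
    const char *bs = strchr(acct, '\\');
    const char *name = bs ? bs + 1 : acct;
    const char *at = strchr(name, '@');
    size_t dlen = bs ? (size_t)(bs - acct) : 0;
    user[0] = domain[0] = '\0';
    if (!name[0] || strlen(name) >= cap || strchr(name, '\\')) return ACCT_INVALID;
    if (at && (at == name || !at[1])) return ACCT_INVALID;   /* "@x" or "x@" */
    if (bs && (at || dlen == 0 || dlen >= cap)) return ACCT_INVALID;
    memcpy(domain, acct, dlen);
    domain[dlen] = '\0';
    strcpy(user, name);
    return bs ? ACCT_DOWNLEVEL : at ? ACCT_UPN : ACCT_BARE;
}
#ifdef _WIN32
#include <windows.h>   /* link with advapi32 */
/* Log on, impersonate, confirm the thread's effective user, then revert. */
int run_as(const char *acct, const char *password)
{
    char user[256], dom[256], who[256];
    DWORD n = sizeof who;
    HANDLE tok = NULL;
    int ok = 0, k = split_account(acct, user, dom, sizeof user);
    if (k != ACCT_UPN && k != ACCT_DOWNLEVEL) return 0;   /* bare name: no domain */
    if (!LogonUserA(user, k == ACCT_UPN ? NULL : dom, password,
                    LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &tok))
        return 0;                                         /* see GetLastError() */
    if (ImpersonateLoggedOnUser(tok)) {
        ok = GetUserNameA(who, &n) != 0;                  /* name of impersonated user */
        if (ok) printf("thread now runs as %s\n", who);
        /* work that needs the other identity goes here */
        if (!RevertToSelf()) ok = 0;
    }
    CloseHandle(tok);
    return ok;
}
#endif

int main(void)
{
    char u[64], d[64];
    printf("kind=%d\n", split_account("shivaraj@exchdomain.com", u, d, sizeof u));
    return 0;
}
```

The Win32 part compiles only on Windows; elsewhere the program exercises the account-string parsing alone.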
 