LogonUser Doesn't work for a user in the Protected Users group

Time:04-01

Trying to use the LogonUser() function under a service running as Local System. It has been successful in authenticating users. However, when a user is in the Protected Users group, the function fails.

HANDLE hToken = NULL;
BOOL bSuccess = LogonUser(username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hToken);
if (hToken != NULL) CloseHandle(hToken);

Calling GetLastError() results in an error code of 1327. If the user is removed from the Protected Users group, then the API call succeeds.

Reading up on some of the documentation for the Protected Users group, it looks like I need to use a different method than LogonUser(). The Protected Users group is a built-in Windows security group that is more restrictive than regular domain users for security reasons. Does anybody know a Windows API that would work for authentication of a user in the Protected Users group?

CodePudding user response:

Actually this API does work for Protected Users. The issue I had was that I was calling the API with the domain being an empty string, e.g. "". It was being called from C#...

For regular domain users, calling LogonUser with the domain being "" authenticated them just fine. However, for users in the Protected Users group, it would fail with Last Error being 1327. However, if I put the domain name in the domain parameter, it works. No need for Kerberos Authentication or anything like that.
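
The fix described in this answer, written as a C# P/Invoke wrapper that refuses to call LogonUser with an empty domain and reports error 1327 separately from other failures. This is an added example, not code from the original post; the `Validate` helper, its `defaultDomain` parameter and the `CONTOSO` name in the usage comment are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class DomainLogon
{
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_ACCOUNT_RESTRICTION = 1327; // the error seen in the question

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Hypothetical helper: accepts "DOMAIN\user", or a bare user name plus a
    // configured default domain. An empty domain is never passed to LogonUser.
    public static bool Validate(string account, string password, string defaultDomain)
    {
        string domain = defaultDomain, user = account;
        int slash = account.IndexOf('\\');
        if (slash > 0) { domain = account.Substring(0, slash); user = account.Substring(slash + 1); }
        if (string.IsNullOrWhiteSpace(domain))
            throw new ArgumentException("No domain given; refusing to call LogonUser with \"\".");

        if (LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                      LOGON32_PROVIDER_DEFAULT, out IntPtr token))
        {
            CloseHandle(token); // only the yes/no result is needed here
            return true;
        }
        int err = Marshal.GetLastWin32Error(); // read before any other native call
        Console.Error.WriteLine(err == ERROR_ACCOUNT_RESTRICTION
            ? $"LogonUser failed with 1327 (account restriction) for {domain}\\{user}"
            : $"LogonUser failed with {err}: {new Win32Exception(err).Message}");
        return false;
    }

    static void Main(string[] args)
    {
        // Usage: DomainLogon.exe CONTOSO\alice    (constructed sample account)
        Console.Write("Password: ");
        bool ok = Validate(args[0], Console.ReadLine(), args.Length > 1 ? args[1] : "");
        Console.WriteLine(ok ? "credentials accepted" : "credentials rejected");
    }
}
```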
