c# - 如何通过添加注册表项将用户添加到“从网络访问此计算机”本地策略？

Question

您知道如何在本地政策中添加用户吗？我需要这样的效果

gpedit.msc -> 计算机配置/Windows 设置/安全设置/本地策略/用户权限分配/“从网络访问这台计算机”

我想通过添加注册表项或从 cmd 运行命令来做到这一点。如果您有任何提示或互联网资源要分享，我会很高兴。

谢谢。

Answer 1

这是我之前准备的一个。我们使用下面的（冗长，抱歉）包装类来授予“作为服务登录的权利”。对此的呼吁如下：

var identity = new WindowsIdentity(logonName);
LsaSecurityWrapper.AddAccountRights(identity.User.AccountDomainSid,
    "SeServiceLogonRight");

您只需要用您自己的替换“SeServiceLogonRight”。一个快速的谷歌告诉我这应该是“SeNetworkLogonRight”。如果你想在控制台应用程序中使用它，那么你可以快速编译一个。像这样设置你的Main方法：

static void Main(string[] args)
{
    var identity = new WindowsIdentity(args[0]);
    LsaSecurityWrapper.AddAccountRights(identity.User.AccountDomainSid, args[1]);
}

然后调用为YourConsoleApp.exe logon right。这是包装：

[StructLayout(LayoutKind.Sequential)]
internal struct LSA_OBJECT_ATTRIBUTES
{
    internal int Length;
    internal IntPtr RootDirectory;
    internal IntPtr ObjectName;
    internal int Attributes;
    internal IntPtr SecurityDescriptor;
    internal IntPtr SecurityQualityOfService;
}

/// 
/// LSA_UNICODE_STRING structure
/// 
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
internal struct LSA_UNICODE_STRING
{
    internal ushort Length;
    internal ushort MaximumLength;
    [MarshalAs(UnmanagedType.LPWStr)] internal string Buffer;
}

/// 
/// Wraps LsaAddAccountRights call.
/// 
public sealed class LsaSecurityWrapper
{
    [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true),
     SuppressUnmanagedCodeSecurityAttribute]
    internal static extern uint LsaOpenPolicy(
        LSA_UNICODE_STRING[] SystemName,
        ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
        int AccessMask,
        out IntPtr PolicyHandle
        );

    [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true),
     SuppressUnmanagedCodeSecurityAttribute]
    internal static extern uint LsaAddAccountRights(
        LSA_HANDLE PolicyHandle,
        IntPtr pSID,
        LSA_UNICODE_STRING[] UserRights,
        int CountOfRights
        );

    [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true),
     SuppressUnmanagedCodeSecurityAttribute]
    internal static extern uint LsaRemoveAccountRights(
        LSA_HANDLE PolicyHandle,
        IntPtr AccountSid,
        bool AllRights,
        LSA_UNICODE_STRING[] UserRights,
        int CountOfRights
        );

    [DllImport("advapi32")]
    internal static extern int LsaClose(IntPtr PolicyHandle);

    private enum Access : int
    {
        POLICY_READ = 0x20006,
        POLICY_ALL_ACCESS = 0x00F0FFF,
        POLICY_EXECUTE = 0X20801,
        POLICY_WRITE = 0X207F8
    }

    // rights: (http://msdn.microsoft.com/en-us/library/bb545671(VS.85).aspx)
    public static void AddAccountRights(SecurityIdentifier sid, string rights)
    {
        IntPtr lsaHandle;

        LSA_UNICODE_STRING[] system = null;
        LSA_OBJECT_ATTRIBUTES lsaAttr;
        lsaAttr.RootDirectory = IntPtr.Zero;
        lsaAttr.ObjectName = IntPtr.Zero;
        lsaAttr.Attributes = 0;
        lsaAttr.SecurityDescriptor = IntPtr.Zero;
        lsaAttr.SecurityQualityOfService = IntPtr.Zero;
        lsaAttr.Length = Marshal.SizeOf(typeof(LSA_OBJECT_ATTRIBUTES));
        lsaHandle = IntPtr.Zero;

        uint ret = LsaOpenPolicy(system, ref lsaAttr, (int)Access.POLICY_ALL_ACCESS, out lsaHandle);
        if (ret == 0)
        {
            Byte[] buffer = new Byte[sid.BinaryLength];
            sid.GetBinaryForm(buffer, 0);

            IntPtr pSid = Marshal.AllocHGlobal(sid.BinaryLength);
            Marshal.Copy(buffer, 0, pSid, sid.BinaryLength);

            LSA_UNICODE_STRING[] privileges = new LSA_UNICODE_STRING[1];

            LSA_UNICODE_STRING lsaRights = new LSA_UNICODE_STRING();
            lsaRights.Buffer = rights;
            lsaRights.Length = (ushort)(rights.Length * sizeof(char));
            lsaRights.MaximumLength = (ushort)(lsaRights.Length + sizeof(char));

            privileges[0] = lsaRights;

            ret = LsaAddAccountRights(lsaHandle, pSid, privileges, 1);

            LsaClose(lsaHandle);

            Marshal.FreeHGlobal(pSid);

            if (ret != 0)
            {
                throw new Win32Exception("LsaAddAccountRights failed with error code: " + ret);
            }
        }
        else
        {
            throw new Win32Exception("LsaOpenPolicy failed with error code: " + ret);
        }
    }
}

Answer 2

我怀疑你需要使用 pinvoke 并环绕适当的 Lsa 函数， http: //msdn.microsoft.com/en-us/library/windows/desktop/ms721786 (v=vs.85).aspx http:// /www.pinvoke.net/default.aspx/advapi32.lsaaddaccountrights