我有以下工作:使用 GPMC,我可以在以下情况下在域控制器上创建 GPO:
- 我的应用程序作为控制台应用程序运行,以域用户身份登录。
- 我将我的应用程序安装为域用户帐户 Windows 服务。
但是,当我将服务作为“本地服务”运行时,在尝试创建 GPO 时出现访问被拒绝异常:
System.UnauthorizedAccessException:访问被拒绝。(来自 HRESULT 的异常:0x80070005 (E_ACCESSDENIED))在 Microsoft.GroupPolicy.IGPMDomain.CreateGPO()
我正在使用 LogonUser API 代码来委托创建:
public Impersonate(ILogManager logManager, IWindowsCredentials windowsCredentials)
{
logManager.WriteDebug("Current User: {0}", WindowsIdentity.GetCurrent().Name);
const int impersonationLevel = LOGON32_LOGON_INTERACTIVE;
if (!RevertToSelf())
throw new ImpersonateException("Impersonation failed to RevertToSelf.");
if (LogonUser(windowsCredentials.Username, windowsCredentials.Domain,
windowsCredentials.Password.ConvertToReadableString(), impersonationLevel,
LOGON32_PROVIDER_DEFAULT, ref _token) != 0)
{
if (DuplicateToken(_token, impersonationLevel, ref _tokenDuplicate) != 0)
{
var tempWindowsIdentity = new WindowsIdentity(_tokenDuplicate);
_impersonationContext = tempWindowsIdentity.Impersonate();
logManager.WriteDebug("Impersonation User: {0}", WindowsIdentity.GetCurrent().Name);
logManager.WriteDebug("Impersonation Level: {0}", tempWindowsIdentity.ImpersonationLevel);
}
else
{
if (_token != IntPtr.Zero)
CloseHandle(_token);
if (_tokenDuplicate != IntPtr.Zero)
CloseHandle(_tokenDuplicate);
throw new ImpersonateException(string.Format("Impersonation failed due to duplicateToken '{0}'.",
windowsCredentials.Username));
}
logManager.WriteDebug("Successfully impersonated: {0}", windowsCredentials.Username);
}
else
{
if (_token != IntPtr.Zero)
CloseHandle(_token);
throw new ImpersonateException(string.Format("Impersonation failed due to LogonUser '{0}'.",
windowsCredentials.Username));
}
}
事实上我打印输出:
2012-02-01 09:58:55 [9] 调试 - 使用 DisplayName 'Test222' 创建新 GPO。
2012-02-01 09:58:55 [9] 调试 - 当前用户:NT AUTHORITY\SYSTEM
2012-02-01 09:58:55 [9] 调试 - 模拟用户:ABC\joebob
2012-02-01 09:58:55 [9] 调试 - 模拟级别:模拟
我觉得我这样做是对的,但也许你不能通过授权创建 GPO,但我找不到支持这一点的证据。有任何想法吗?