From: Stefan Kuhr on
Hello everyone,

we are experiencing strange errors on Vista SP1 boxes in scenarios that
worked before on Vista RTM, XP, Server03 and W2K: Our program runs as
the interactively logged-in user (either a consent admin or
unprivileged) and does a LogonUser (for an interactive logon session) for
a privileged account, say for user "admin". It then impersonates that
user's token and tries to do a write access on resources in the registry
or the file system. Now with Vista SP1 these accesses suddenly fail
under *one* special condition that I will outline below and we get
ERROR_BAD_IMPERSONATION_LEVEL as the last error. In the case of the file
system we protect the files with a DACL where members of a local group
named "OurTrustedUsers" are granted full access and we make the user
"admin" (that we impersonate) a member of this local group. So the
administrative user "admin" should have write access even though we only
get a restricted token from the interactive logon session that LogonUser
gives us on Vista.

Now comes the strange thing: We experience these write access errors
with ERROR_BAD_IMPERSONATION_LEVEL *only* if we grant that particular
privileged user "admin" the right to logon as a *service*. If we remove
the service logon right, write accesses succeed. I simply do not
understand what the right to logon as a service has to do with the
access check that happens if my program impersonates an *interactive*
token. Can anyone explain why that is the case or suggest a workaround?
One workaround could be to introduce a second user that is a member of
the local group "OurTrustedUsers" but who doesn't have the right to
logon as a service. But if possible, we would rather stick with the one
privileged user.

Any help appreciated,

--
Stefan Kuhr
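An added diagnostic for the scenario described above (not Stefan's program or code): it performs the same interactive LogonUser and impersonation, then reports the impersonation level of the thread token the access check actually sees, whether the "OurTrustedUsers" group is in the token, and the Win32 error of the write attempt. It assumes Windows PowerShell 5.1 (.NET Framework, for WindowsIdentity.Impersonate()); the account name and protected path are placeholders.

```powershell
# Added diagnostic, not the original program: reproduce logon -> impersonate -> write
# and show why a write may fail with ERROR_BAD_IMPERSONATION_LEVEL (1346).
$sig = @'
using System;
using System.Runtime.InteropServices;
public static class NativeLogon {
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
'@
Add-Type -TypeDefinition $sig

$LOGON32_LOGON_INTERACTIVE = 2   # same logon type as in the post
$LOGON32_PROVIDER_DEFAULT  = 0

# Placeholder account; replace with the privileged local user you impersonate.
$cred = Get-Credential -UserName 'admin' -Message 'Account to impersonate'
$tok  = [IntPtr]::Zero
$ok   = [NativeLogon]::LogonUser($cred.UserName, '.', $cred.GetNetworkCredential().Password,
                                 $LOGON32_LOGON_INTERACTIVE, $LOGON32_PROVIDER_DEFAULT, [ref]$tok)
if (-not $ok) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "LogonUser failed: $err ($([ComponentModel.Win32Exception]::new($err).Message))"
}

$primary  = [Security.Principal.WindowsIdentity]::new($tok)
$groupSid = ([Security.Principal.NTAccount]'OurTrustedUsers').Translate([Security.Principal.SecurityIdentifier])
"Logged-on user:          $($primary.Name)"
"OurTrustedUsers present: $($primary.Groups.Contains($groupSid))"

$ctx = $primary.Impersonate()
try {
    # Query the *thread* token: that is the token the kernel's access check evaluates.
    $cur = [Security.Principal.WindowsIdentity]::GetCurrent()
    "Thread impersonation level: $($cur.ImpersonationLevel)"   # Identification/Anonymous cannot open objects for write
    # Placeholder path; use a file protected by the DACL granting OurTrustedUsers full access.
    [IO.File]::AppendAllText('C:\ProtectedDir\probe.txt', "probe`r`n")
    "Write succeeded"
} catch {
    $inner = $_.Exception.InnerException
    "Write failed: $($inner.GetType().Name): $($inner.Message)"
} finally {
    $ctx.Undo()
    [NativeLogon]::CloseHandle($tok) | Out-Null
}
```

If the reported level is SecurityIdentification rather than SecurityImpersonation, the 1346 error is expected regardless of the DACL, and the difference between the two account configurations can be compared by running this once with and once without the service logon right.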