Archive: New plugin - Priviliges


New plugin - Priviliges
I wrote a plugin for NSIS that allows you to retrieve the current account type for the logged user.

It checks for the following rights: Administrator, Users, Guests and Power users.

I needed it for myself and think it may be usable for others as well :D

The package includes the DLL, a sample script and the Delphi source code.

The latest versions can be downloaded from the Download section on my homepage at www.petges.com

Romain


Sounds great! I'll have a look at it later this week.


Correct me if I am wrong, but if the user is in both Power Users and the Users group wouldn't your DLL decide that he is in the Users group? It breaks the loop before it makes sure... You have also freed only the last SID created.

I have created another extension DLL named UserInfo, inspired by your DLL that doesn't have those bugs. It is written in C, so it's smaller. I have also added a function to get the user name.

I have added this DLL to the latest CVS version, because people ask about it all the time.

Thank you for your idea. If you wish I can add a readme saying the original idea was yours.


Originally posted by kichik
Correct me if I am wrong, but if the user is in both Power Users and the Users group wouldn't your DLL decide that he is in the Users group? It breaks the loop before it makes sure... You have also freed only the last SID created.

Sorry for the SID resource release bug ... :(

I'm aware of the problem when a user is member of several groups and I want to change this using the following solution:

Instead of returning a string with a single group I look forward to building a string with all groups, separated by commas:

Example: User, Power.

But how can I check for a substring in NSIS ? For example, it would be great to have a call like StrCmp str1 str2 [jump_if_found] [jump_if_not_found] .... where $0 = User, Power and it jumps to [jump_if_found] if the substring str1 is found in str2.


I have created another extension DLL named UserInfo, inspired by your DLL that doesn't have those bugs. It is written in C, so it's smaller. I have also added a function to get the user name.

I have added this DLL to the latest CVS version, because people ask about it all the time.


Great ! :up:

Thank you for your idea. If you wish I can add a readme saying the original idea was yours.

Not really necessary, but why not ? :)

Well, what I did with UserInfo, is return only the highest type of the user. If the user belongs to the Users and Administrators groups it will return only Admin, same goes for Power Users. AFAIK any user that is not guest belongs to Users anyway so it will be useless to return them all together.


OK, I agree !

Thanks for the rewrite of the plugin in C... it's indeed smaller.


Kichik,

could you please add the UserInfo plugin to the CVS snapshot ZIPs?

Many thanks !


The snapshot automatically updates at least once a day.
The current snapshot already has the plugin.


Well, Yes and No ;)

In fact, I compile the extracted ZIP file into an installer (using !InstallNSIS.bat) and this one doesn't install the UserInfo plugin DLL and source... I think you forgot to update the makensis.nsi file.

I didn't even check the ZIP archive for the plugin, but it's indeed included.

Romain


It seems this plugin never returns Guests. Windows help says that all Guests users are also members of the Users group, which according to the above explanation may be why Users is returned for Guests users. If this is the case why doesn't the Guest User's properties list Users as one of the groups it is a member of?

To get to my point :).. I need to know if a user is a member of Guests, since any HKCU reg settings are not kept from one session to the next.


Do you reckon it's safe to assume that a user that exists in the Guests group is always a guest or should I compare to DOMAIN_USER_RID_GUEST too?


MSDN states the following:

DOMAIN_GROUP_RID_USERS: A group containing all user accounts in a domain. All users are automatically added to this group.

Probably it would make sense only to return the "Users" group if this is the only group a user is a member of. For all other cases the logic you have stated above would make sense.. So in the case of a user being member of Guests (and Users by default), "Guests" should be returned.


What I am asking is if a normal user can be in the guests group too. I don't see anything saying that this is impossible. And does a user have to be DOMAIN_USER_RID_GUEST to be a guest or is being in the guests group enough?


From what I understand..

ALL users are members of the Users group by default (including Guests members). So when you say "normal user", I assume you mean a member of the Users group, but not a member of the Guests group. So what I was trying to say above.. A user is only a "normal user" if he is only in the "Users" group and no other. The Guest account is a member of the Guests group (and by default Users).

So I would say a Guest is anyone in the Guests group (and by default Users group), who is not also a member of a group with better than Guests privileges (i.e. only Groups and Users).


By a normal user I mean a user who is not the guest user and according to a little test I have just made a normal user can be in the guests group and not be a guest. According to you:

I need to know if a user is a member of Guests, since any HKCU reg settings are not kept from one session to the next.
The user that belonged to the Guests group did keep HKCU changes from one session to the next.

I'll check for DOMAIN_USER_RID_GUEST, not the group.

This is my experience on Win2k Pro:

Create User
-----------
From Admin account:
- Control Panel -> Users and Passwords -> Users Tab -> Add
- User Name: User2
- Full Name:
- Description
Next
- Password:
- Confirm Password:
Next (Access level)
- Other -> Guests
Finish

Check that User2 is only member of Guests group
-----------------------------------------------
- Control Panel -> Users and Passwords -> Advanced Tab -> Advanced Button
- Click Users in left column
- Click "User2" in right column
- In User2 Properties window click "Member of" tab

"Guests" should be the only group in the list.

Login as User2
--------------
Use regedit to create "MyTestKey" under HKCU\SOFTWARE

Logout
------

Log back in as User2
--------------------
HKCU/SOFTWARE/MyTestKey is gone.


Originally posted by kichik
By a normal user I mean a user who is not the guest user and according to a little test I have just made a normal user can be in the guests group and not be a guest.
So what would be the point of having a Guests group (or any group for that matter), if members of this group are only ever recognized as just Users?

I am talking about an existing user that has been created as one, that is added to the guests group. According to my tests he is not really a guest and so checking the group will not work. Don't ask me why it works this way, I didn't create Windows ;)

I am currently testing and trying to figure out how to really check if the user is the guest user.


Originally posted by kichik
I am talking about an existing user that has been created as one, that is added to the guests group. According to my tests he is not really a guest and so checking the group will not work. Don't ask me why it works this way, I didn't create Windows ;)

I am currently testing and trying to figure out how to really check if the user is the guest user.
A User that was created as part of the "Users" group and then later added to the "Guests" group is equivalent to a user that was created as part of the "Guests" group from the beginning.. so we are talking about the same thing.

Perhaps Guests groups have different restrictions on different versions of windows (NT 4.0 may not have the HKCU restriction), but I think you are looking at this wrong. All users start off with the base permissions set by the "Users" group, any assignment of a member to another group is either adding permissions, or adding restrictions (as is the case for the Guests group).

Yes, you are right. There are different restrictions on XP. My guest user can write to HKCU and it stays there. So, how can I make sure that a user that's in the guests group is really a guest? I am still a bit sceptical about this because Microsoft documentation says:

DOMAIN_USER_RID_GUEST - The guest-user account in a domain. Users who do not have an account can automatically log on to this account.
Looking at this line one can understand there is only one guest user.

Probably for a member of Guests you need to check the Windows version to determine whether to return "Guest" or "User", since apparently on some platforms there is no difference between Guests and Users..

Again, I think you should not be concerned with DOMAIN_USER_RID_GUEST, because this user's permissions are determined by the Guests group. As far as I can tell, the only thing that makes this account unique from other Guests accounts is that it ships with Windows.


Well, I am going to have to trust you on this one because I can't find much on Microsoft documentation and some message boxes that seemed to have nothing to do with my test user being guest disappeared when I removed him from the guest account.

New version of UserInfo.dll uploaded. Thank you for your help.

Probably for a member of Guests you need to check the Windows version to determine whether to return "Guest" or "User", since apparently on some platforms there is no difference between Guests and Users..
Well, a guest is a guest and some weird message boxes disappeared for me so they must have had something to do with guest user restrictions.

Ok.. I found something at MSDN about this:

Changes to the way Guest profiles are handled

Windows 2000 and Windows NT 4.0 always delete the user profile of users belonging to the local Guests security group when users log off. Windows XP and Windows Server 2003, continue to delete the profile of guest users, only when the computer is joined to a domain. When the computer is part of a workgroup, the user profile of users belonging to the local Guests group is not deleted at logoff.

The exception is when the user is a member of the local Guests group AND a member of local Administrators, in this case the profile is NOT deleted when in a domain.

Here is the link:

http://www.microsoft.com/technet/tre...ate/User01.asp
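
The group check discussed in this thread, written out as an added example (not part of the thread and not the UserInfo source): every group is tested, each SID is freed, the highest match wins with Guests ranked above Users as suggested above, and the MSDN profile rule quoted above is a separate predicate. The bitmask, the function names and the `legacy_os` flag are assumptions of this example, and the Windows lookup is compiled only under `_WIN32`.

```c
#include <string.h>

enum { IN_USERS = 1, IN_GUESTS = 2, IN_POWER = 4, IN_ADMINS = 8 };

/* Lowest to highest. Guests outranks Users because every account is in
   Users, so "User" is only meaningful when nothing else matches. */
static const struct { unsigned bit; unsigned long rid; const char *name; } GROUPS[] = {
    { IN_USERS,  0x221, "User"  },  /* DOMAIN_ALIAS_RID_USERS */
    { IN_GUESTS, 0x222, "Guest" },  /* DOMAIN_ALIAS_RID_GUESTS */
    { IN_POWER,  0x223, "Power" },  /* DOMAIN_ALIAS_RID_POWER_USERS */
    { IN_ADMINS, 0x220, "Admin" },  /* DOMAIN_ALIAS_RID_ADMINS */
};
#define GROUP_COUNT (sizeof GROUPS / sizeof GROUPS[0])

#ifdef _WIN32
#include <windows.h>
/* Membership mask of the calling token; each SID is freed in its own iteration. */
unsigned current_groups(void) {
    SID_IDENTIFIER_AUTHORITY nt = SECURITY_NT_AUTHORITY;
    unsigned mask = 0;
    for (size_t i = 0; i < GROUP_COUNT; i++) {
        PSID sid; BOOL member = FALSE;
        if (!AllocateAndInitializeSid(&nt, 2, SECURITY_BUILTIN_DOMAIN_RID,
                                      GROUPS[i].rid, 0, 0, 0, 0, 0, 0, &sid)) continue;
        if (CheckTokenMembership(NULL, sid, &member) && member) mask |= GROUPS[i].bit;
        FreeSid(sid);
    }
    return mask;
}
#endif

/* Scan every group without breaking early; the last (highest) match wins. */
const char *account_type(unsigned mask) {
    const char *type = "Unknown";
    for (size_t i = 0; i < GROUP_COUNT; i++)
        if (mask & GROUPS[i].bit) type = GROUPS[i].name;
    return type;
}

/* Profile-deletion rule from the MSDN text quoted above. legacy_os is nonzero
   for Windows 2000 / NT 4.0 and zero for XP / Server 2003. Assumption: the
   Guests-and-Administrators exception applies to the domain-joined case. */
int guest_profile_deleted(unsigned mask, int legacy_os, int domain_joined) {
    if (!(mask & IN_GUESTS)) return 0;   /* rule only concerns Guests members */
    if (legacy_os) return 1;             /* always deleted at logoff */
    if (!domain_joined) return 0;        /* workgroup: profile is kept */
    return !(mask & IN_ADMINS);          /* domain: kept only for Guests+Admins */
}
```

On Windows, `account_type(current_groups())` gives the type for the calling user; an installer that stores settings under HKCU can consult `guest_profile_deleted` before relying on them surviving a logoff.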