I have 2 Active Directory setups in my lab:
- AD1.local
- AD2.local
Both forests have a trust relationship enabled.
I have a resource "X" on AD1 that is only accessible to the "Marketing" group situated within AD1. This resource is shared over the network and accessible through SMB to all the users of the Marketing group within AD1.
I have a computer on AD2 with Administrator Privilege called BossPC.AD2.local.
Our file security software runs on BossPC on AD2.local. Now, BossPC.AD2.local wants to run a routine scan over the resources accessible only to the Marketing group of users in AD1.local.
My approach in writing a C++ Windows API application (to which I am fairly new):
1. Access the token for a user in the Marketing group in AD1.local through LogonUser()
2. Gain token privileges for the current calling thread using ImpersonateLoggedOnUser()
3. Access the resource and the relevant attributes using various File APIs like CreateFile(), GetExtendedAttributes(), etc.
Code excerpt:
#include <windows.h>
#include <iostream>
using namespace std;

HANDLE token = NULL;

bool authenticate() {
    bool bSuccess{ false };
    DWORD logonType{ LOGON32_LOGON_INTERACTIVE };
    DWORD logonProvider{ LOGON32_PROVIDER_WINNT50 };
    cout << endl << "Current process token: " << GetCurrentThreadToken() << endl; // pseudo-handle of the calling thread's token
    // Wide-string variant called explicitly so the build does not depend on UNICODE being defined
    bSuccess = LogonUserW(L"administrator",
        L"ad2.local",
        L"pwd1234$$",
        logonType,
        logonProvider,
        &token);
    if (bSuccess) {
        cout << endl << "Got token from LogonUser : " << token << endl; // Token from LogonUser
        bSuccess = ImpersonateLoggedOnUser(token);
        if (!bSuccess) {
            wprintf(L"\nImpersonateLoggedOnUser failed with 0x%lx", GetLastError());
        }
        cout << endl << "After impersonation token: " << GetCurrentThreadToken() << endl; // Impersonated token
        HANDLE hFile = CreateFileW(
            L"\\\\resourcedc.ad2.local\\SYSVOL\\",
            GENERIC_READ,
            FILE_SHARE_READ,
            nullptr,
            OPEN_EXISTING,
            FILE_FLAG_BACKUP_SEMANTICS, // needed to open a handle to a directory
            nullptr
        );
        if (hFile == INVALID_HANDLE_VALUE) {
            cout << endl << "CreateFile failed with 0x" << hex << GetLastError() << dec;
        }
        else {
            cout << endl << "CreateFile success: " << hFile;
            // Only query the handle when CreateFile actually returned one
            BY_HANDLE_FILE_INFORMATION fileInfo{};
            if (GetFileInformationByHandle(hFile, &fileInfo)) {
                cout << endl << "File information: 0x" << hex << fileInfo.dwFileAttributes << dec;
            }
            else {
                cout << endl << "GetFileInformationByHandle failed with 0x" << hex << GetLastError() << dec;
            }
            CloseHandle(hFile);
        }
    }
    else {
        cout << endl << "LogonUser failed with 0x" << hex << GetLastError() << dec;
    }
    if (token) {
        CloseHandle(token);
        token = nullptr;
    }
    return bSuccess;
}

int main()
{
    authenticate();
    RevertToSelf(); // drop the impersonation token regardless of what happened above
    return 0;
}
I keep getting error "0x5" - Access Denied.
My expectation is to get the handle of the resource to start with.
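A pre-check to run on BossPC before debugging the C++ code, added here as an example and not part of the original post: it lists who is actually in AD1\Marketing, connects to the share with explicit AD1 credentials (the PowerShell counterpart of the LogonUser/ImpersonateLoggedOnUser step) and shows what the share ACL grants. The share host fileserver.ad1.local is a hypothetical name, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added diagnostic for the scenario in the question; not code from the original
# post. Assumptions: the AD1 share is \\fileserver.ad1.local\X (hypothetical
# host name), the RSAT ActiveDirectory module is installed on BossPC, and the
# forest trust lets AD2 machines query AD1 and authenticate to its file servers.
param(
    [string]$SharePath = '\\fileserver.ad1.local\X',   # hypothetical UNC path
    [string]$Ad1Domain = 'ad1.local',
    [string]$GroupName = 'Marketing'
)

Import-Module ActiveDirectory

# 1. Marketing exists only in AD1, so the membership query must go to an AD1
#    domain controller. A global group cannot contain principals from another
#    forest, so an AD2 account such as AD2\administrator will never appear here.
$members = Get-ADGroupMember -Identity $GroupName -Server $Ad1Domain -Recursive |
    Select-Object -ExpandProperty SamAccountName
"Members of $Ad1Domain\${GroupName}: $($members -join ', ')"

# 2. Ask for the AD1 account the scanner should run as and warn if it is not
#    actually in the group, which is exactly the case that yields error 0x5.
$cred = Get-Credential -Message "AD1 account to test with (ad1\user)"
$user = ($cred.UserName -split '\\')[-1]
if ($members -notcontains $user) {
    Write-Warning "$user is not a member of $Ad1Domain\$GroupName; expect ACCESS_DENIED (0x5)"
}

# 3. Connect to the share with those explicit credentials, print the Allow
#    ACEs so the IdentityReference column can be compared with step 1, and
#    confirm that a directory listing works for that identity.
try {
    New-PSDrive -Name ScanX -PSProvider FileSystem -Root $SharePath `
        -Credential $cred -ErrorAction Stop | Out-Null
    (Get-Acl -Path 'ScanX:\').Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, FileSystemRights |
        Format-Table -AutoSize
    $count = @(Get-ChildItem -Path 'ScanX:\' -ErrorAction Stop).Count
    "Access as $($cred.UserName): OK, $count top-level entries"
} catch {
    "Access as $($cred.UserName) failed: $($_.Exception.Message)"
} finally {
    Remove-PSDrive -Name ScanX -ErrorAction SilentlyContinue
}
```

If the scanner must keep running under an AD2 account, the ACE on the share would have to name a group that can hold cross-forest members (a domain local group in AD1, or a direct entry for the AD2 principal), because membership in AD1's global Marketing group is not possible for an AD2 account.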
Is [email protected] a member of the Marketing group? (which does not exist at all in ad2.local) If not, why do you expect it to get access to a file that is only accessible to the Marketing group?