How Add user into “Access to this computer from the network” Local Policy by adding a registry key?

Question

Do you have any idea how can I add a user in Local policies? I need same effect like this

gpedit.msc -> Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment / "Access this computer from the network"

I would like to do that by adding a registry key or by running a command from cmd. If you have any hint or internet resource to share, I would be happy.

Thanks.

Answer 1

Here's one I prepared earlier. We use the (lengthy, sorry) wrapper class below to grant "Logon as a service right". The call for this is as follows:

var identity = new WindowsIdentity(logonName);
LsaSecurityWrapper.AddAccountRights(identity.User.AccountDomainSid,
    "SeServiceLogonRight");

You would just need to replace "SeServiceLogonRight" with your own. A quick Google tells me this should be "SeNetworkLogonRight". If you want this in a console app, then you can quickly compile one. Set your Main method like so:

static void Main(string[] args)
{
    var identity = new WindowsIdentity(args[0]);
    LsaSecurityWrapper.AddAccountRights(identity.User.AccountDomainSid, args[1]);
}

Then call as YourConsoleApp.exe logon right. Here's the wrapper:

[StructLayout(LayoutKind.Sequential)]
internal struct LSA_OBJECT_ATTRIBUTES
{
    internal int Length;
    internal IntPtr RootDirectory;
    internal IntPtr ObjectName;
    internal int Attributes;
    internal IntPtr SecurityDescriptor;
    internal IntPtr SecurityQualityOfService;
}

/// 
/// LSA_UNICODE_STRING structure
/// 
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
internal struct LSA_UNICODE_STRING
{
    internal ushort Length;
    internal ushort MaximumLength;
    [MarshalAs(UnmanagedType.LPWStr)] internal string Buffer;
}

/// 
/// Wraps LsaAddAccountRights call.
/// 
public sealed class LsaSecurityWrapper
{
    [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true),
     SuppressUnmanagedCodeSecurityAttribute]
    internal static extern uint LsaOpenPolicy(
        LSA_UNICODE_STRING[] SystemName,
        ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
        int AccessMask,
        out IntPtr PolicyHandle
        );

    [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true),
     SuppressUnmanagedCodeSecurityAttribute]
    internal static extern uint LsaAddAccountRights(
        LSA_HANDLE PolicyHandle,
        IntPtr pSID,
        LSA_UNICODE_STRING[] UserRights,
        int CountOfRights
        );

    [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true),
     SuppressUnmanagedCodeSecurityAttribute]
    internal static extern uint LsaRemoveAccountRights(
        LSA_HANDLE PolicyHandle,
        IntPtr AccountSid,
        bool AllRights,
        LSA_UNICODE_STRING[] UserRights,
        int CountOfRights
        );

    [DllImport("advapi32")]
    internal static extern int LsaClose(IntPtr PolicyHandle);

    private enum Access : int
    {
        POLICY_READ = 0x20006,
        POLICY_ALL_ACCESS = 0x00F0FFF,
        POLICY_EXECUTE = 0X20801,
        POLICY_WRITE = 0X207F8
    }

    // rights: (http://msdn.microsoft.com/en-us/library/bb545671(VS.85).aspx)
    public static void AddAccountRights(SecurityIdentifier sid, string rights)
    {
        IntPtr lsaHandle;

        LSA_UNICODE_STRING[] system = null;
        LSA_OBJECT_ATTRIBUTES lsaAttr;
        lsaAttr.RootDirectory = IntPtr.Zero;
        lsaAttr.ObjectName = IntPtr.Zero;
        lsaAttr.Attributes = 0;
        lsaAttr.SecurityDescriptor = IntPtr.Zero;
        lsaAttr.SecurityQualityOfService = IntPtr.Zero;
        lsaAttr.Length = Marshal.SizeOf(typeof(LSA_OBJECT_ATTRIBUTES));
        lsaHandle = IntPtr.Zero;

        uint ret = LsaOpenPolicy(system, ref lsaAttr, (int)Access.POLICY_ALL_ACCESS, out lsaHandle);
        if (ret == 0)
        {
            Byte[] buffer = new Byte[sid.BinaryLength];
            sid.GetBinaryForm(buffer, 0);

            IntPtr pSid = Marshal.AllocHGlobal(sid.BinaryLength);
            Marshal.Copy(buffer, 0, pSid, sid.BinaryLength);

            LSA_UNICODE_STRING[] privileges = new LSA_UNICODE_STRING[1];

            LSA_UNICODE_STRING lsaRights = new LSA_UNICODE_STRING();
            lsaRights.Buffer = rights;
            lsaRights.Length = (ushort)(rights.Length * sizeof(char));
            lsaRights.MaximumLength = (ushort)(lsaRights.Length + sizeof(char));

            privileges[0] = lsaRights;

            ret = LsaAddAccountRights(lsaHandle, pSid, privileges, 1);

            LsaClose(lsaHandle);

            Marshal.FreeHGlobal(pSid);

            if (ret != 0)
            {
                throw new Win32Exception("LsaAddAccountRights failed with error code: " + ret);
            }
        }
        else
        {
            throw new Win32Exception("LsaOpenPolicy failed with error code: " + ret);
        }
    }
}