tag:blogger.com,1999:blog-1812985003737084262.post1347071819041808261..comments2009-03-25T22:36:34.896-04:00bxiahttp://www.blogger.com/profile/13262666423559414651noreply@blogger.comBlogger2125tag:blogger.com,1999:blog-1812985003737084262.post-76386287741653686092009-03-25T22:36:00.000-04:002009-03-25T22:36:00.000-04:00For all impersonate functions, such as ImpersonateLoggedOnUser, we might not need to dig into the security descriptors of security objects involved. <BR/><BR/>Per MSDN documentation, <BR/>All impersonate functions,including ImpersonateLoggedOnUser allow the requested impersonation if one of the following is true:<BR/><BR/>* The requested impersonation level of the token is less than SecurityImpersonation, such as SecurityIdentification or SecurityAnonymous.<BR/>* The caller has the SeImpersonatePrivilege privilege.<BR/>* A process (or another process in the caller's logon session) created the token using explicit credentials through LogonUser or LsaLogonUser function.<BR/>* The authenticated identity is same as the caller.<BR/><BR/>We can check whether SeImpersonatePrivilege is enabled in the token of the calling thread.bxiahttp://www.blogger.com/profile/13262666423559414651noreply@blogger.comtag:blogger.com,1999:blog-1812985003737084262.post-53514247113763428012009-03-24T10:29:00.000-04:002009-03-24T10:29:00.000-04:00Process Monitor can also be used to investigate security failures.bxiahttp://www.blogger.com/profile/13262666423559414651noreply@blogger.com