
I'm trying to write an application that will create an admin account and downgrade the current account from admin to guest. Is this possible and how would I go about achieving this?

```csharp
using System;
using System.DirectoryServices;

// Bind to the local machine's account database through the WinNT provider.
DirectoryEntry AD = new DirectoryEntry("WinNT://" +
                                Environment.MachineName + ",computer");
var currentUserName = Environment.UserName;
var currentUser = AD.Children.Find(currentUserName, "user");
var adminGroup = AD.Children.Find("Administrators", "group");
var guestGroup = AD.Children.Find("Guests", "group");

// Add the current user to Guests, then remove it from Administrators.
guestGroup.Invoke("Add", new object[] { currentUser.Path });
adminGroup.Invoke("Remove", new object[] { currentUser.Path });
```

This is what I currently have. It doesn't throw any exceptions but when I check my account it remains an admin account. What am I doing wrong?

Also, since I am doing this inside of a WindowsSandbox, where it ultimately is supposed to be deployed, there is no way for me to reboot without losing the account. Is there a way to refresh without rebooting the whole system (if that is the actual problem)?

AsPas
  • *"it remains an admin account"* - How are you determining that? – Gabriel Luci Jun 26 '20 at 16:26
  • Logout/login is necessary to refresh your token, reboot is not. – Ben Voigt Jun 26 '20 at 17:24
  • https://serverfault.com/a/336256/28549 – Ben Voigt Jun 26 '20 at 17:26
  • https://superuser.com/q/1469049/29943 – Ben Voigt Jun 26 '20 at 17:29
  • @GabrielLuci I am checking my account under system settings>>Manage your accounts. I can see the new account as expected, but the current account is still an admin account. – AsPas Jun 26 '20 at 20:41
  • @BenVoigt Thank you for the useful links. They pretty much hit the nail on the head. Is there no way (winapi/Pinvoke magic) to reissue the token mid-session? – AsPas Jun 26 '20 at 20:51
  • AsPas: Well, the list in *Manage your accounts* should have changed. But you won't experience the reduced privileges until the next time you login. You can get a new token issued but you can't make already-running programs use it, you can only launch new programs under the new token (as already explained in those links). – Ben Voigt Jun 26 '20 at 20:55
  • @BenVoigt Suppose I do the following: Perform the privilege escalation. Run a background service as admin. Reissue the token. Will I be able, as the current user, to terminate the background service? In theory this shouldn't be possible, as for the session created for the service I already have the reduced privilege token, right? Also, what would be the best way to reissue the token? Thanks for the help! – AsPas Jun 26 '20 at 21:00
  • https://stackoverflow.com/q/4404228/103167 – Ben Voigt Jun 26 '20 at 21:05
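
The distinction raised in the comments, between what the local account database says and what the token of an already-running process carries, can be checked directly. The following is an added example, not code from the question or its commenters; the class and method names are hypothetical, and it assumes a project reference to System.DirectoryServices.

```csharp
using System;
using System.Collections;
using System.DirectoryServices;
using System.Security.Principal;

// Hypothetical class name; requires a reference to System.DirectoryServices.
static class TokenVsAccountDatabase
{
    // True if userSid is listed as a direct member of the local group.
    static bool IsDirectMember(DirectoryEntry group, SecurityIdentifier userSid)
    {
        foreach (object member in (IEnumerable)group.Invoke("Members"))
        {
            using (var entry = new DirectoryEntry(member))
            {
                // Members whose SID cannot be read are skipped.
                var sid = entry.Properties["objectSid"].Value as byte[];
                if (sid != null && new SecurityIdentifier(sid, 0).Equals(userSid))
                    return true;
            }
        }
        return false;
    }

    static void Main()
    {
        var admins = new SecurityIdentifier(
            WellKnownSidType.BuiltinAdministratorsSid, null);

        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        using (var machine = new DirectoryEntry(
            "WinNT://" + Environment.MachineName + ",computer"))
        using (var group = machine.Children.Find("Administrators", "group"))
        {
            // State stored in the local account database right now.
            bool inDatabase = IsDirectMember(group, identity.User);
            // State frozen into this process's token when it was issued.
            bool inToken = new WindowsPrincipal(identity).IsInRole(admins);

            Console.WriteLine("Listed in Administrators group: " + inDatabase);
            Console.WriteLine("Administrators enabled in token: " + inToken);
            if (!inDatabase && inToken)
                Console.WriteLine("Membership was removed, but this session " +
                    "still holds its old token; log out and back in.");
        }
    }
}
```

Under UAC, a non-elevated process reports the group as not enabled in its token even while the account is still a member, so run the check at the same elevation level as the program whose privileges you are asking about.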
