INFO: Need To Call NetUserModalsGet Between Impersonated Net API Sessions (224582)


The information in this article applies to:

  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Workstation 4.0
This article was previously published under Q224582

SUMMARY

The NetUser, NetGroup, and NetLocalGroup APIs cache a security accounts manager (SAM) context handle to a named server. If you need to call these Net APIs under different impersonation credentials for the named server, then flush that SAM handle between the impersonation sessions. The best way to do this is to call NetUserModalsGet passing NULL as the first parameter. Although only members of the administrators or account operators local group can successfully execute NetUserModalsGet, calling NetUserModalsGet from any user context always flushes the SAM handle regardless of whether the NetUserModalsGet call returns successful.

MORE INFORMATION

The NetUser, NetGroup, and NetLocalGroup APIs are frequently used in custom Windows NT service or Internet Information Server (IIS) in the form of ISAPI DLL or ASP COM object to manage Windows NT domain users and groups. If the Windows NT service, the ISAPI DLL, or the ASP COM object is not already running under the domain administrator or account operator context, the application needs to impersonate a domain administrator or account operator in order to complete the above Net calls successfully.

You can use different administrator or account operator credentials in multiple impersonation sessions to manage Windows NT domain users and groups. If you do not call NetUserModalsGet between the sessions to flush the locally cached SAM context handle, the Net call may fail with error 86 because the new impersonation token does not match the cached SAM context handle. The correct sequence for multiple Net API impersonation sessions is as follows:
loop (admin_no_i) {

   hToken = LogonUser(admin_no_i); 
   ImpersonateLoggedOnUser(hToken, ...);
   NetUserAdd();
   RevertToSelf();	
   CloseHandle(hToken);

   bufptr = NULL;
   dwRtn = NetUserModalsGet(  NULL,    0, &bufptr);
   if (dwRtn == ERROR_SUCCESS && bufptr)	
	NetApiBufferFree(bufptr);
}

Since IIS has already impersonated when calling the ISAPI DLL or the ASP COM object, you don't want to call RevertToSelf. Instead, use the OpenThreadToken, SetThreadToken or ImpersonateLoggedOnUser as described in the following article:

217144 INFO: Difficulties Using Net APIs in ISAPI and ASP COM Objects.

REFERENCES

155601 Understanding SAM Active Contexts Under Windows NT

217144 INFO: Difficulties Using Net APIs in ISAPI and ASP COM Objects

Modification Type:MinorLast Reviewed:2/12/2004
Keywords:kbDSWNET2003Swept kbinfo KB224582
©2004 Microsoft Corporation. All rights reserved.