English 中文(简体)
Creating roaming user profiles programmatically on Windows 2008
原标题:

Problem:

Logon and load profile via LoadUserProfile API for a roaming user is not creating proper profile. This only happens under Windows 2008 (UAC off and on). Login using standard windows logon works correctly and same code works correctly on Windows 2003.

Logs:

  1. http://drop.io/6t2b3f3 ETL of user profile service created via command: logman -start profile -p {eb7428f5-ab1f-4322-a4cc-1f1a9b2c5e98} 255 3 –ets The file needs to be analyzed by someone with access to the source and hopefully that will shed some light on why the profile is always loading as temporary.

Environment:

  1. Windows 2008 mode domain/forest
  2. Server fs001 - Windows 2008 Standard SP2 x86 box
  3. File share on fs001 "Share" with Everyone+SYSTEM having full control on share and ntfs.

To reproduce:

  1. Create domain user tuser1 with roaming profile set to fs001Share user1profile
  2. Run this program as any domain admin and local admin account on fs001 (if UAC is on run as administrator), a temporary user profile is loaded in c:users emp* rather than c:users user1

The ETL is probably the best way to go here and will be provide the quickest diagnosis. Procmon of user profile service svchost instance and tracing logon on the system level did not reveal too much about what s going wrong (I can provide more info if necessary but it s a dead end). userenv.log on Windows 2003 would have helped but ETL can only be analyzed by someone at MSFT.

Any ideas?

Thanks, Alex

using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

namespace consoleLogon {
  class Program {
    #region Helpers for setting privilegies functionality
    [StructLayout(LayoutKind.Sequential, Pack = 4)]
    public struct LUID_AND_ATTRIBUTES {
        public long Luid;
        public int Attributes;
    }

    [StructLayout(LayoutKind.Sequential, Pack = 4)]
    public struct TOKEN_PRIVILEGES {
        public int PrivilegeCount;
        public LUID_AND_ATTRIBUTES Privileges;
    }

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(
        IntPtr TokenHandle,
        bool DisableAllPrivileges,
        ref TOKEN_PRIVILEGES NewState,
        int BufferLength,
        IntPtr PreviousState,
        IntPtr ReturnLength
        );

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool LookupPrivilegeValue(
        string lpSystemName,
        string lpName,
        ref long lpLuid
        );

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(
        IntPtr ProcessHandle,
        int DesiredAccess,
        ref IntPtr TokenHandle
        );

    public const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
    public const int TOKEN_QUERY = 0x00000008;
    public const int TOKEN_DUPLICATE = 0x00000002;
    public const int TOKEN_IMPERSONATE = 0x00000004;
    public const int SE_PRIVILEGE_ENABLED = 0x00000002;
    public const string SE_RESTORE_NAME = "SeRestorePrivilege";
    public const string SE_BACKUP_NAME = "SeBackupPrivilege";

    [DllImport("advapi32.dll", SetLastError = true)]
    static public extern bool LogonUser(String lpszUsername, String lpszDomain,
        String lpszPassword,
        int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

    [DllImport("Userenv.dll", CallingConvention = CallingConvention.Winapi, SetLastError = true, CharSet = CharSet.Auto)]
    public static extern bool LoadUserProfile(
        IntPtr hToken,               // user token
        ref PROFILEINFO lpProfileInfo  // profile
        );

    [DllImport("Userenv.dll", CallingConvention = CallingConvention.Winapi, SetLastError = true, CharSet = CharSet.Auto)]
    public static extern bool UnloadUserProfile(
        IntPtr hToken,   // user token
        IntPtr hProfile  // handle to registry key
        );

    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    private extern static bool DuplicateToken(
        IntPtr ExistingTokenHandle,
        int SECURITY_IMPERSONATION_LEVEL,
        ref IntPtr DuplicateTokenHandle
        );


    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
    public struct PROFILEINFO {
        public static readonly int SizeOf = Marshal.SizeOf(typeof(PROFILEINFO));

        public int dwSize;                 // Set to sizeof(PROFILEINFO) before calling
        public int dwFlags;                // See PI_ flags defined in userenv.h
        public string lpUserName;          // User name (required)
        public string lpProfilePath;       // Roaming profile path (optional, can be NULL)
        public string lpDefaultPath;       // Default user profile path (optional, can be NULL)
        public string lpServerName;        // Validating domain controller name in netbios format (optional, can be NULL but group NT4 style policy won t be applied)
        public string lpPolicyPath;        // Path to the NT4 style policy file (optional, can be NULL)
        public IntPtr hProfile;            // Filled in by the function.  Registry key handle open to the root.
    }
    #endregion

    static void Main(string[] args) {
        string domain = "dev1";
        string userName = "tuser1";
        string password = "asd!234";
        string profilePath = @"\fs001TestProfiles	user9profile";

        bool retVal = false;
        IntPtr primaryToken = IntPtr.Zero;
        IntPtr dupeToken = IntPtr.Zero;
        PROFILEINFO profileInfo = new PROFILEINFO();
        try {
            // Add RESTORE AND BACUP privileges to process primary token, this is needed for LoadUserProfile function
            IntPtr processToken = IntPtr.Zero;

            OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref processToken);

            long luidRestore = 0;
            long luidBackup = 0;
            retVal = LookupPrivilegeValue(null, SE_RESTORE_NAME, ref luidRestore);
            retVal = LookupPrivilegeValue(null, SE_BACKUP_NAME, ref luidBackup);

            TOKEN_PRIVILEGES tpRestore = new TOKEN_PRIVILEGES();
            TOKEN_PRIVILEGES tpBackup = new TOKEN_PRIVILEGES();

            tpRestore.PrivilegeCount = 1;
            tpRestore.Privileges = new LUID_AND_ATTRIBUTES();
            tpRestore.Privileges.Attributes = SE_PRIVILEGE_ENABLED;
            tpRestore.Privileges.Luid = luidRestore;

            tpBackup.PrivilegeCount = 1;
            tpBackup.Privileges = new LUID_AND_ATTRIBUTES();
            tpBackup.Privileges.Attributes = SE_PRIVILEGE_ENABLED;
            tpBackup.Privileges.Luid = luidBackup;

            retVal = AdjustTokenPrivileges(processToken, false, ref tpRestore, 0, IntPtr.Zero, IntPtr.Zero);
            if (false == retVal) {
                throw new Win32Exception();
            }
            retVal = AdjustTokenPrivileges(processToken, false, ref tpBackup, 0, IntPtr.Zero, IntPtr.Zero);
            if (false == retVal) {
                throw new Win32Exception();
            }

            // Logon as user + password in clear text for sake of simple sample (protocol transitioning is better).
            retVal = LogonUser(userName, domain, password, 3 /* LOGON32_LOGON_NETWORK */, 0 /*LOGON32_PROVIDER_DEFAULT */, ref primaryToken);
            if (false == retVal) {
                throw new Win32Exception();
            }

            // Duplicate primary token.
            // LoadUserProfile needs a token with TOKEN_IMPERSONATE and TOKEN_DUPLICATE access flags.
            retVal = DuplicateToken(primaryToken, 2 /* securityimpersonation */, ref dupeToken);
            if (false == retVal) {
                throw new Win32Exception();
            }

            // Load user profile for roaming profile
            profileInfo.dwSize = PROFILEINFO.SizeOf;
            profileInfo.lpUserName = domain + @"" + userName;
            profileInfo.lpProfilePath = profilePath;

            Console.WriteLine("UserName: {0}", profileInfo.lpUserName);
            Console.WriteLine("ProfilePath: {0}", profileInfo.lpProfilePath);

            retVal = LoadUserProfile(dupeToken, ref profileInfo);
            if (false == retVal) {
                throw new Win32Exception();
            }

            // What should happen
            // 1.  Local new profile in c:users	user1.dev1 folder with copy from default.
            // 2.  Valid user registry hive ntuser.dat
            // 3.  Loaded profile session entry in the registry entry
            //     HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionProfileListSID of tuser1
            //     State bit mask should have new local profile (x004), new central profile (x008), 
            //     update the central profile (0010).
            //
            //       "State"=dword:0000021c
            //       "CentralProfile"="\fs001Share	user1profile.V2"
            //       "ProfileImagePath"="C:Users	user1"
            //
            //     See http://technet.microsoft.com/en-us/library/cc775560(WS.10).aspx fpr more info
            //     Roaming Profile - New User section.
            // 
            // What actually happens:
            // 1.  Temp profile is loaded in c:users	emp
            // 2.  Registry entry ProfieList/SID is showing temporary profile
            //       "State"=dword:00000a04
            //       "CentralProfile"="\fs001Share	user1profile.V2"
            //       "ProfileImagePath"="C:UsersTEMP"

            Console.WriteLine("Profile loaded, hit enter to unload profile");
            Console.ReadLine();
        }
        catch (Exception e) {
            Console.WriteLine(e.ToString());
            Console.ReadLine();
        }
        finally {
            // Unload profile properly.
            if (IntPtr.Zero != dupeToken) {
                retVal = UnloadUserProfile(dupeToken, profileInfo.hProfile);
                if (false == retVal) {
                    throw new Win32Exception();
                }
            }
        }
    }
}

}

问题回答

I have been chasing the same problem for months and finally have an answer. I have not seen this answer anywhere else on the Internet. It removes 5 to 10 seconds from the processing of LoadUserProfile as well. These comments only apply for situations where roaming profiles are used.

The lpUserName field in PROFILEINFO is used for more than active directory user verification in Windows 2008 R2 at least. It is used to build the roaming profile path and the local profile path. If lpUserName contains the domain name (mydomainmyusername) then the path used contains this. But if you change lpUserName to exclude the domain, the LoadUserProfile call will fail.

However, if you use just the user name in lpUserName and provide the NetBIOS domain name in lpServerName it works. The NetBIOS name is normally the highest level of the domain name (mydomain.parent.com, for example, the name is mydomain), padded or trimmed to 15 characters plus hex 1B (u001B in C# strings) in the 16th character.

You can see the problem yourself in the CentralProfile string in HKLMSoftwareMicrosoftWindows NTCurrentVersionProfileList{sid}. CentralProfile is only present when you attempt to use LoadUserProfile for roaming profiles.





相关问题
Anyone feel like passing it forward?

I m the only developer in my company, and am getting along well as an autodidact, but I know I m missing out on the education one gets from working with and having code reviewed by more senior devs. ...

NSArray s, Primitive types and Boxing Oh My!

I m pretty new to the Objective-C world and I have a long history with .net/C# so naturally I m inclined to use my C# wits. Now here s the question: I feel really inclined to create some type of ...

C# Marshal / Pinvoke CBitmap?

I cannot figure out how to marshal a C++ CBitmap to a C# Bitmap or Image class. My import looks like this: [DllImport(@"test.dll", CharSet = CharSet.Unicode)] public static extern IntPtr ...

How to Use Ghostscript DLL to convert PDF to PDF/A

How to user GhostScript DLL to convert PDF to PDF/A. I know I kind of have to call the exported function of gsdll32.dll whose name is gsapi_init_with_args, but how do i pass the right arguments? BTW, ...

Linqy no matchy

Maybe it s something I m doing wrong. I m just learning Linq because I m bored. And so far so good. I made a little program and it basically just outputs all matches (foreach) into a label control. ...

热门标签