INFO: Need To Call NetUserModalsGet Between Impersonated Net API Sessions

ID: Q224582

The information in this article applies to:

Microsoft Windows NT, versions 4.0, 5.0

SUMMARY

The NetUser, NetGroup, and NetLocalGroup APIs cache a security accounts manager (SAM) context handle to a named server. If you need to call these Net APIs under different impersonation credentials for the named server, then flush that SAM handle between the impersonation sessions. The best way to do this is to call NetUserModalsGet passing NULL as the first parameter. Although only members of the administrators or account operators local group can successfully execute NetUserModalsGet, calling NetUserModalsGet from any user context always flushes the SAM handle regardless of whether the NetUserModalsGet call returns successful.

MORE INFORMATION

The NetUser, NetGroup, and NetLocalGroup APIs are frequently used in custom Windows NT service or Internet Information Server (IIS) in the form of ISAPI DLL or ASP COM object to manage Windows NT domain users and groups. If the Windows NT service, the ISAPI DLL, or the ASP COM object is not already running under the domain administrator or account operator context, the application needs to impersonate a domain administrator or account operator in order to complete the above Net calls successfully.

You can use different administrator or account operator credentials in multiple impersonation sessions to manage Windows NT domain users and groups. If you do not call NetUserModalsGet between the sessions to flush the locally cached SAM context handle, the Net call may fail with error 86 because the new impersonation token does not match the cached SAM context handle. The correct sequence for multiple Net API impersonation sessions is as follows:


loop (admin_no_i) {

   hToken = LogonUser(admin_no_i); 
   ImpersonateLoggedOnUser(hToken, ...);
   NetUserAdd();
   RevertToSelf();	
   CloseHandle(hToken);

   bufptr = NULL;
   dwRtn = NetUserModalsGet(  NULL,    0, &bufptr);
   if (dwRtn == ERROR_SUCCESS && bufptr)	
	NetApiBufferFree(bufptr);
}

Since IIS has already impersonated when calling the ISAPI DLL or the ASP COM object, you don't want to call RevertToSelf. Instead, use the OpenThreadToken, SetThreadToken or ImpersonateLoggedOnUser as described in the following article:

Q217144 INFO: Difficulties Using Net APIs in ISAPI and ASP COM Objects.

REFERENCES

Q155601 Understanding SAM Active Contexts Under Windows NT

Q217144 INFO: Difficulties Using Net APIs in ISAPI and ASP COM Objects

Additional query words:


Keywords          : kbNetAPI 
Version           : winnt:4.0,5.0
Platform          : winnt 
Issue type        : kbinfo

Last Reviewed: April 8, 1999