Hi,

On Mon, Feb 20, 2017 at 11:13:49AM -0500, Selva Nair wrote:
> > MS documentation for GetTokenInformation() suggests that group membership
> > tests should be done with "CheckTokenMembership()", which sounds more
> > convenient than "extract them all and walk the list" - so maybe this
> > is done to avoid domain controller contact?
>
> Thanks for the review :)
>
> CheckTokenMembership() returns true only if the SID is present and enabled.
> That means when UAC is active it will not detect that the user is a member
> of the administrators group, as the SID will not be enabled. In other words, our
> usage of group membership is somewhat special -- we only care that the user is a
> member of the admin or ovpn_admin groups, not that the corresponding rights be
> enabled in the token.

Oh, wow. Thanks for the explanation - indeed, that makes sense :-)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
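
The distinction discussed in this thread, as an added example that is not part of the original mail or of OpenVPN's code: a portable C model of the two checks, run over a constructed group list like the one a UAC-filtered token carries. The struct, function names and sample list are assumptions for illustration; only the two attribute values and the well-known SIDs match Windows.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Attribute bits, same values as in winnt.h. */
#define SE_GROUP_ENABLED           0x00000004u
#define SE_GROUP_USE_FOR_DENY_ONLY 0x00000010u

/* Simplified stand-in for SID_AND_ATTRIBUTES (SID kept as a string). */
struct group_entry {
    const char *sid;
    unsigned attrs;
};

/* Semantics described for CheckTokenMembership(): present AND enabled. */
bool sid_enabled_in_token(const struct group_entry *g, size_t n, const char *sid)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(g[i].sid, sid) == 0)
            return (g[i].attrs & SE_GROUP_ENABLED) != 0;
    return false;
}

/* Walk of the TokenGroups list: present at all, whatever the attributes. */
bool sid_listed_in_token(const struct group_entry *g, size_t n, const char *sid)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(g[i].sid, sid) == 0)
            return true;
    return false;
}

/* Constructed sample: groups in the filtered token of an admin user under UAC. */
const struct group_entry filtered_token[] = {
    { "S-1-5-32-545", SE_GROUP_ENABLED },           /* BUILTIN\Users */
    { "S-1-5-32-544", SE_GROUP_USE_FOR_DENY_ONLY }, /* BUILTIN\Administrators */
};
const size_t filtered_token_len = sizeof filtered_token / sizeof filtered_token[0];

int main(void)
{
    const char *admins = "S-1-5-32-544";
    printf("enabled check: %d, list walk: %d\n",
           sid_enabled_in_token(filtered_token, filtered_token_len, admins),
           sid_listed_in_token(filtered_token, filtered_token_len, admins));
    return 0;
}
```

The enabled-only check misses the Administrators SID in the filtered token, while the list walk finds it, which is the membership-only answer described above.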