ValidateUser instead of LogonUser?

Question

We're trying to "lock down" a computer such that we have a generic login account for Windows XP that has very few permissions. Our software is then launched via a launcher that runs it as more privileged user, allowing it to access the file system.

Then, an operator will login to our software and we were hoping to authenticate their credentials by using the win32 LogonUser() function.

The problem that we're seeing though, is that we want to set the software operators with a "Deny logon locally" group policy but setting this prevents the LogonUser() function from working.

I understand that we could work around this by passing LOGON32_LOGON_NETWORK instead of LOGON32_LOGON_NETWORK to LogonUser() but I didn't really want to do as it creates other problems. Instead, I was wondering if there is anything like C#'s ValidateUser() function in C++?

(Btw we're compiling with VS2003 if that's relevant)

Answer 1

If you want more control over the login process, you can replace the built-in login with your own, using a Gina dll. Writing your own will probably mean more work then just finding the right arguments for some API calls, but if you're looking for full customization, this might be the solution for you.

Answer 2

You could validate a set of credentials by using the WNetAddConnection2 API to establish a connection to a share. You could connect to \\YOURDC\IPC$ or maybe something else.

Once you have verified the credentials don't forget to free the connection.