Question

I'm using C# 4.5 and the code from this article to PInvoke the Win32 API in order to give an AD domain user the SeServiceLogonRight right on the local machine:

http://www.codeproject.com/Articles/4863/LSA-Functions-Privileges-and-Impersonation

long res = LsaAddAccountRights(policyHandle, sid, userRights, 1);

But there is an unusual circumstance. The code works fine the first time it is run, and I am able to start a Windows service with the account. Then, for testing purposes, I delete the account from AD. Then I recreate the account with the same account name and run the code again. The code still runs successfully, gives no error, and appears to grant the new user the SeServiceLogonRight. However, when I then attempt to start a Windows service with that user account, I am informed that the user has not been granted the SeServiceLogonRight on this computer.

Rebooting the computer fixes the issue, but I would rather not have to reboot the computer in order to complete the procedure.


Solution

For testing scenarios you should perhaps set the LsaLookupCacheMaxSize to 0. See KB946358 for a similar issue to yours (and the solution):

The LsaLookupCacheMaxSize registry entry sets the maximum number of cached mappings that can be saved in the local SID cache. The default maximum number is 128. When the LsaLookupCacheMaxSize registry entry is set to 0, the local SID cache is disabled.

The behavior is by design.

I suspect your test resolves the wrong SID on subsequent runs, after the account is recycled in the AD.
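As an added example (this is not code from the question or the answer above), the following PowerShell script does the two things a practitioner would want after reading this: it checks whether the local LSA resolves the account name to the same SID that the domain controller returns, applies the KB946358 setting, and then verifies from the exported local security policy that SeServiceLogonRight is held by the current SID rather than a stale one. It assumes an elevated session on the machine where the service runs and uses the placeholder account name CONTOSO\svc-example; the registry path and value name are the ones documented in KB946358.

```powershell
# Added example, not from the original question or answer.
# Assumptions: elevated PowerShell on the target machine; the account name
# below is a placeholder for the recycled AD account.
$Account = 'CONTOSO\svc-example'
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. What does the local LSA (and its SID cache) map the name to right now?
$localSid = ([System.Security.Principal.NTAccount]$Account).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value

# 2. Ask a domain controller directly via ADSI, which does not use the
#    local LSA lookup cache, and decode the objectSid byte array.
$domain, $sam = $Account -split '\\', 2
$searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$sam))"
$entry    = $searcher.FindOne()
if (-not $entry) { throw "Account $sam not found in AD" }
$adSid    = (New-Object System.Security.Principal.SecurityIdentifier(
                 $entry.Properties['objectsid'][0], 0)).Value

if ($localSid -ne $adSid) {
    Write-Warning "Stale mapping: local LSA resolves $Account to $localSid, AD says $adSid"
} else {
    Write-Host "Local LSA and AD agree on $adSid"
}

# 3. Disable the local SID cache as described in KB946358 (REG_DWORD 0).
New-ItemProperty -Path $LsaKey -Name 'LsaLookupCacheMaxSize' `
    -PropertyType DWord -Value 0 -Force | Out-Null

# 4. Export the local policy and check which SIDs actually hold the right.
#    secedit writes account SIDs as *S-1-5-..., so match on the AD SID.
$cfg = Join-Path $env:TEMP 'secpol-userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = (Select-String -Path $cfg -Pattern '^SeServiceLogonRight').Line
Remove-Item $cfg -ErrorAction SilentlyContinue

if ($line -and $line -match [regex]::Escape("*$adSid")) {
    Write-Host "OK: $adSid holds SeServiceLogonRight"
} else {
    Write-Warning "MISSING: $adSid does not hold SeServiceLogonRight (policy line: $line)"
}
```

If step 1 reports a mismatch, the grant in the original code went to the old SID, which explains why the service fails to start even though LsaAddAccountRights returned success. Note that setting LsaLookupCacheMaxSize to 0 disables the cache for every lookup on that host, so treat it as a test-environment setting rather than a production default.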

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow