Writing DACL only with SetSecurityDescriptorSddlForm
- From: "Jan Nielsen" <janielsen@xxxxxxxxxxxxx>
- Date: Tue, 23 Sep 2008 21:32:01 +0200
In a C# .Net web page I'm displaying some information from our AD.
Furthermore I have a method allowing replacing a SID in an ACL of a user, group or computer object.
I use the managedBy attribute a lot, but when this manager resigns, I must set a new user, and I prefer to give whatever rights the previous manager had to the newly designated one.
I have my code working, but only when the calling user is an administrator. Having the right to change permissions (write DACL) is not sufficient.
Here's what I do (simplified):
objAccount is a DirectoryEntry object representing ex. a group or computer.
string strSDDL = objAccount.ObjectSecurity.GetSecurityDescriptorSddlForm(System.Security.AccessControl.AccessControlSections.Access);
// Search for old SID, replace with new one
....
objAccount.ObjectSecurity.SetSecurityDescriptorSddlForm(strSDDL, System.Security.AccessControl.AccessControlSections.Access)
objAccount.InvokeSet("managedBy", objNewResp.Properties["distinguishedName"].Value.ToString());
objAccount.CommitChanges();
This succeeds if called by an admin, but throws an exception saying "A constraint violation occurred. (Exception from HRESULT: 0x8007202F)", if the calling user is not an admin, even if account operator.
I've found KB323749, and it sounds reasonable the problem is the function trying to set the owner in the SD as well, even though I specify the second argument on the SetSecurityDescriptorSddlForm method. To me this seems like an error in the .Net framework, or am I mistaken???
The AccessControlSections.Access value ought to specify DACL only, according to the documentation.
To verify this is really the problem, I tried to implement the method suggested in the mentioned article.
The following two lines somewhat solves the problem:
ActiveDs.IADsObjectOptions options = (ActiveDs.IADsObjectOptions)objAccount.NativeObject;
options.SetOption((int)ActiveDs.ADS_OPTION_ENUM.ADS_OPTION_SECURITY_MASK, ActiveDs.ADS_SECURITY_INFO_ENUM.ADS_SECURITY_INFO_DACL);
And as such proves the owner to be the problem. However, apparently this is a global setting. As another part of my web page reads a SD and among others passes it to the API function AccessCheckByTypeResultList. This suddently starts to fail, and it reports the SD is not valid (error code: 1338). I can set the option back to include all aspects of the SD, but it would just be a matter of time until two users clicks at the same time, and one of the calls fail. I'd rather not want to implement a semaphore in a web page.
I'm wondering why the second argument on ObjectSecurity.SetSecurityDescriptorSddlForm doesn't have an effect.
Do I need a patch to fix this???
Thanks in advance,
Jan
.
- Follow-Ups:
- Re: Writing DACL only with SetSecurityDescriptorSddlForm
- From: Mark Rae [MVP]
- Re: Writing DACL only with SetSecurityDescriptorSddlForm
- Prev by Date: Re: In the code behind: how to add a background attribute to the body tag.
- Next by Date: how to add css to acordion HeaderTemplate
- Previous by thread: Event source
- Next by thread: Re: Writing DACL only with SetSecurityDescriptorSddlForm
- Index(es):
Relevant Pages
|
