Re: Folder permissions

From: rheller (rheller.1k3sln_at_mail.codecomments.com)
Date: 02/07/05


Date: Mon, 7 Feb 2005 14:15:00 -0600


John,

I received this same error when I attempted to write a Perl script to
perform a similar task. I believe that the problem is that the new
user has not been replicated to the necessary domain controller yet.

I fixed my problem by setting the variable Trustee to the SID (Security
Identifier) of the newly created account rather than the domain and user
ID. You can obtain the SID from the account; it is in the "objectSid"
attribute. However, it is in binary format, and you need to convert it
to string format in order to use it on your AccessControlEntry. There
is a Win32 API call that will perform this action named
ConvertSidToStringSid. (It requires Windows 2000.)

Sorry I can't provide you with VB code, but hopefully this will point
you in the right direction.

John Birtwistle wrote:
> The code below is written in VB6. CONSTANTS are left out.
> jb1 is a Domain Controller running Microsoft Server 2003.
> magicsoft is the name of the domain.
> testadmin is a user in the default Users container.
> If the code is run on the magicsoft server there is no problem,
> and the access rights of user testadmin for the folder TEMP are
> set correctly.
>
> If the program is run remotely from my laptop running XP Pro,
> the error "Security ID structure is invalid" is produced by the line
> objADsSecurityUtility.SetSecurityDescriptor File, ADS_PATH_FILE, objSD, ADS_SD_FORMAT_IID
>
> If the user-string "magicsoft\testadmin" is altered to "testadmin",
> which is a local user on the laptop, the program runs without error
> and places Account Unknown in the TEMP folder's security permissions.
>
> I would be grateful for any help with getting this to work.
> Thanks in anticipation
>
> John Birtwistle
>
>
> Private Sub Command1_Click()
>     AddACEToFile "\\jb1\c$\Temp", "magicsoft\testadmin"
> End Sub
>
> Public Sub AddACEToFile(File As String, Trustee As String)
>
>     Dim objAce As AccessControlEntry    ' variable for the new ACE
>     Dim objSD As SecurityDescriptor     ' variable for the Security Descriptor of the object
>     Dim objDacl As AccessControlList    ' variable for the DACL of the object
>     Dim objADsSecurityUtility As ADsSecurityUtility
>     ' Create an ADsSecurityUtility object.
>     Set objADsSecurityUtility = CreateObject("ADsSecurityUtility")
>     ' Get the Security Descriptor for the given NTFS File path.
>     Set objSD = objADsSecurityUtility.GetSecurityDescriptor(File, ADS_PATH_FILE, ADS_SD_FORMAT_IID)
>     ' Get the Discretionary ACL for the key.
>     Set objDacl = objSD.DiscretionaryAcl
>     ' Create an ACE object.
>     Set objAce = CreateObject("AccessControlEntry")
>     ' Set the IADsAccessControlEntry::Trustee attribute.
>     objAce.Trustee = Trustee
>     ' Set the IADsAccessControlEntry::AccessMask attribute.
>     objAce.AccessMask = FILE_GENERIC_READ Or _
>                         FILE_GENERIC_WRITE Or _
>                         FILE_GENERIC_EXECUTE Or _
>                         DELETE
>     ' Set the IADsAccessControlEntry::AceType attribute.
>     objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED
>     ' Set the IADsAccessControlEntry::AceFlags attribute.
>     objAce.AceFlags = OBJECT_INHERIT_ACE Or CONTAINER_INHERIT_ACE
>     ' Place the ACE on the DACL.
>     objDacl.AddAce objAce
>     ' Place the DACL back onto the SD.
>     objSD.DiscretionaryAcl = objDacl
>     ' Place the SD back onto the file.
>     ' Next line does not work when run remotely from server
>
>     objADsSecurityUtility.SetSecurityDescriptor File, ADS_PATH_FILE, objSD, ADS_SD_FORMAT_IID
>
>     Set objAce = Nothing
>     Set objDacl = Nothing
>     Set objSD = Nothing
>     Set objADsSecurityUtility = Nothing
> End Sub

--
rheller
------------------------------------------------------------------------
Posted via http://www.codecomments.com
------------------------------------------------------------------------
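The conversion rheller describes, as an added example that is not part of either post: a pure-Python rendering of what ConvertSidToStringSid does to a binary objectSid (and the inverse, as ConvertStringSidToSid does), with input checks so a malformed SID is rejected instead of ending up as "Account Unknown" in an ACL. The sample objectSid bytes are constructed for illustration and do not belong to a real account.

```python
import struct


def sid_bytes_to_string(sid: bytes) -> str:
    """Render a binary SID (e.g. the objectSid attribute) as S-R-I-S-S...

    Layout: Revision (1 byte), SubAuthorityCount (1 byte),
    IdentifierAuthority (6 bytes, big-endian), then SubAuthorityCount
    little-endian 32-bit sub-authorities.
    """
    if len(sid) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, count = sid[0], sid[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(sid) != 8 + 4 * count:
        raise ValueError("SID length does not match SubAuthorityCount")
    authority = int.from_bytes(sid[2:8], "big")
    # Authorities that fit in 32 bits print in decimal, larger ones as 0x + 12 hex digits
    auth_text = str(authority) if authority < 2**32 else f"0x{authority:012X}"
    subs = struct.unpack_from(f"<{count}I", sid, 8)
    return "-".join(["S", str(revision), auth_text, *map(str, subs)])


def sid_string_to_bytes(sid_text: str) -> bytes:
    """Inverse of sid_bytes_to_string: S-1-5-21-... back to the binary form."""
    parts = sid_text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID string: {sid_text!r}")
    revision = int(parts[1])
    authority = int(parts[2], 0)  # base 0 also accepts the 0x... authority form
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 2**48:
        raise ValueError(f"SID out of range: {sid_text!r}")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


# Constructed sample objectSid for a domain user (S-1-5-21-<domain>-1104); not a real account.
SAMPLE_OBJECTSID = bytes.fromhex(
    "0105" "000000000005" "15000000" "E8030000" "D0070000" "B80B0000" "50040000"
)

if __name__ == "__main__":
    # The string form is what goes into IADsAccessControlEntry::Trustee instead of "domain\user".
    trustee = sid_bytes_to_string(SAMPLE_OBJECTSID)
    print("Trustee string for the ACE:", trustee)
    assert sid_string_to_bytes(trustee) == SAMPLE_OBJECTSID
```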