Re: Renewing Kerberos ticket

From: Amihai Bareket (amihai73_at_hotmail.com)
Date: 03/01/05


Date: Tue, 1 Mar 2005 08:41:55 +0200

Just to clarify -
Regular users don't run this script.

We use it to build new organizational units in AD.
Each OU we create is followed by a creation of several security groups and
then several folders which the new groups have permissions to.
The script adds the "Domain Admin" group to one of the newly created
security groups, then I need to set ACL on the new folder only for the new
group.

Can you think of another way of doing this?

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:eB6hNciHFHA.560@TK2MSFTNGP12.phx.gbl...
> The account must log off and back on.
> There is no other way. Refreshing a ticket does not
> refresh the user token that is in use. Only getting a
> new TGT through login authentication does that.
>
> However, there is something that does not make sense in
> what you have said.
> The user runs a script that creates a group and adds themselves
> to the group. The script then attempts to alter an ACL but are
> denied due to permissions. You say that if their user token
> were refreshed to see the new group and their membership in
> it then they would not be denied. I do not see how that is so,
> but do see how that seems impossible.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Amihai Bareket" <amihai73@hotmail.com> wrote in message
> news:eQGERJiHFHA.3076@tk2msftngp13.phx.gbl...
>> I'm working with a script that's creating new AD Security groups and
>> changing their membership.
>> The user that runs the script is added as a member of the new groups.
>> Once the groups are created I need the script to create folders and set ACL
>> on these folders using the new groups.
>> Because the groups are newly created, the information that indicates that
>> the logged in user (the one that's running the script) is a member of the
>> new groups is not included in the Kerberos ticket he's been granted on
>> logon.
>> The permission change on the file system fails because of this with an
>> access denied message (makes sense...). I'm using XCACLS to set the
>> permissions on the new folders.
>>
>> Is there a way to request a renewal to a user's Kerberos ticket from a
>> script or batch so that he will receive a new or renewed ticket with the
>> new group information?
>>
>>
>>
>
>
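The sequence the thread describes, as an added example in PowerShell with the RSAT ActiveDirectory module (neither of which existed when this was posted); it is not Amihai's script nor code from the thread. The group and folder names are hypothetical parameters, and the script assumes it runs on a domain-joined host as an account that can create groups in AD and owns the folder it creates. It makes the point from the discussion checkable: the current logon token's group list is fixed at logon, so a group membership added by the script is visible in AD but absent from the running token until the user logs on again, while granting that group on the new folder needs only WRITE_DAC on the folder, which the folder's owner always has, not membership in the group.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module and a domain-joined host; $GroupName and $FolderPath are hypothetical.
param(
    [Parameter(Mandatory)] [string] $GroupName,   # e.g. "ACL-Finance-RW" (constructed)
    [Parameter(Mandatory)] [string] $FolderPath   # e.g. "D:\Shares\Finance" (constructed)
)

Import-Module ActiveDirectory

# 1. Create the security group (or reuse it) and keep its SID, so later steps
#    never depend on resolving a freshly created name.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -PassThru
}
$groupSid = [System.Security.Principal.SecurityIdentifier] $group.SID.Value

# 2. Add the running account to the group, then compare what AD says with what
#    the current token carries. The token's groups were built at logon and do
#    not change when AD membership changes.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Add-ADGroupMember -Identity $group -Members $me.User.Value -ErrorAction SilentlyContinue
$adMembers   = Get-ADGroupMember -Identity $group | ForEach-Object { $_.SID.Value }
$adHasMe     = $adMembers -contains $me.User.Value
$tokenHasGrp = $me.Groups -contains $groupSid
if ($adHasMe -and -not $tokenHasGrp) {
    Write-Warning ("AD lists {0} in {1}, but the current token does not carry that group; " +
                   "a new logon is required before the membership grants anything.") -f $me.Name, $GroupName
}

# 3. Create the folder and grant the new group on it. This needs WRITE_DAC on
#    the folder, which the owner holds implicitly, so it does not depend on step 2.
if (-not (Test-Path -Path $FolderPath)) {
    New-Item -ItemType Directory -Path $FolderPath | Out-Null
}
$acl  = Get-Acl -Path $FolderPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $groupSid,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# 4. Verify the ACE by SID rather than by name, so the check is not affected by
#    name-lookup lag for the new group.
(Get-Acl -Path $FolderPath).Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid }
```

If step 3 is denied while step 4 would otherwise succeed, the cause is the folder's DACL or ownership, not the token's missing group; if a later access as a member of the new group is denied, the warning from step 2 is the explanation, and the remedy is the one Roger gives above: log off and back on.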


