Re: DirectoryEntry.Invoke access is denied

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 05/13/05


Date: Fri, 13 May 2005 16:12:13 -0500

Ok, that makes more sense. I have a couple of questions for you:
 - Are you using Active Directory, an NT4 domain or local machine groups?
 - Is your AD domain 2003 native mode?
 - Is your server Windows 2003?

My sense is that you should really be using the AzMan APIs to be doing what
you are trying to do. Trying to calculate group membership using Directory
Services calls is hard and it is much easier to let Windows do this for you.
There are quite a few options though:
 - If you have 2003 AD and 2003 server to run on, you can use the "S4U"
constructor for WindowsIdentity to create a WindowsIdentity for an arbitrary
user. From it, you can create a WindowsPrincipal and call IsInRole on that.
This is very easy and will be reasonably fast if you do some caching.
 - Another option is to use the AzMan APIs to create an AzMan context for
the user and perform authorizations against it. I can't comment on
performance here.
 - If you have AD, you can do a better job looking up groups using LDAP and
the tokenGroups constructed attribute. TokenGroups calculates fully nested
group membership and includes the primary group, which you may need. It
also does not include distribution groups (which Members will).

If you do have AD, I would suggest staying far away from the WinNT provider
for ADSI/S.DS, especially in ASP.NET scenarios (partly for the problems you
are having now; they are easier to overcome with LDAP).

Joe K.

"Jason" <Jason@discussions.microsoft.com> wrote in message
news:942393E1-ACCA-490C-9B77-02FB76CB9F0D@microsoft.com...
> Actually, this won't work.
>
> Scenario is User A is trying to modify a database record
> which has a field which is a userid. This userid is another
> staff's user id and the business rule says to ensure that
> the user id typed in here is in the group. I won't be able
> to create a staff B as a user running under staff A security
> context.
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>
>> Why not just use Context.User.IsInRole("domain\group name")?
>>
>> It is a lot easier than trying to get your delegation scenario working and
>> much easier than trying to enumerate the user's groups (which is much, much
>> more complex than the code you show below).
>>
>> Joe K.
>>
>> "Jason" <Jason@discussions.microsoft.com> wrote in message
>> news:8722B18A-802B-4F7F-BA1F-CC841FE7A5C7@microsoft.com...
>> > In an ASP.NET application designed as an intranet using Windows
>> > Authentication.
>> >
>> > I am trying to query a PDC group to see if a string matches a user that
>> > is assigned to the group using the function below. On my development box,
>> > all is ok when I access through debug or using http://localhost. When I
>> > access this on the deployment server 2003 or on my dev box using
>> > http://ipaddress I get an "access is denied" on the line:
>> > object oRet = de.Invoke("Members");
>> >
>> > What changes to security do I need to apply? I have an NT group that
>> > limits all the users that can run this.
>> >
>> > TIA, Jason
>> >
>> > // Requires: using System.Collections; using System.DirectoryServices;
>> > // _log and this.UserId are members of the enclosing page class (not shown).
>> > private bool UserIdExistsInNT4Group()
>> > {
>> >     // Bind to the group through the ADSI WinNT provider
>> >     DirectoryEntry de = new DirectoryEntry();
>> >     de.Path = @"WinNT://wfdcptnt1/CMStest,group";
>> >     // Late-bound call to IADsGroup.Members(); this is the line that throws
>> >     // "access is denied" when the process identity cannot read the group
>> >     object oRet = de.Invoke("Members");
>> >     IEnumerable users = (IEnumerable) oRet;
>> >     foreach (object user in users)
>> >     {
>> >         DirectoryEntry det = new DirectoryEntry(user);
>> >         // "WinNT://DOMAIN/user" -> "DOMAIN\user"
>> >         string tuserid = det.Path;
>> >         tuserid = tuserid.Replace("WinNT://", "");
>> >         tuserid = tuserid.Replace("/", "\\");
>> >         _log.Debug(tuserid);
>> >         if (tuserid.ToUpper() == this.UserId.ToUpper())
>> >         {
>> >             return true;
>> >         }
>> >     }
>> >     return false;
>> > }
>>
>>
>>
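An added example, not code from this thread or from Joe Kaplan's posts, showing the two directory-based checks the reply recommends for an arbitrary user id: the S4U string constructor of WindowsIdentity followed by IsInRole, and the tokenGroups constructed attribute read over LDAP. Both compare against the group's SID rather than its name. It assumes .NET Framework 4 or later, an Active Directory domain on Windows Server 2003 or later, and caller-supplied placeholder values for the LDAP root path, the group name and the user id; the class and method names are this example's own.

```csharp
// Added example (not code from the thread). Assumes .NET Framework 4+, an AD
// domain (2003 native mode or later for the S4U path) and that the web
// application's process identity (a domain account or Network Service) may
// authenticate to the domain and read user objects. All names are placeholders.
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

public static class GroupMembership
{
    // Resolve "DOMAIN\Group" to its SID once, so both checks compare SIDs
    // rather than display names (groups can be renamed; their SIDs cannot).
    public static SecurityIdentifier ResolveGroupSid(string domainBackslashGroup)
    {
        NTAccount account = new NTAccount(domainBackslashGroup);
        return (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
    }

    // Option 1 from the reply: the S4U (string) constructor of WindowsIdentity
    // obtains an identification-level token for another user without that
    // user's password. The target must be given as a UPN ("user@domain.example").
    public static bool IsMemberViaS4U(string userPrincipalName, string domainBackslashGroup)
    {
        SecurityIdentifier groupSid = ResolveGroupSid(domainBackslashGroup);
        using (WindowsIdentity identity = new WindowsIdentity(userPrincipalName))
        {
            // Windows has already computed the fully nested group list in the
            // token, primary group included, so nothing has to be enumerated.
            WindowsPrincipal principal = new WindowsPrincipal(identity);
            return principal.IsInRole(groupSid);
        }
    }

    // Escape a user-typed value before embedding it in an LDAP search filter
    // (RFC 4515). Without this, characters such as '*', '(' and ')' in the
    // typed user id would change the meaning of the query.
    public static string EscapeLdapFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Option 3 from the reply: read the user's tokenGroups constructed
    // attribute over LDAP. It holds the SIDs of every security group the user
    // belongs to (nested groups and the primary group included) and omits
    // distribution groups. Constructed attributes are only returned when
    // requested explicitly, hence the RefreshCache call.
    public static bool IsMemberViaTokenGroups(string ldapRootPath, string samAccountName,
                                              string domainBackslashGroup)
    {
        SecurityIdentifier groupSid = ResolveGroupSid(domainBackslashGroup);
        using (DirectoryEntry root = new DirectoryEntry(ldapRootPath))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                              + EscapeLdapFilterValue(samAccountName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult result = searcher.FindOne();
            if (result == null)
            {
                return false; // unknown user id: report "not a member" rather than throw
            }
            using (DirectoryEntry user = result.GetDirectoryEntry())
            {
                user.RefreshCache(new string[] { "tokenGroups" });
                foreach (byte[] sidBytes in user.Properties["tokenGroups"])
                {
                    if (new SecurityIdentifier(sidBytes, 0).Equals(groupSid))
                    {
                        return true;
                    }
                }
            }
        }
        return false;
    }
}
```

The S4U token is identification-level only, which is enough for IsInRole but not for accessing resources as that user, so it fits the "validate a typed-in staff id" scenario without any delegation setup. The tokenGroups path is the one to use when the value comes from a web form, and the filter escaping is what keeps a typed user id from altering the LDAP query; caching the result per user id, as the reply suggests, avoids a directory round trip on every request.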


