Re: DirectorySecurity and ACLs


This overload, which uses the Kerberos S4U services, works only on Windows 2003 and if your domain is in 2003 functionality mode - this means every DC must be Windows 2003.

Dominick Baier - DevelopMentor

Thanks for the response.

We have a mix of 2000 and 2003 DCs in our forest. I have tried the
new WindowsPrincipal(new WindowsIdentity(username)).IsInRole() and get
the error "Invalid Function". Any idea how to correct that?

I do realize that the local groups on the remote servers will not be
easily checked, but 98% of our permissions are AD group based, so I
should be mostly ok.


"Henning Krause [MVP]" wrote:


That's very difficult to do... especially if the ACL is from another
computer... think of this:

There is an Explicit READ ACL for LocalAdministrators on machine X.
LocalGroupA contains a global group which contains UserA.

If you check that ACL from a different computer, you cannot easily
check whether UserA has access rights on that folder. See for
more information on this topic.

As for the WindowsPrincipal.IsInRole.. with .NET 2.0 and a Windows
Domain, you can use
new WindowsPrincipal(new WindowsIdentity(username)).IsInRole().
for more on this Kerberos S4U Feature.

Henning Krause
"Jaret Langston" <jaret.langston@xxxxxxxxx> wrote in message

I want to check the ACL rights on a directory/file and see if an ACL
for a Group or User is covered by another ACL. The goal is to check the
directory/file ACLs for redundant rule sets. I am using VS2005 and
2.0 for this code.
For example:

There is an Explicit READ ACL for UserX.
There is an Inherited Change ACL for GroupY.
How do I determine if UserX is covered by the GroupY ACL?
The application is NOT being executed by UserX, so the
WindowsPrincipal.IsInRole is not an option (that I know of).
Thanks for any assistance.

Jaret Langston
Amsouth Bank
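
The coverage test asked about in this thread, as an added example that is not code from any poster: it reports explicit Allow rules for a user whose rights are already granted in full by an Allow rule for one of the user's groups. The class and method names and the SIDs are constructed for illustration; in real use the rules would come from `Directory.GetAccessControl(path).GetAccessRules(true, true, typeof(SecurityIdentifier))` and the group SIDs from `new WindowsIdentity(upn).Groups`, the S4U overload discussed above.

```csharp
using System;
using System.Collections.Generic;
using System.Security.AccessControl;
using System.Security.Principal;

static class RedundantAceCheck   // hypothetical name, not from the thread
{
    // Explicit Allow rules for userSid that an Allow rule for one of the
    // user's groups already grants in full (same or wider rights and scope).
    public static List<FileSystemAccessRule> FindCovered(
        ICollection<FileSystemAccessRule> rules, SecurityIdentifier userSid,
        ICollection<SecurityIdentifier> groupSids)
    {
        List<FileSystemAccessRule> covered = new List<FileSystemAccessRule>();
        foreach (FileSystemAccessRule u in rules)
        {
            if (u.IsInherited || u.AccessControlType != AccessControlType.Allow) continue;
            if (!userSid.Equals(u.IdentityReference)) continue;
            foreach (FileSystemAccessRule g in rules)
            {
                SecurityIdentifier sid = g.IdentityReference as SecurityIdentifier;
                if (sid == null || !groupSids.Contains(sid)) continue;
                if (g.AccessControlType != AccessControlType.Allow) continue;
                // Conservative: every right bit and inheritance flag of the user
                // rule must be present on the group rule, with equal propagation.
                bool rights = (u.FileSystemRights & g.FileSystemRights) == u.FileSystemRights;
                bool scope = (u.InheritanceFlags & g.InheritanceFlags) == u.InheritanceFlags
                             && u.PropagationFlags == g.PropagationFlags;
                if (rights && scope) { covered.Add(u); break; }
            }
        }
        return covered;
    }

    static void Main()
    {
        // Constructed SIDs standing in for UserX and GroupY.
        SecurityIdentifier userX = new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1001");
        SecurityIdentifier groupY = new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-2001");
        InheritanceFlags both = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
        List<FileSystemAccessRule> rules = new List<FileSystemAccessRule>();
        rules.Add(new FileSystemAccessRule(userX, FileSystemRights.Read, both, PropagationFlags.None, AccessControlType.Allow));
        rules.Add(new FileSystemAccessRule(groupY, FileSystemRights.Modify, both, PropagationFlags.None, AccessControlType.Allow));
        List<SecurityIdentifier> groups = new List<SecurityIdentifier>();
        groups.Add(groupY);   // constructed membership: UserX is in GroupY
        foreach (FileSystemAccessRule r in FindCovered(rules, userX, groups))
            Console.WriteLine("Redundant: {0} {1}", r.IdentityReference, r.FileSystemRights);
    }
}
```

Deny rules are ignored here, so review any Deny entries for the same groups before removing a rule reported as redundant. Local groups defined on a remote server do not appear in a token built on another machine, so rules granted to them are never matched.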

