Re: DirectorySecurity and ACLs


This overload, which uses the Kerberos S4U services, works only on Windows 2003 and if your domain is in 2003 functionality mode; this means every DC must be Windows 2003.

Dominick Baier - DevelopMentor

Thanks for the response.

We have a mix of 2000 and 2003 DCs in our forest. I have tried the
new WindowsPrincipal(new WindowsIdentity(username)).IsInRole() and get
the error "Invalid Function". Any idea how to correct that?

I do realize that the local groups on the remote servers will not be
easily checked, but 98% of our permissions are AD group based, so I
should be mostly ok.


"Henning Krause [MVP]" wrote:


That's very difficult to do... especially if the ACL is from another
computer. Think of this:

There is an Explicit READ ACL for LocalAdministrators on machine X.
LocalGroupA contains a global group which contains UserA.

If you check that ACL from a different computer, you cannot easily
check whether UserA has access rights on that folder. See for
more information on this topic.

As for WindowsPrincipal.IsInRole... with .NET 2.0 and a Windows
Domain, you can use
new WindowsPrincipal(new WindowsIdentity(username)).IsInRole().
for more on this Kerberos S4U feature.

Henning Krause
"Jaret Langston" <jaret.langston@xxxxxxxxx> wrote in message

I want to check the ACL rights on a directory/file and see if an ACL
for a Group or User is covered by another ACL. The goal is to check the
directory/file ACLs for redundant rule sets. I am using VS2005 and
2.0 for this code.
For example:

There is an Explicit READ ACL for UserX.
There is an Inherited Change ACL for GroupY.
How do I determine if UserX is covered by the GroupY ACL?
The application is NOT being executed by UserX, so the
WindowsPrincipal.IsInRole is not an option (that I know of).
Thanks for any assistance.

Jaret Langston
Amsouth Bank
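As an added example (not code from anyone in this thread), here is the membership check Henning suggests applied to Jaret's redundancy question, with the limits Dominick and Henning raise noted in comments. The directory path and user UPN are assumed command-line arguments; everything else is .NET 2.0 API.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class AclRedundancyCheck
{
    // Usage (assumed): AclRedundancyCheck.exe \\server\share\folder user@corp.example
    static void Main(string[] args)
    {
        string path = args[0];
        string userUpn = args[1]; // the S4U constructor expects a UPN, not DOMAIN\user

        // S4U logon without the user's password. Per Dominick's note, this needs
        // Windows 2003 DCs and the 2003 domain functional level to succeed.
        WindowsIdentity identity = new WindowsIdentity(userUpn);
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        SecurityIdentifier userSid = identity.User;

        DirectorySecurity security = Directory.GetAccessControl(path);
        AuthorizationRuleCollection rules =
            security.GetAccessRules(true, true, typeof(SecurityIdentifier));

        foreach (FileSystemAccessRule userRule in rules)
        {
            // Only explicit Allow entries for the user are candidates for redundancy.
            if (userRule.IsInherited || userRule.AccessControlType != AccessControlType.Allow) continue;
            if (!userSid.Equals((SecurityIdentifier)userRule.IdentityReference)) continue;

            foreach (FileSystemAccessRule groupRule in rules)
            {
                if (groupRule == userRule || groupRule.AccessControlType != AccessControlType.Allow) continue;
                SecurityIdentifier groupSid = (SecurityIdentifier)groupRule.IdentityReference;
                if (groupSid.Equals(userSid)) continue;

                // IsInRole consults the groups in the S4U token. As Henning points out,
                // local groups of a remote machine are not in that token, so coverage
                // through a remote local group is missed here.
                if (!principal.IsInRole(groupSid)) continue;

                // Covered only if the group entry grants every right the user entry
                // grants and applies at least as broadly (inheritance flags).
                bool rightsCovered = (groupRule.FileSystemRights & userRule.FileSystemRights) == userRule.FileSystemRights;
                bool scopeCovered = (groupRule.InheritanceFlags & userRule.InheritanceFlags) == userRule.InheritanceFlags;
                if (rightsCovered && scopeCovered)
                    Console.WriteLine("Redundant: {0} {1} is covered by {2} {3}",
                        userSid, userRule.FileSystemRights, groupSid, groupRule.FileSystemRights);
            }
        }
    }
}
```

Deny entries are deliberately skipped: a Deny for GroupY does not make UserX's Allow redundant, it overrides it, which is a different review question.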