Re: DirectorySecurity and ACLs



Hello,

I'm not sure but I believe you must be at Windows 2000 Domain functional
level... And the constructor of the WindowsIdentity class can only be called
from a Windows 2003 Server.

Greetings,
Henning Krause

"Jaret Langston" <jaret.langston@xxxxxxxxx> wrote in message
news:D5DF1C3C-106B-4C8E-B548-C34F8DBED9F2@xxxxxxxxxxxxxxxx
Thanks for the response.

We have a mix of 2000 and 2003 DCs in our forest. I have tried the new
WindowsPrincipal(new WindowsIdentity(username)).IsInRole() and get the error
"Invalid Function". Any idea how to correct that?

I do realize that the local groups on the remote servers will not be easily
checked, but 98% of our permissions are AD group based, so I should be mostly
ok.

Thanks!

--
Jaret Langston
Amsouth Bank


"Henning Krause [MVP]" wrote:

Hello,

That's very difficult to do... especially if the ACL is from another
computer... Think of this:

There is an Explicit READ ACL for LocalAdministrators on machine X.
LocalGroupA contains a global group which contains UserA.

If you check that ACL from a different computer, you cannot easily check
whether UserA has access rights on that folder. See
http://blogs.msdn.com/oldnewthing/archive/2006/02/02/523171.aspx for more
information on this topic.

As for the WindowsPrincipal.IsInRole... with .NET 2.0 and a Windows 2003
Domain, you can use
new WindowsPrincipal(new WindowsIdentity(username)).IsInRole().

See http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/ for more
on this Kerberos S4U feature.

Greetings,
Henning Krause

"Jaret Langston" <jaret.langston@xxxxxxxxx> wrote in message
news:732FC1CC-F81E-4CBF-B5D8-C19E0ECD806F@xxxxxxxxxxxxxxxx
I want to check the ACL rights on a directory/file and see if an ACL for a
Group or User is covered by another ACL. The goal is to check the
directory/file ACLs for redundant rule sets. I am using VS2005 and Framework
2.0 for this code.

For example:

There is an Explicit READ ACL for UserX.
There is an Inherited Change ACL for GroupY.
How do I determine if UserX is covered by the GroupY ACL?
The application is NOT being executed by UserX, so the
WindowsPrincipal.IsInRole is not an option (that I know of).

Thanks for any assistance.

--
Jaret Langston
Amsouth Bank
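
The redundancy check asked about in this thread, as an added example that is not code from either poster: it builds the user's identity with the UPN-only WindowsIdentity constructor (the S4U logon discussed above) and reports explicit user rules whose rights are already granted by a rule for a group the user belongs to. The class name and command-line arguments are assumptions; it considers Allow rules only, and group membership is evaluated from the machine running the check, so local groups defined on a remote server are not resolved.

```csharp
// Added example: find explicit user ACEs that a group ACE already covers.
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
static class RedundantAclCheck   // hypothetical name
{
    // True when every right in 'inner' is also granted by 'outer' (Allow rules only).
    static bool Covers(FileSystemAccessRule outer, FileSystemAccessRule inner)
    {
        return outer.AccessControlType == AccessControlType.Allow
            && inner.AccessControlType == AccessControlType.Allow
            && (outer.FileSystemRights & inner.FileSystemRights) == inner.FileSystemRights;
    }
    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: RedundantAclCheck <directory> <user@domain>");
            return 2;
        }
        // UPN-only constructor: Kerberos S4U logon, no password needed.
        using (WindowsIdentity identity = new WindowsIdentity(args[1]))
        {
            WindowsPrincipal principal = new WindowsPrincipal(identity);
            AuthorizationRuleCollection rules = new DirectoryInfo(args[0])
                .GetAccessControl()
                .GetAccessRules(true, true, typeof(SecurityIdentifier));
            foreach (FileSystemAccessRule userRule in rules)
            {
                // Candidates: explicit (non-inherited) rules written for the user itself.
                if (userRule.IsInherited || !userRule.IdentityReference.Equals(identity.User))
                    continue;
                foreach (FileSystemAccessRule other in rules)
                {
                    SecurityIdentifier sid = (SecurityIdentifier)other.IdentityReference;
                    // Skip the user's own rules, inherit-only rules, and groups the user is not in.
                    if (sid.Equals(identity.User) || !principal.IsInRole(sid)
                        || (other.PropagationFlags & PropagationFlags.InheritOnly) != 0)
                        continue;
                    if (Covers(other, userRule))
                        Console.WriteLine("{0} for {1} is covered by {2} ({3})",
                            userRule.FileSystemRights, args[1], sid, other.FileSystemRights);
                }
            }
        }
        return 0;
    }
}
```

A reported rule is only a candidate for removal: Deny rules and differences in inheritance flags between the two rules still need to be reviewed before deleting anything.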




