Re: DirectorySecurity and ACLs
- From: "Joe Kaplan \(MVP - ADSI\)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 2 Feb 2006 14:40:16 -0600
Yeah, you need 2003 native for protocol transition (S4U). However, perhaps
you could p/invoke the AuthZAccessCheck function?
Joe K.
"Dominick Baier [DevelopMentor]" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:4580be631960688c7f653a3d523ed@xxxxxxxxxxxxxxxxxxxxx
Hi,
this overload which uses the Kerberos S4U services works only on Windows
2003 and if your domain is in 2003 functionality mode - this means every
DC must be Windows 2003.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Thanks for the response.
We have a mix of 2000 and 2003 DCs in our forest. I have tried the
new WindowsPrincipal(new WindowsIdentity(username)).IsInRole() and get
the error "Invalid Function". Any idea how to correct that?
I do realize that the local groups on the remote servers will not be
easily checked, but 98% of our permissions are AD group based, so I
should be mostly ok.
Thanks!
"Henning Krause [MVP]" wrote:
Hello,
that's very difficult to do... especially if the ACL is from another
computer... think of this:
There is an Explicit READ ACL for LocalAdministrators on machine X.
LocalGroupA contains a global group which contains UserA.
If you check that ACL from a different computer, you cannot easily
check whether UserA has access rights on that folder. See
http://blogs.msdn.com/oldnewthing/archive/2006/02/02/523171.aspx for
more information on this topic.
As for the WindowsPrincipal.IsInRole... with .NET 2.0 and a Windows 2003
Domain, you can use
new WindowsPrincipal(new WindowsIdentity(username)).IsInRole().
See http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/
for more on this Kerberos S4U feature.
Greetings,
Henning Krause
"Jaret Langston" <jaret.langston@xxxxxxxxx> wrote in message
news:732FC1CC-F81E-4CBF-B5D8-C19E0ECD806F@xxxxxxxxxxxxxxxx
I want to check the ACL rights on a directory/file and see if an ACL
for a Group or User is covered by another ACL. The goal is to check the
directory/file ACLs for redundant rule sets. I am using VS2005 and
Framework 2.0 for this code.
For example:
There is an Explicit READ ACL for UserX.
There is an Inherited Change ACL for GroupY.
How do I determine if UserX is covered by the GroupY ACL?
The application is NOT being executed by UserX, so the
WindowsPrincipal.IsInRole is not an option (that I know of).
Thanks for any assistance.
--
Jaret Langston
Amsouth Bank
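An added example (my own code, not from any poster in this thread) of the redundancy check Jaret asks for, done the way Henning describes: group membership is resolved through the S4U-based WindowsIdentity(upn) logon, so it assumes .NET 2.0 on a Windows 2003 domain, a user supplied as a UPN, and the DirectorySecurity of the directory under review; AclRedundancy and FindRedundantUserRules are names I chose.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Reports explicit Allow ACEs for one user that are already covered by an
// Allow ACE for a group the user belongs to. Membership comes from the S4U
// logon discussed in the thread (.NET 2.0, Windows 2003 domain); as Henning
// notes, local groups on a remote server are not expanded this way.
static class AclRedundancy
{
    public static List<string> FindRedundantUserRules(DirectorySecurity security, string userUpn)
    {
        WindowsIdentity identity = new WindowsIdentity(userUpn);   // S4U logon, no password
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        List<string> findings = new List<string>();
        // Fetch once: each GetAccessRules call builds fresh rule objects.
        AuthorizationRuleCollection rules =
            security.GetAccessRules(true, true, typeof(SecurityIdentifier));
        foreach (FileSystemAccessRule rule in rules)
        {
            // Candidates: explicit Allow ACEs granted directly to this user.
            if (rule.IsInherited || rule.AccessControlType != AccessControlType.Allow
                || !identity.User.Equals(rule.IdentityReference))
                continue;
            foreach (FileSystemAccessRule other in rules)
            {
                if (ReferenceEquals(rule, other) || other.AccessControlType != AccessControlType.Allow)
                    continue;
                SecurityIdentifier groupSid = (SecurityIdentifier)other.IdentityReference;
                if (groupSid.Equals(identity.User) || !principal.IsInRole(groupSid))
                    continue;   // same principal, or the user is not a member of this group
                // The group ACE must grant at least the same rights and apply at
                // least as broadly (inheritance flags) as the user ACE does.
                if ((other.FileSystemRights & rule.FileSystemRights) != rule.FileSystemRights
                    || (other.InheritanceFlags & rule.InheritanceFlags) != rule.InheritanceFlags)
                    continue;
                findings.Add(string.Format("{0} for {1} is covered by {2} ({3}{4})",
                    rule.FileSystemRights, userUpn, groupSid.Translate(typeof(NTAccount)),
                    other.FileSystemRights, other.IsInherited ? ", inherited" : ""));
            }
        }
        // Deny ACEs are ignored here: a Deny for the group would make the
        // explicit Allow non-redundant and needs a separate evaluation.
        return findings;
    }
}
```

Call it as FindRedundantUserRules(Directory.GetAccessControl(path), "user@domain.example") on a machine joined to the domain; each returned string names one explicit user ACE that a group ACE already satisfies.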