Re: DirectorySecurity and ACLs



Yeah, you need 2003 native for protocol transition (S4U). However, perhaps
you could p/invoke the AuthZAccessCheck function?

Joe K.

"Dominick Baier [DevelopMentor]" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:4580be631960688c7f653a3d523ed@xxxxxxxxxxxxxxxxxxxxx
Hi,
this overload which uses the Kerberos S4U services works only on Windows
2003 and if your domain is in 2003 functionality mode - this means every
DC must be Windows 2003.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Thanks for the response.

We have a mix of 2000 and 2003 DCs in our forest. I have tried the
new WindowsPrincipal(new WindowsIdentity(username)).IsInRole() and get
the error "Invalid Function". Any idea how to correct that?

I do realize that the local groups on the remote servers will not be
easily checked, but 98% of our permissions are AD group based, so I
should be mostly ok.

Thanks!

"Henning Krause [MVP]" wrote:

Hello,

that's very difficult to do... especially if the ACL is from another
computer... think of this:

There is an Explicit READ ACL for LocalAdministrators on machine X.
LocalGroupA contains a global group which contains UserA.

If you check that ACL from a different computer, you cannot easily
check whether UserA has access rights on that folder. See
http://blogs.msdn.com/oldnewthing/archive/2006/02/02/523171.aspx for
more information on this topic.

As for the WindowsPrincipal.IsInRole... with .NET 2.0 and a Windows 2003
Domain, you can use
new WindowsPrincipal(new WindowsIdentity(username)).IsInRole().
See http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/
for more on this Kerberos S4U feature.

Greetings,
Henning Krause
"Jaret Langston" <jaret.langston@xxxxxxxxx> wrote in message
news:732FC1CC-F81E-4CBF-B5D8-C19E0ECD806F@xxxxxxxxxxxxxxxx

I want to check the ACL rights on a directory/file and see if an ACL
for a Group or User is covered by another ACL. The goal is to check the
directory/file ACLs for redundant rule sets. I am using VS2005 and
Framework 2.0 for this code.
For example:

There is an Explicit READ ACL for UserX.
There is an Inherited Change ACL for GroupY.
How do I determine if UserX is covered by the GroupY ACL?
The application is NOT being executed by UserX, so the
WindowsPrincipal.IsInRole is not an option (that I know of).
Thanks for any assistance.

--
Jaret Langston
Amsouth Bank
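The S4U route Henning describes (new WindowsIdentity(username)) applied to the original redundancy question, as an added example that is not code from any poster in this thread. It assumes .NET 2.0 on a machine that can do the S4U logon, takes a directory path and a user principal name as constructed command-line arguments, and reports explicit Allow ACEs for that user that are already granted by an inherited Allow ACE for one of the user's groups. It ignores Deny ACEs and inheritance/propagation flags, and the group list comes from the checking machine's token, so local groups of a remote file server are not seen (Henning's caveat).

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class AclCoverageCheck
{
    static void Main(string[] args)
    {
        string path = args[0];   // e.g. \\server\share\folder (constructed input)
        string upn  = args[1];   // e.g. userx@corp.example (constructed input)

        // S4U logon: per the thread this needs Windows 2003 DCs at 2003 functional level.
        // The token reflects domain groups plus the LOCAL groups of this machine only.
        WindowsIdentity user = new WindowsIdentity(upn);
        SecurityIdentifier userSid = user.User;

        DirectorySecurity ds = Directory.GetAccessControl(path, AccessControlSections.Access);
        AuthorizationRuleCollection rules =
            ds.GetAccessRules(true, true, typeof(SecurityIdentifier));

        foreach (FileSystemAccessRule explicitRule in rules)
        {
            // Only explicit Allow ACEs naming this user are candidates for redundancy.
            if (explicitRule.IsInherited
                || explicitRule.AccessControlType != AccessControlType.Allow
                || !userSid.Equals(explicitRule.IdentityReference))
                continue;

            foreach (FileSystemAccessRule inherited in rules)
            {
                if (!inherited.IsInherited
                    || inherited.AccessControlType != AccessControlType.Allow
                    || !user.Groups.Contains(inherited.IdentityReference))
                    continue;

                // Redundant only if every right in the explicit ACE is in the inherited one.
                // Deny ACEs are not considered here; a Deny for the group would change the answer.
                bool covered = (explicitRule.FileSystemRights & ~inherited.FileSystemRights) == 0;
                if (covered)
                    Console.WriteLine("Explicit {0} for {1} is covered by inherited {2} for {3}",
                        explicitRule.FileSystemRights, upn, inherited.FileSystemRights,
                        inherited.IdentityReference.Translate(typeof(NTAccount)));
            }
        }
    }
}
```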
