Re: Have a NTAccount, need FileSystem permissions



Hi Dominick,

to get the SID of a user - you simply need to construct a NTAccount object
like

NTAccount acc = new NTAccount("domain\\user");

afterwards you translate to a SID:

SecurityIdentifier sid = (SecurityIdentifier)acc.Translate(typeof(SecurityIdentifier));

you get the SID now using:

sid.Value;

that's the equivalent of user.User.IdentityReference.

In some respect you are right, but the problem is that starting from a
NTAccount object I don't know whether this is a group or a personal
account. It was only possible using instances of WindowsIdentity where
I got the User.IdentityReference property as a bonus, so I can save
myself those few lines of code (performance is not a key factor here).


This eliminates the need for the NegotiateStream handshake.


No, it doesn't, since I need to know which groups a personal NTAccount
belongs to, to actually check the access rights for group membership as
well.

The more I look into it the less I like the .NET 2.0 changes of the
namespaces System.Security.Principal and System.Security.AccessControl.
There are lots of examples how to change access/audit rules, but
surprisingly(!) there are none to check these rules. Furthermore the
object model is unbalanced, e.g. the rights enumerations don't have a
common interface/class. Just a random frustration rant - please ignore.

If OO would have been applied correctly, I should be able to implement
such a method:
public static bool HasRight (
System.Security.AccessControl.ObjectSecurity objectSecurity,
System.Security.Principal.IPrincipal principal,
System.Security.AccessControl.AccessRule right );

(Actually something similar should be part of ObjectSecurity)
Let's see what .NET 2.1 brings here :-(

Basically I have to leave managed code and go to unmanaged.

Best regards,
Franz
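
Added example, not part of the original message: a managed approximation of the rights check discussed above, limited to file system ACLs and a WindowsIdentity (which already carries the group SIDs). The class name AclCheck and the sample path are assumptions; owner rights, privileges and deny-only groups are not modelled, so the unmanaged AccessCheck API remains the authoritative answer.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

public static class AclCheck   // hypothetical helper name
{
    // True when every bit of 'wanted' is allowed to the identity's user SID
    // or one of its group SIDs, and none of those bits is denied.
    public static bool HasRight(FileSystemSecurity security,
                                WindowsIdentity identity,
                                FileSystemRights wanted)
    {
        // SIDs in the token: the user itself plus every group it belongs to.
        var sids = new HashSet<SecurityIdentifier> { identity.User };
        foreach (IdentityReference g in identity.Groups)
            sids.Add((SecurityIdentifier)g.Translate(typeof(SecurityIdentifier)));

        FileSystemRights allowed = 0, denied = 0;
        // Explicit and inherited ACEs, with identities returned as SIDs.
        foreach (FileSystemAccessRule ace in
                 security.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (!sids.Contains((SecurityIdentifier)ace.IdentityReference))
                continue;
            // Inherit-only ACEs apply to child objects, not to this one.
            if ((ace.PropagationFlags & PropagationFlags.InheritOnly) != 0)
                continue;
            if (ace.AccessControlType == AccessControlType.Deny)
                denied |= ace.FileSystemRights;
            else
                allowed |= ace.FileSystemRights;
        }
        // Simplification: a matching deny always wins, regardless of ACE order.
        return (allowed & ~denied & wanted) == wanted;
    }

    public static void Main(string[] args)
    {
        // Directory to inspect; defaults to the system directory.
        string path = args.Length > 0 ? args[0] : Environment.SystemDirectory;
        FileSystemSecurity acl = new DirectoryInfo(path).GetAccessControl();
        using (WindowsIdentity me = WindowsIdentity.GetCurrent())
            Console.WriteLine("{0} can read {1}: {2}", me.Name, path,
                HasRight(acl, me, FileSystemRights.Read));
    }
}
```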
