Re: Determine if IdentityReference is a Security Group



Hi Joe,

Thanks for the reply.

> against the SIDs in the ACL. Depending on what matches,
> the allow or deny is calculated.
Correct. But, a User Allow is placed before a Group Deny. For example,
suppose I have a DACL which allows user John Doe, but denies John Doe
Group. John would have access because the user allow is placed before
the group deny. Hence the need to differentiate between the ACEs.

> backup operators can read files that they may not
> actually be granted access to read by the DACL.
I'm going to punt on this in the program.

What I need to do is process a lot of data over the network. So I
want to use the above as a sanity check. This way, the program does
not get 10 minutes in and catch an exception which could have been
determined early. My thinking is, why waste everyone's time with a
basic mistake? I don't like it when I use a program and it happens to
me.

Jeff

On Dec 27, 11:58 am, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I think there is a p/invoke you can use to get the type of the SID, but why
would you need to do this?  Normally, when this type of comparison is being
made, you create a "token" for the user that contains their SID, the
expanded list of group SIDs and all of the other built-in SIDs (like
authenticated users and such) and compare those against the SIDs in the ACL.
Depending on what matches, the allow or deny is calculated.  You don't
actually need to know what the type of the SID is to perform the match.

Also note that OS permissions are more complex than just the ACEs in the
DACL, as OS level privileges are also taken into account by the OS.  For
example, backup operators can read files that they may not actually be
granted access to read by the DACL.  I don't know whether you need to
consider that or not, but that is an important part of the OS authorization
logic.  That is one of the primary reasons why people (like me) generally
recommend that you don't try to implement this logic yourself.  :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Jeffrey Walton" <noloa...@xxxxxxxxx> wrote in message

news:b22f5d3a-fae9-49e8-be84-c78af6b84873@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

[SNIP]
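The two things discussed in the thread, classifying an ACE's SID and walking the DACL the way the OS does, as an added example in PowerShell. This is not code from either poster; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and the function names Get-SidType and Test-DaclAccess are my own. The P/Invoke Joe alludes to is LookupAccountSid, whose SID_NAME_USE output distinguishes SidTypeUser from SidTypeGroup, SidTypeAlias (BUILTIN groups) and SidTypeWellKnownGroup. The walk follows the DACL's actual order, which is what AccessCheck does; note that a canonical DACL orders explicit deny ACEs before explicit allow ACEs regardless of whether the ACE names a user or a group. As Joe warns, privileges such as SeBackupPrivilege and the owner's implicit rights are not modelled, so treat the result as a pre-flight sanity check, not an authorization decision.

```powershell
# Added example, not from the original posts.
# Assumptions: Windows PowerShell 5.1 / PowerShell 7 on Windows; Get-SidType and
# Test-DaclAccess are names chosen here, not a library API.

# Part 1: classify a SID with LookupAccountSid (peUse receives SID_NAME_USE).
Add-Type -Namespace Win32 -Name Advapi32 -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool LookupAccountSid(
    string lpSystemName, byte[] Sid,
    System.Text.StringBuilder lpName, ref uint cchName,
    System.Text.StringBuilder lpReferencedDomainName, ref uint cchReferencedDomainName,
    out int peUse);
'@

# SID_NAME_USE values from winnt.h
$SidNameUse = @{ 1 = 'User'; 2 = 'Group'; 3 = 'Domain'; 4 = 'Alias'; 5 = 'WellKnownGroup';
                 6 = 'DeletedAccount'; 7 = 'Invalid'; 8 = 'Unknown'; 9 = 'Computer'; 10 = 'Label' }

function Get-SidType {
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    $bytes = New-Object 'byte[]' -ArgumentList $Sid.BinaryLength
    $Sid.GetBinaryForm($bytes, 0)
    $name   = New-Object System.Text.StringBuilder 256
    $domain = New-Object System.Text.StringBuilder 256
    [uint32]$cchName = 256
    [uint32]$cchDomain = 256
    [int]$use = 0
    $ok = [Win32.Advapi32]::LookupAccountSid($null, $bytes, $name, [ref]$cchName,
                                              $domain, [ref]$cchDomain, [ref]$use)
    if (-not $ok) { return 'Unresolved' }   # deleted account, unreachable domain, ...
    return $SidNameUse[$use]
}

# Part 2: simplified first-match DACL walk, the way AccessCheck evaluates ACEs.
# Not modelled: the owner's implicit rights, privileges (SeBackupPrivilege,
# SeTakeOwnershipPrivilege), mandatory labels, restricted tokens.
function Test-DaclAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Requested = 'Read'
    )
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # The "token": the user's own SID plus every group SID in the logon token,
    # which already includes well-known SIDs such as Authenticated Users.
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    [int]$remaining = [int]$Requested
    $acl = Get-Acl -LiteralPath $Path
    # GetAccessRules returns rules in DACL order; IdentityReference comes back as a SID.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        # Inherit-only ACEs never apply to the object that carries them.
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        $sid = [System.Security.Principal.SecurityIdentifier]$ace.IdentityReference
        if ($tokenSids -notcontains $sid.Value) { continue }   # ACE is for a SID not in the token
        [int]$aceRights = $ace.FileSystemRights
        $hit = [pscustomobject]@{
            Path = $Path; Access = $null; DecidedBy = $sid.Value
            SidType = Get-SidType $sid; Ace = [string]$ace.AccessControlType
        }
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            # A deny ACE covering any still-outstanding right ends the walk.
            if (($aceRights -band $remaining) -ne 0) { $hit.Access = $false; return $hit }
        } else {
            $remaining = $remaining -band (-bnot $aceRights)
            if ($remaining -eq 0) { $hit.Access = $true; return $hit }
        }
    }
    # Ran off the end of the DACL with rights still outstanding: implicit deny.
    [pscustomobject]@{ Path = $Path; Access = $false; DecidedBy = $null; SidType = $null; Ace = 'NoMatchingAllow' }
}

# Usage (both work on any Windows box):
Get-SidType ([System.Security.Principal.SecurityIdentifier]'S-1-5-32-551')   # BUILTIN\Backup Operators, an Alias
Test-DaclAccess -Path "$env:SystemRoot\System32\drivers\etc\hosts" -Requested Read
```

The returned object names the ACE that decided the outcome and the SID type of its trustee, which is the information Jeff wants for an early sanity check. For the authoritative answer, the OS's own AccessCheck (or simply attempting the open) remains the only evaluation that accounts for privileges and ownership.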


