Access denied when checking local group if DC is 2003

From: Craig (anonymous_at_discussions.microsoft.com)
Date: 09/17/04


Date: Fri, 17 Sep 2004 09:58:33 -0700

Hello Hugh,
 
Sounds to me like you have not enabled some Win2003
Server IIS webservices functions and/or properly assigned
the proper windows system folder system permissions so
internet visitors are allowed to access/write to the
windows system folder.

These privileges have changed in the Win2003 Server OS
now for the windows system folders.
- IIS_WPG
- IWAM
 
If you would like to correspond further, I have created a
temporary email address you can contact me at and if you
have a need to send image files, they are the only types
that are accepted by the mail service:

HUGH1-CONTACT-CRAIG@GNIS.NET

Sincerely,
 
Craig
 
PS: I do have a couple pieces of software that I sell,
which will remove some future heartaches if you're
interested.

- My-IISBackups: Backup and Restore settings quickly
- My-IIS: Enable any windows system folder as a domain
name record in IIS Quickly. WinServer OS's Version.

>-----Original Message-----
>We have a custom authentication .dll that takes user/pword/domain and
>authenticates domain membership and THEN checks whether the user is in a
>domain/global group inside a local group on the web server.
>The code works fine and never has a problem contacting the DC and returning
>yay/nay on domain account membership; however, if the DC is running 2003 OS
>(with mixed or native 2000 AD) the second part of the call can't return
>anything about membership in the local group when it queries the local
>machine for groups. The following error occurs:
>"A system error has occurred: 5"
>"The user does not have access to the requested information."
>
>The web server is win2k and the application is running as IUSR_<machine>.
>The code impersonates the validated user and then sets a session cookie to
>allow access to subsequent pages.
>I have tried using a domain account and Integrated auth and still get the
>same error.
>Also made secpol change on DC to allow anonymous enumeration of SAM accounts
>to no avail.
>Any ideas??