Re: User token created by ADsGetObject

From: Victor I. Zaslavsky (victor_at_zaslavsky.org)
Date: 04/28/04


Date: Wed, 28 Apr 2004 10:36:02 +0200

Hi Rhett,

Thanks for your response.

I'm in doubt whether ADsGetObject uses the current token to access the requested
object:

  1. Assume there are two domains: AAA.COM and BBB.COM.
  2. Assume the user UUU with the password PPP exists in both domains, where in
     domain AAA the user is a member of the built-in "Domain Administrators"
     group ("DA") and in domain BBB it isn't.
  3. Assume there is an object OOO in domain BBB that only members of the BBB
     "Domain Administrators" group have access to.
  4. Assume the user is logged in to domain AAA.
  5. What happens when the user tries to open object OOO? Regardless of the
     "DA" in the current user token, his access to OOO should be prohibited.

According to the above, within the ADsGetObject API call the user token in the
target domain should be created in order to check the user's permission to the
requested object.

Therefore:
If it is right and the token is created, how can I obtain it?
If it is not right and the token is not created, how is the permission check
performed?

Regards,
Victor.

"Rhett Gong [MSFT]" <v-raygon@online.microsoft.com> wrote in message
news:LBCbGTELEHA.2364@cpmsftngxa10.phx.gbl...
> Hi Victor,
> ADsGetObject binds to an ADSI object using the *current credentials*. So I
> believe it is ok to use OpenProcessToken to get the user token of this logon
> session.
>
> Thanks,
> Rhett Gong [MSFT]
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Please reply to newsgroups only. Thanks.
>
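As an added example (not part of this thread, and not Microsoft's code), the following PowerShell script makes the two halves of the question concrete. It first lists the groups carried in the caller's current logon token, which is the same token OpenProcessToken would return, and flags any "Domain Admins" entry together with the SID of the domain it belongs to. It then binds to a directory object with those same current credentials through the [ADSI] accelerator, the managed equivalent of ADsGetObject, and optionally with explicit BBB credentials through DirectoryEntry for comparison. The domain names and the object path are placeholders taken from the scenario above. No token for the target domain is created on the client: the bind authenticates the caller to a domain controller in BBB.COM, and that DC evaluates the object's ACL against the SIDs it derives for the authenticated identity. Because the AAA "Domain Admins" group has a different SID from BBB's, membership in AAA grants nothing on OOO.

```powershell
# Added example: inspect the current logon token, then bind with it via ADSI.
# Placeholder path built from the scenario in the thread (not a real object):
$targetPath = 'LDAP://BBB.COM/CN=OOO,DC=BBB,DC=COM'

function Get-CurrentTokenGroups {
    # WindowsIdentity.GetCurrent() wraps the process (or impersonation) token,
    # i.e. what OpenProcessToken/OpenThreadToken plus GetTokenInformation
    # (TokenGroups) would give a native caller.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        $name = try {
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { '<unresolved>' }
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }
}

function Get-TokenDomainAdminDomains {
    # "Domain Admins" is the well-known RID 512 of each domain. Return the
    # domain SID of every domain whose Domain Admins group is in the token,
    # which shows that AAA's and BBB's groups are distinct principals.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $id.Groups |
        Where-Object { $_.Value -match '^S-1-5-21-\d+-\d+-\d+-512$' } |
        ForEach-Object { $_.AccountDomainSid.Value }
}

function Test-DirectoryAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [pscredential] $Credential
    )
    try {
        if ($Credential) {
            # Explicit credentials: authenticate to the DC as the supplied
            # account instead of with the current token.
            $entry = New-Object System.DirectoryServices.DirectoryEntry(
                $Path,
                $Credential.UserName,
                $Credential.GetNetworkCredential().Password)
        } else {
            # [ADSI] binds with the current credentials, like ADsGetObject.
            $entry = [ADSI]$Path
        }
        # Reading an attribute forces the bind; the access check happens on
        # the target domain's DC and surfaces here as an exception if denied.
        $null = $entry.distinguishedName
        return $true
    } catch {
        Write-Verbose $_.Exception.Message
        return $false
    }
}

Write-Host 'Groups in the current logon token:'
Get-CurrentTokenGroups | Format-Table -AutoSize

$daDomains = @(Get-TokenDomainAdminDomains)
Write-Host "Token holds Domain Admins for domain SID(s): $($daDomains -join ', ')"

Write-Host "Bind to $targetPath with current credentials: $(Test-DirectoryAccess -Path $targetPath -Verbose)"

# To compare against an explicit BBB logon, uncomment (prompts for the password):
# $cred = Get-Credential 'BBB\UUU'
# Write-Host "Bind as BBB\UUU: $(Test-DirectoryAccess -Path $targetPath -Credential $cred -Verbose)"
```

Run it from a session logged on to AAA.COM to see the first bind fail against a BBB-only object while the token still lists AAA's Domain Admins; the explicit-credential bind succeeds only if BBB\UUU itself is granted access on OOO. Use -Verbose to see the exact error the DC returned.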