RE: Creating a directory with security attributes.

From: Kevin Burton (KevinBurton_at_discussions.microsoft.com)
Date: 11/22/04


Date: Mon, 22 Nov 2004 09:01:12 -0800

One more piece of information: the call

ConvertStringSidToSid(_T("DU"), &pSid)

also returns an error, "The security ID structure is invalid".

Does anyone know how I can create a directory specifying access permissions
for domain users?

Thank you.

Kevin

"Steve Friedl [MVP]" wrote:

> "Kevin Burton" wrote:
>
> > TCHAR * szSD = TEXT("D:") // Discretionary ACL
> > TEXT("(D;OICI;GA;;;BG)") // Deny access to built-in guests
> > TEXT("(D;OICI;GA;;;AN)") // Deny access to anonymous logon
> > TEXT("(A;OICI;GRGWGX;;;AU)") // Allow r/w/x to authenticated users
> > TEXT("(A;OICI;GA;;;BA)") // Allow full control to administrators
> > TEXT("(A;OICI;GA;;;DU)"); // Allow full control to domain users
>
> It seems that the problem is with the "AN" and "DU" tokens that specify
> "Anonymous users" and "Domain Users" - I'm not sure why this is the case. You
> can see for yourself by making a small test program that comments these lines
> out:
>
> When these tokens are converted to the S-format, it seems to work:
>
> #define _WIN32_WINNT 0x0500
> #include <windows.h>
> #include <sddl.h>
> #include <stdio.h>
> #include <tchar.h>
>
> int __cdecl _tmain(void)
> {
>     SECURITY_ATTRIBUTES sa;
>
>     ZeroMemory(&sa, sizeof sa);
>
>     sa.nLength = sizeof sa;
>     sa.bInheritHandle = FALSE;
>
>     const TCHAR * szSD =
>         _T("D:")                    // Discretionary ACL
>         _T("(D;OICI;GA;;;BG)")      // Deny access to built-in guests
>     //  _T("(D;OICI;GA;;;AN)")      // Deny access to anonymous logon (commented out)
>         _T("(A;OICI;GRGWGX;;;AU)")  // Allow r/w/x to authenticated users
>         _T("(A;OICI;GA;;;BA)")      // Allow full control to administrators
>     //  _T("(A;OICI;GA;;;DU)")      // Allow full control to domain users (commented out)
>         ;
>
>     if ( ! ConvertStringSecurityDescriptorToSecurityDescriptor(
>             szSD,
>             SDDL_REVISION_1,
>             &sa.lpSecurityDescriptor,
>             NULL) )
>     {
>         printf("failed: err#%lu\n", GetLastError() );
>     }
>     else
>     {
>         printf("created OK\n");
>         LocalFree(sa.lpSecurityDescriptor);  // the converted descriptor is LocalAlloc'd
>     }
>
>     return 0;
> }
>
> With this more limited string, it works (I figured it out by trial-and-error).
>
> Replacing these tokens for the ACE trustee (ref:
> http://msdn.microsoft.com/library/en-us/secauthz/security/sid_strings.asp )
> with the S-format seems to help:
>
> // deny access to anonymous logins
> > TEXT("(D;OICI;GA;;;AN)") // doesn't seem to work
> > TEXT("(D;OICI;GA;;;S-1-5-7)") // seems to work OK
>
> Finding the SID for the domain users is left as an exercise to the reader.
> Not sure if this is a bug or not...
>
> Steve
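As an added example (not code from either poster), here is a portable C snippet that builds the DACL string from this thread with the two trustees that failed replaced by S-format SIDs, plus a structural check over the ACEs before the string goes to ConvertStringSecurityDescriptorToSecurityDescriptor. The domain SID argument is an assumption (look it up on the machine, e.g. with LookupAccountName); RID 513 is the well-known Domain Users RID, which the thread leaves as an exercise.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Kevin's DACL with the two trustees that failed replaced by S-format SIDs:
 * "AN" -> S-1-5-7 (from the thread) and "DU" -> <domain SID>-513, where the
 * caller supplies domain_sid (an assumption: obtain it on the box, e.g. via
 * LookupAccountName) and 513 is the well-known Domain Users RID.
 * Returns the length written, or -1 if out is too small. */
int build_dacl(const char *domain_sid, char *out, size_t cap)
{
    int n = snprintf(out, cap,
        "D:"
        "(D;OICI;GA;;;BG)"          /* deny built-in guests            */
        "(D;OICI;GA;;;S-1-5-7)"     /* deny anonymous logon            */
        "(A;OICI;GRGWGX;;;AU)"      /* r/w/x for authenticated users   */
        "(A;OICI;GA;;;BA)"          /* full control for administrators */
        "(A;OICI;GA;;;%s-513)",     /* full control for Domain Users   */
        domain_sid);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Structural check of an SDDL DACL before it is handed to
 * ConvertStringSecurityDescriptorToSecurityDescriptor on Windows. Each ACE
 * must read "(type;flags;rights;object;inherit;trustee)" with a trustee that
 * is a two-letter alias or an S-1-... SID. Returns the ACE count, or -1.
 * It does not reproduce the API's own alias checks (which rejected AN/DU). */
int check_dacl(const char *sddl)
{
    const char *p = strstr(sddl, "D:");
    int count = 0;
    if (!p) return -1;
    for (p += 2; *p == '('; ++count) {
        const char *close = strchr(p, ')');
        const char *trustee = NULL;
        int semis = 0;
        if (!close) return -1;
        for (const char *q = p + 1; q < close; ++q)
            if (*q == ';' && ++semis == 5) trustee = q + 1;
        if (semis != 5 || trustee == close) return -1;   /* empty trustee */
        size_t len = (size_t)(close - trustee);
        int alias = len == 2 && isupper((unsigned char)trustee[0])
                             && isupper((unsigned char)trustee[1]);
        int sid = len > 4 && strncmp(trustee, "S-1-", 4) == 0;
        if (!alias && !sid) return -1;
        p = close + 1;
    }
    return *p == '\0' ? count : -1;   /* trailing junk is an error too */
}
```

On Windows, pass the resulting string through ConvertStringSecurityDescriptorToSecurityDescriptor into a SECURITY_ATTRIBUTES as in Steve's program, then hand that to CreateDirectory and LocalFree the descriptor afterwards.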


