Re: remote user SID & ConvertStringSecurityDescriptorToSecurityDescriptor
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Thu, 08 Feb 2007 08:31:39 -0500
Your post is a little confusing... But unless you are using domain accounts or you have synced user accounts this isn't going to work. You cannot take the SID of a local user from MachineA and use it on MachineB SDs. The SID will never be seen there.
If you want to use this with standalone or member machines and their local users, you need to create the same userid with the same password on both machines and use the SID of the user on the machine with the named pipe (not the SID of the user on the calling computer) to ACL the SD. For example... You have UserA with password hello on MachineA, you create UserA with password hello on MachineB. Now when UserA on MachineB connects to MachineB, they can... Plus they will be known locally on MachineB as \\MachineB\UserA - not \\MachineA\UserA.
Alternately if you have MachineA and MachineB in DomainA or in trusting domains DomainA and DomainB and the user is from DomainA or DomainB then you can use the SID from DomainA or DomainB as it will be visible to MachineB.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
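The check behind the point above, as an added example that is not code from either poster: parse the DACL part of an SDDL string and classify each trustee SID by the authority that issued it (the S-1-5-21-A-B-C prefix of an account SID). A SID issued by a different standalone machine is flagged as one the pipe server can never resolve. The machine SID and trusted-domain SID values are constructed placeholders, and the function names are my own.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed placeholder values (not real SIDs) for the pipe server and a trusted domain.
PIPE_SERVER_MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # e.g. machine ABC
TRUSTED_DOMAIN_SIDS: Set[str] = {"S-1-5-21-4444444444-5555555555-6666666666"}

ACE_RE = re.compile(r"\(([^)]*)\)")
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def ace_trustees(sddl: str) -> List[str]:
    """Return the trustee (6th ';'-separated field) of every ACE in the DACL ('D:...') section."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # cut off a trailing SACL section if present
    trustees = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) >= 6:
            trustees.append(fields[5])
    return trustees


def issuing_authority(trustee: str) -> Optional[str]:
    """For an account SID S-1-5-21-A-B-C-RID return the issuing machine/domain SID S-1-5-21-A-B-C.

    Well-known SIDs (S-1-5-32-544, S-1-1-0, ...) and SDDL aliases (BA, WD, SY) return None."""
    if not SID_RE.match(trustee):
        return None
    parts = trustee.split("-")
    if parts[3] == "21" and len(parts) == 8:
        return "-".join(parts[:7])
    return None


def check_dacl(sddl: str, server_machine_sid: str, trusted_domain_sids: Set[str]) -> Dict[str, str]:
    """Classify each trustee as 'local', 'domain', 'well-known/alias' or 'foreign'.

    'foreign' means the SID was issued by some other standalone machine: the pipe server
    has no way to map it to an account, so the ACE can never match a connecting user."""
    verdict = {}
    for trustee in ace_trustees(sddl):
        authority = issuing_authority(trustee)
        if authority is None:
            verdict[trustee] = "well-known/alias"
        elif authority == server_machine_sid:
            verdict[trustee] = "local"
        elif authority in trusted_domain_sids:
            verdict[trustee] = "domain"
        else:
            verdict[trustee] = "foreign"
    return verdict
```

Running it over the DACL from the question with the caller's machine SID substituted for X-Y-Z reports "foreign"; only a SID minted by the pipe server itself or by a domain it trusts comes back as "local" or "domain".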
mario.beutler wrote:
In my service I use ConvertStringSecurityDescriptorToSecurityDescriptor to create a DACL for a Named Pipe.
Hello,
my program creates a Named Pipe with SECURITY_ATTRIBUTES (DACL) on machine ABC which should limit the access to SID (S-1-5-21-X-Y-Z) of the active user on a remote machine XYZ.
My DACL is:
"D:"+SDDL_PROTECTED
"(A;;GRGW;;;S-1-5-21-X-Y-Z)"
It seems that the user on machine XYZ has no access to the Named Pipe on machine ABC if the user has no account on machine ABC. So the syntax of the SID string seems to be incorrect. Perhaps the syntax
"(A;;GRGW;;;\\XYZ\S-1-5-21-X-Y-Z)"
is correct. Or do I have to use MakeAbsoluteSD to make a network-wide valid SID?
Thank you for your help or hints,
Mario Beutler