Re: remote user SID & ConvertStringSecurityDescriptorToSecurityDes



You will never add S-1-5-21-B-B-B to an ACL on MachineA. It will not do anything for you because that SID will never be used nor be valid on MachineA. When the user machineA\Joe connects to machineB, MachineB will know the user to be machineB\Joe and that is all it will know.

If machineC\Joe tries to connect and the password is not in sync, the user will be required to supply the correct password and if he doesn't, he will not connect at all unless guest access is allowed and then he will simply be known as guest.

If you want to limit the pipe to administrators, then you set the security so that it only allows administrators. You can't set it so that it is Joe only if he is an Admin.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


mario.beutler wrote:
Joe, thank you for your answer.
Now I'm able to reword my question:

"Limit the access of a Named Pipe to user Joe"
The machines of a LAN aren't domain joined, and the MachineA\Joe account
has the same password as MachineB\Joe. But there is also a
"hacker" machineC with a fake user "Joe" and a different password, and
machineA doesn't know that machineC\Joe exists.
SID of machineA\Joe is S-1-5-21-A-A-A; SID of machineB\Joe is
S-1-5-21-B-B-B; SID of machineC\Joe is not known on machineA.
How do I limit access to the Named Pipe on machineA to MachineB\Joe
only? What does the DACL look like?

"D:"+SDDL_PROTECTED
"(A;;GRGW;;;S-1-5-21-A-A-A)"
"(D;;GA;;;<all except S-1-5-21-B-B-B and S-1-5-21-A-A-A>)"

Mario

BTW: Is it possible to limit the access to user Joe, but only if Joe is
an administrator?
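
Added example, not part of either poster's message: a simplified, portable C model of how a DACL is evaluated, applied to the two cases in the reply (the connecting user is checked as the pipe host's own local Joe account, S-1-5-21-A-A-A, and a pipe limited to administrators). The access bits, struct and token contents are constructed for illustration; S-1-5-32-544, -545 and -546 are the well-known BUILTIN Administrators, Users and Guests SIDs.

```c
#include <stdio.h>
#include <string.h>

/* Model access bits for this example only (not the real GENERIC_* values). */
enum { GR = 1, GW = 2 };

typedef struct { char type; unsigned mask; const char *sid; } Ace; /* 'A' allow, 'D' deny */

static int token_has(const char *const *tok, int n, const char *sid) {
    for (int i = 0; i < n; i++)
        if (strcmp(tok[i], sid) == 0) return 1;
    return 0;
}

/* Walk the ACEs in order, as the Windows access check does: a matching deny
   ACE that covers a still-ungranted requested bit fails the request, matching
   allow ACEs accumulate bits, and anything not granted by the end is denied. */
int access_check(const Ace *dacl, int n_aces,
                 const char *const *tok, int n_sids, unsigned desired) {
    unsigned granted = 0;
    for (int i = 0; i < n_aces; i++) {
        if (!token_has(tok, n_sids, dacl[i].sid)) continue;
        if (dacl[i].type == 'D') {
            if (dacl[i].mask & desired & ~granted) return 0;
        } else {
            granted |= dacl[i].mask & desired;
        }
        if (granted == desired) return 1;
    }
    return 0; /* implicit deny: no "everyone else" deny ACE is needed */
}

/* Constructed sample data; S-1-5-21-A-A-A is the thread's placeholder SID. */
const Ace JOE_ONLY[]     = { {'A', GR | GW, "S-1-5-21-A-A-A"} }; /* D:P(A;;GRGW;;;S-1-5-21-A-A-A) */
const Ace ADMINS_ONLY[]  = { {'A', GR | GW, "S-1-5-32-544"} };   /* D:P(A;;GRGW;;;BA) */
const Ace JOE_OR_ADMIN[] = { {'A', GR | GW, "S-1-5-21-A-A-A"}, {'A', GR | GW, "S-1-5-32-544"} };

const char *const TOK_JOE[]       = { "S-1-5-21-A-A-A", "S-1-5-32-545", "S-1-1-0" };
const char *const TOK_JOE_ADMIN[] = { "S-1-5-21-A-A-A", "S-1-5-32-544", "S-1-1-0" };
const char *const TOK_GUEST[]     = { "S-1-5-32-546", "S-1-1-0" };

int main(void) {
    printf("Joe-only DACL:   Joe=%d guest=%d\n",
           access_check(JOE_ONLY, 1, TOK_JOE, 3, GR | GW),
           access_check(JOE_ONLY, 1, TOK_GUEST, 2, GR | GW));
    printf("Admin-only DACL: Joe=%d Joe(admin)=%d\n",
           access_check(ADMINS_ONLY, 1, TOK_JOE, 3, GR | GW),
           access_check(ADMINS_ONLY, 1, TOK_JOE_ADMIN, 3, GR | GW));
    printf("Joe OR admin:    plain Joe=%d\n", access_check(JOE_OR_ADMIN, 2, TOK_JOE, 3, GR | GW));
    return 0;
}
```

The last case shows that listing Joe and Administrators as two allow ACEs grants access to either one; the ACEs act as alternatives, not as a combined condition.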
