Re: Getting all security groups without a token?



I think this will work on a Win2K domain although I don't know if these APIs
are backported to Win2K, so you might want to check that. Hopefully your
code won't be running on Win2K.

Regarding access to this attribute, it is normal to have read access to it
for authenticated users (which should apply to local system on a domain
member machine as it will auth to AD as the computer account for the member
server). From what I've seen, you only tend to have access issues if the
domain was set up to not have "authenticated users" in the "pre-win2K
access" group. However, since AD ACLs are so flexible, there are any number
of ways that this access could have been removed. To a certain extent, it
will be on the AD admins of the environment to understand why they have
things a specific way.

Glad that approach looks promising...

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"clarkd4" <clarkd4@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E64B668B-FF6F-4479-9B7F-857B64B5BEC0@xxxxxxxxxxxxxxxx
Hi Joe,

Awesome. That appears to do exactly what I need. I can use AuthzInitializeContextFromSid to construct a pseudo-token structure, and then use AuthzGetInformationFromContext(AuthzContextInfoGroupsSids) in combination with EqualSid to check group memberships.

Will this work for Windows 2000 domains as well?

I noticed a caution in the notes for AuthzInitializeContextFromSid about access to the tokenGroupsGlobalAndUniversal attribute. The function is working fine in my test environment, but what can I tell users to fix when it returns ACCESS_DENIED? Is that likely to happen if the service is running as LocalSystem on a domain member?

Thanks so much for your help!

Doug

"Joe Kaplan" wrote:

Hi Doug,

If you were already using the NT token-based APIs for doing this type of thing you might be interested in the Authz APIs that provide some functional equivalents without the requirement of getting a kernel mode login token for the user.

You might start with the various AuthZInitializeContextxxxx functions to see if they get you going in the direction you want.

Under the hood, the code will still end up querying the directory to get the user's group membership (it uses tokenGroupsGlobalAndUniversal instead of tokenGroups, so you won't get any DLGs this way). Authz uses RPC APIs instead of LDAP to do the query, but the overall results are similar, just the wire traffic is different.

If you can avoid doing the LDAP query, that is probably easiest.

I'm sure we can fix the operations error if you need to, as that is usually just the result of binding to the directory as the anonymous user instead of a valid one, which typically results from something that went wrong with the passing of credentials in the bind operation. However, there is no point in dealing with that unless we have to.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
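Added example, not code from the thread or from Joe's book: the sequence Doug describes, done from PowerShell through P/Invoke so it can be tried from a prompt before it goes into a service. AuthzInitializeContextFromSid builds the context from a SID alone (no logon token), AuthzGetInformationFromContext with AuthzContextInfoGroupsSids returns a TOKEN_GROUPS blob, and SecurityIdentifier equality stands in for EqualSid. It assumes authz.dll is present (XP/2003 or later, not Win2K), that the caller can read tokenGroupsGlobalAndUniversal on the user object, and the resource-manager name "GroupCheck" and the CONTOSO account names are placeholders. As the thread notes, the result will not include domain local groups.

```powershell
# Added example: Authz group resolution without a logon token (P/Invoke into authz.dll).
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
namespace AuthzDemo {
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }
    public static class Native {
        public const uint AUTHZ_RM_FLAG_NO_AUDIT = 0x1;
        public const int  AuthzContextInfoGroupsSids = 2;   // AUTHZ_CONTEXT_INFORMATION_CLASS value
        [DllImport("authz.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        public static extern bool AuthzInitializeResourceManager(uint flags, IntPtr pfnDynamicAccessCheck,
            IntPtr pfnComputeDynamicGroups, IntPtr pfnFreeDynamicGroups, string szResourceManagerName,
            out IntPtr phAuthzResourceManager);
        [DllImport("authz.dll", SetLastError = true)]
        public static extern bool AuthzInitializeContextFromSid(uint flags, IntPtr userSid,
            IntPtr hAuthzResourceManager, IntPtr pExpirationTime, LUID identifier,
            IntPtr dynamicGroupArgs, out IntPtr phAuthzClientContext);
        [DllImport("authz.dll", SetLastError = true)]
        public static extern bool AuthzGetInformationFromContext(IntPtr hAuthzClientContext,
            int infoClass, uint bufferSize, out uint pSizeRequired, IntPtr buffer);
        [DllImport("authz.dll", SetLastError = true)]
        public static extern bool AuthzFreeContext(IntPtr hAuthzClientContext);
        [DllImport("authz.dll", SetLastError = true)]
        public static extern bool AuthzFreeResourceManager(IntPtr hAuthzResourceManager);
    }
}
"@

function Get-AuthzGroupSids {
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$UserSid)
    $M = [Runtime.InteropServices.Marshal]
    $rm = [IntPtr]::Zero; $ctx = [IntPtr]::Zero; $sidMem = [IntPtr]::Zero; $buf = [IntPtr]::Zero
    try {
        if (-not [AuthzDemo.Native]::AuthzInitializeResourceManager([AuthzDemo.Native]::AUTHZ_RM_FLAG_NO_AUDIT,
                [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, "GroupCheck", [ref]$rm)) {
            throw "AuthzInitializeResourceManager failed: Win32 error $($M::GetLastWin32Error())"
        }
        # Authz wants a PSID in unmanaged memory, not a SID string.
        $sidBytes = New-Object byte[] $UserSid.BinaryLength
        $UserSid.GetBinaryForm($sidBytes, 0)
        $sidMem = $M::AllocHGlobal($sidBytes.Length)
        $M::Copy($sidBytes, 0, $sidMem, $sidBytes.Length)

        # Flags = 0: Authz resolves tokenGroupsGlobalAndUniversal over RPC to a DC.
        # ERROR_ACCESS_DENIED (5) here is the attribute-read problem the thread discusses.
        $luid = New-Object AuthzDemo.LUID
        if (-not [AuthzDemo.Native]::AuthzInitializeContextFromSid(0, $sidMem, $rm, [IntPtr]::Zero,
                $luid, [IntPtr]::Zero, [ref]$ctx)) {
            $err = $M::GetLastWin32Error()
            if ($err -eq 5) { throw "ACCESS_DENIED: caller cannot read tokenGroupsGlobalAndUniversal for $UserSid" }
            throw "AuthzInitializeContextFromSid failed: Win32 error $err"
        }

        # Two-call pattern: size query first, then fetch the TOKEN_GROUPS blob.
        $needed = [uint32]0
        [void][AuthzDemo.Native]::AuthzGetInformationFromContext($ctx,
            [AuthzDemo.Native]::AuthzContextInfoGroupsSids, 0, [ref]$needed, [IntPtr]::Zero)
        $buf = $M::AllocHGlobal([int]$needed)
        if (-not [AuthzDemo.Native]::AuthzGetInformationFromContext($ctx,
                [AuthzDemo.Native]::AuthzContextInfoGroupsSids, $needed, [ref]$needed, $buf)) {
            throw "AuthzGetInformationFromContext failed: Win32 error $($M::GetLastWin32Error())"
        }

        # TOKEN_GROUPS layout: DWORD GroupCount, then SID_AND_ATTRIBUTES[] (PSID + DWORD),
        # both aligned to pointer size on x64 and x86 alike.
        $p = [IntPtr]::Size
        $count = $M::ReadInt32($buf)
        $SE_GROUP_ENABLED = 0x4; $SE_GROUP_USE_FOR_DENY_ONLY = 0x10
        for ($i = 0; $i -lt $count; $i++) {
            $entry = [IntPtr]::Add($buf, $p + $i * 2 * $p)
            $pSid  = $M::ReadIntPtr($entry)
            $attrs = $M::ReadInt32([IntPtr]::Add($entry, $p))
            [pscustomobject]@{
                Sid      = New-Object System.Security.Principal.SecurityIdentifier($pSid)
                Enabled  = [bool]($attrs -band $SE_GROUP_ENABLED)
                DenyOnly = [bool]($attrs -band $SE_GROUP_USE_FOR_DENY_ONLY)
            }
        }
    }
    finally {
        if ($ctx -ne [IntPtr]::Zero)    { [void][AuthzDemo.Native]::AuthzFreeContext($ctx) }
        if ($rm -ne [IntPtr]::Zero)     { [void][AuthzDemo.Native]::AuthzFreeResourceManager($rm) }
        if ($sidMem -ne [IntPtr]::Zero) { $M::FreeHGlobal($sidMem) }
        if ($buf -ne [IntPtr]::Zero)    { $M::FreeHGlobal($buf) }
    }
}

# Membership test (placeholder account names). SecurityIdentifier -eq is the EqualSid check;
# deny-only and disabled entries are excluded, as an access check would exclude them.
$user   = (New-Object System.Security.Principal.NTAccount("CONTOSO\doug")).Translate([System.Security.Principal.SecurityIdentifier])
$target = (New-Object System.Security.Principal.NTAccount("CONTOSO\AppAdmins")).Translate([System.Security.Principal.SecurityIdentifier])
$groups = Get-AuthzGroupSids -UserSid $user
$isMember = [bool]($groups | Where-Object { $_.Enabled -and -not $_.DenyOnly -and $_.Sid -eq $target })
"Member of AppAdmins: $isMember"
```

Run it as the same account the service will use (LocalSystem can be approximated with psexec -s or a scheduled task) so that an ACCESS_DENIED on the attribute read shows up in testing rather than in production; the resource-manager handle and client context are process-wide resources and should be created once and reused in a real service rather than per call as here.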