Bytes | Software Development & Data Engineering Community

Writing DACL only with SetSecurityDescriptorSddlForm

In a C# .Net web page I'm displaying some information from our AD.
Furthermore I have a method allowing replacing a SID in an ACL of a user,
group or computer object.

I use the managedBy attribute a lot, but when this manager resigns, I must
set a new user, and I prefer to give whatever rights the previous manager
had to the newly designated one.
I have my code working, but only when the calling user is an administrator.
Having the right to change permissions (write DACL) is not sufficient.

Here's what I do (simplified):
objAccount is a DirectoryEntry object representing ex. a group or computer.

string strSDDL = objAccount.ObjectSecurity.GetSecurityDescriptorSddlForm(
    System.Security.AccessControl.AccessControlSections.Access);

// Search for old SID, replace with new one
....

objAccount.ObjectSecurity.SetSecurityDescriptorSddlForm(strSDDL,
    System.Security.AccessControl.AccessControlSections.Access);

objAccount.InvokeSet("managedBy",
    objNewResp.Properties["distinguishedName"].Value.ToString());
objAccount.CommitChanges();
This succeeds if called by an admin, but throws an exception saying "A
constraint violation occurred. (Exception from HRESULT: 0x8007202F)", if the
calling user is not an admin, even if account operator.

I've found KB323749, and it sounds reasonable the problem is the function
trying to set the owner in the SD as well, even though I specify the second
argument on the SetSecurityDescriptorSddlForm method. To me this seems like
an error in the .Net framework, or am I mistaken???
The AccessControlSections.Access value ought to specify DACL only, according
to the documentation.

To verify this is really the problem, I tried to implement the method
suggested in the mentioned article.
The following two lines somewhat solves the problem:
ActiveDs.IADsObjectOptions options =
    (ActiveDs.IADsObjectOptions)objAccount.NativeObject;
options.SetOption((int)ActiveDs.ADS_OPTION_ENUM.ADS_OPTION_SECURITY_MASK,
    ActiveDs.ADS_SECURITY_INFO_ENUM.ADS_SECURITY_INFO_DACL);
And as such proves the owner to be the problem. However, apparently this is
a global setting. As another part of my web page reads a SD and among others
passes it to the API function AccessCheckByTypeResultList. This suddenly
starts to fail, and it reports the SD is not valid (error code: 1338). I can
set the option back to include all aspects of the SD, but it would just be a
matter of time until two users click at the same time, and one of the calls
fails. I'd rather not implement a semaphore in a web page.

I'm wondering why the second argument on
ObjectSecurity.SetSecurityDescriptorSddlForm doesn't have an effect.
Do I need a patch to fix this???
Thanks in advance,
Jan

Sep 23 '08 #1
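An added example for the situation in the post above (it is not Jan's code and not a Microsoft sample): the same SID swap done through the ActiveDirectorySecurity object model instead of text replacement on the SDDL string, with ADSI told to read and write only the DACL. The second argument to SetSecurityDescriptorSddlForm only selects which parts of the in-memory ActiveDirectorySecurity are overwritten; which parts of ntSecurityDescriptor are sent to the domain controller at CommitChanges is governed by the ADSI security mask (by default owner, group and DACL), which is what the IADsObjectOptions call from KB323749 changes and what the managed API exposes as DirectoryEntry.Options.SecurityMasks. That property is set on the individual DirectoryEntry (its underlying ADSI object), so code elsewhere that needs the whole descriptor can keep using its own DirectoryEntry with the default masks. Matching ACEs by SecurityIdentifier also avoids the substring hazard of String.Replace on SDDL text, where the old SID string is a prefix of another account's SID (S-1-5-21-...-1234 versus S-1-5-21-...-12345). The LDAP path, the SIDs and the manager DN used below are hypothetical placeholders.

```csharp
// Added example, not the poster's code. Replaces one trustee SID with another
// in an AD object's DACL and commits only the DACL, so a caller that holds
// WRITE_DAC on the object (but is neither owner nor admin) can succeed.
//
// Assumptions (placeholders, not values from the thread):
//   objectPath  - LDAP path of the group/computer/user being edited
//   oldSid      - SID of the manager who left
//   newSid      - SID of the newly designated manager
//   newManagerDn- distinguishedName written to managedBy (null = leave as is)
//   The process runs as (or impersonates) a user with WRITE_DAC on the object.

using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class DaclSidReplacer
{
    // Returns the number of explicit ACEs that were re-issued to newSid.
    public static int ReplaceSidInDacl(string objectPath,
                                      SecurityIdentifier oldSid,
                                      SecurityIdentifier newSid,
                                      string newManagerDn)
    {
        using (var entry = new DirectoryEntry(objectPath))
        {
            // Managed equivalent of IADsObjectOptions.SetOption(
            // ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_DACL). Scoped to this
            // DirectoryEntry. Set it before ObjectSecurity is first read so that
            // both the read and the later write are limited to the DACL.
            entry.Options.SecurityMasks = SecurityMasks.Dacl;

            ActiveDirectorySecurity sd = entry.ObjectSecurity;

            // Explicit ACEs only: inherited ACEs belong to the parent object
            // and cannot be removed on this object anyway.
            AuthorizationRuleCollection rules =
                sd.GetAccessRules(true, false, typeof(SecurityIdentifier));

            int replaced = 0;
            foreach (ActiveDirectoryAccessRule rule in rules)
            {
                // Exact SID comparison rather than substring matching on SDDL.
                if (!oldSid.Equals((SecurityIdentifier)rule.IdentityReference))
                    continue;

                // Rebuild the ACE verbatim for the new trustee: same rights,
                // allow/deny type, object and inherited-object GUIDs and
                // inheritance flags. Guid.Empty means "no object type".
                var clone = new ActiveDirectoryAccessRule(
                    newSid,
                    rule.ActiveDirectoryRights,
                    rule.AccessControlType,
                    rule.ObjectType,
                    rule.InheritanceType,
                    rule.InheritedObjectType);

                sd.RemoveAccessRuleSpecific(rule);
                sd.AddAccessRule(clone);
                replaced++;
            }

            if (newManagerDn != null)
            {
                // Same effect as InvokeSet("managedBy", ...) in the post.
                entry.Properties["managedBy"].Value = newManagerDn;
            }

            if (replaced > 0 || newManagerDn != null)
            {
                // ObjectSecurity is a live view of the entry's descriptor;
                // CommitChanges writes it back, and the mask set above keeps
                // the write to the DACL (no owner, no group).
                entry.CommitChanges();
            }
            return replaced;
        }
    }

    static void Main()
    {
        // Placeholder values for illustration only.
        int n = ReplaceSidInDacl(
            "LDAP://CN=Sales,OU=Groups,DC=example,DC=com",
            new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1104"),
            new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1187"),
            "CN=New Manager,OU=Users,DC=example,DC=com");
        Console.WriteLine("ACEs re-issued: " + n);
    }
}
```

A check worth doing before deploying this: read the object back with a DirectoryEntry that has the default SecurityMasks and confirm the owner and group are unchanged and the old SID no longer appears in the explicit ACEs. Deny ACEs for the old SID are carried over to the new one by the same loop, which is usually what "give the new manager whatever the old one had" means, but review them if a deny was meant for that specific person.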
"Jan Nielsen" <ja*******@online.nospam> wrote in message
news:8D**********************************@microsoft.com...
> In a C# .Net web page I'm displaying some information from our AD.
>
> Do I need a patch to fix this???
I appreciate that you're using ASP.NET to interface with AD (I also do this
all the time), but your question might possibly get a better / faster
response in the dedicated ADSI newsgroup: microsoft.public.adsi.general.

Anything my old pal Joe Kaplan tells you in there can be taken as gospel...
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

Sep 23 '08 #2