
Error 1307: Adding File Permissions to NTFS using System.Management Object in ASP.NET

Project:
----------------------------

I am creating a HTTPS File Transfer App using ASP.NET and C#. I am
utilizing ActiveDirectory and windows security to manage the
permissions. Why reinvent the wheel, right? Everything so far is
working well with the Active Directory. The problem I am having is
with adding File Permissions to a directory. I am currently using
some code courtesy of "Willy Denoyette [MVP]"

Problem:
----------------------------

When I try to add user permissions to a specific folder using the same
code in a sample console app it works correctly. When I execute the
code from ASP.NET I get a return code of 1307, every time.

Which means - 1307 This security ID may not be assigned as the owner
of this object. (http://www.hiteksoftware.com/mize/Kn...icles/049.htm).

Can anyone tell me why this is happening? Willy?

Environment:
----------------------------

I am developing with Framework 1.1 and Windows XP. The users are
coming from AD on a Windows 2003 Server.

I have given ASPNET object full access to the folder C:\test. I have
also given ASPNET object full access to Root/CIMV2 in
CompMgmt.msc/Services and Apps/WMI Control

Code:
----------------------------
The DsSettings Object is just a simple class that contains the Login
and Path information for LDAP.

using System;
using System.Management;

public bool GrantPermission(string username, string domain, DsSettings settings)
{
    try
    {
        // SID of the account that is being granted access, read from Active Directory
        byte[] bSid = (byte[])DsWrapper.GetUser(username, settings).DsEntry.Properties["objectSID"].Value;

        // Read the folder's current security descriptor through WMI
        ManagementObject LogicalFileSecuritySetting = new ManagementObject(
            new ManagementPath(@"ROOT\CIMV2:Win32_LogicalFileSecuritySetting.Path='c:\\test'"));
        ManagementBaseObject outParams;
        outParams = LogicalFileSecuritySetting.InvokeMethod("GetSecurityDescriptor", null, null);

        ManagementBaseObject Descriptor =
            ((ManagementBaseObject)(outParams.Properties["Descriptor"].Value));
        ManagementBaseObject[] DACLObject =
            ((ManagementBaseObject[])(Descriptor.Properties["DACL"].Value));

        ManagementObject newTrusteeUser =
            (new ManagementClass(@"ROOT\CIMV2:Win32_Trustee")).CreateInstance();
        newTrusteeUser["Domain"] = domain;
        newTrusteeUser["Name"] = username;
        newTrusteeUser["SID"] = bSid;

        ManagementObject newACEUser =
            (new ManagementClass(@"ROOT\CIMV2:Win32_Ace")).CreateInstance();
        newACEUser["Trustee"] = newTrusteeUser;
        newACEUser["AceFlags"] = 3;
        newACEUser["AceType"] = 0;
        newACEUser["AccessMask"] = 2032127; // Full Access Mask

        // Note: the existing DACL (DACLObject) is replaced by this single ACE
        ManagementBaseObject[] DACLObjectNew = new ManagementBaseObject[] { newACEUser };
        Descriptor.Properties["DACL"].Value = DACLObjectNew;
        ManagementBaseObject inParams = null;
        inParams = LogicalFileSecuritySetting.GetMethodParameters("SetSecurityDescriptor");
        inParams["Descriptor"] = Descriptor;
        outParams = LogicalFileSecuritySetting.InvokeMethod("SetSecurityDescriptor", inParams, null);

        // This line is where I get a result back of 1307 in ASP.NET
        uint result = (uint)(outParams.Properties["ReturnValue"].Value);

        LogicalFileSecuritySetting.Dispose();
        // Report failure to the caller instead of always returning true
        return result == 0;
    }
    catch (Exception)
    {
        // Rethrow without resetting the stack trace
        throw;
    }
}
Logs:
----------------------------
C:\WINDOWS\system32\WBEM\Logs\Framework.log
----------------------------
Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:06.093 thread:1916 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
Shell Name Explorer.exe in Registry not found in process list. 05/06/2004 09:39:06.203 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:06.203 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
Shell Name Explorer.exe in Registry not found in process list. 05/06/2004 09:39:07.968 thread:1916 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:07.984 thread:1916 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
Shell Name Explorer.exe in Registry not found in process list. 05/06/2004 09:39:07.984 thread:1916 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:08.000 thread:1916 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
Shell Name Explorer.exe in Registry not found in process list. 05/06/2004 09:39:08.093 thread:1916 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:08.093 thread:1916 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
Shell Name Explorer.exe in Registry not found in process list. 05/06/2004 09:39:08.203 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:08.203 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
Shell Name Explorer.exe in Registry not found in process list. 05/06/2004 09:39:08.218 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:08.218 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
Shell Name Explorer.exe in Registry not found in process list. 05/06/2004 09:39:08.312 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:08.312 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
Nov 16 '05 #1
9 Replies


Ben,

Your code runs as "ASPNET" and uses ASPNET's access token when connecting
to WMI; however, ASPNET has no privileges to change the filesystem object
ACLs.
So you need to run this code with elevated privileges. Here you have a
number of options:
- or, impersonate a power user (using your web config file, or in code),
- or, run this from a server type COM+ application, using a power user's
identity.
I would also suggest using the System.DirectoryServices namespace (and adding
a reference to Activeds.tlb) instead of WMI to manage FS ACLs; that way
you don't have to add System.Management stuff to your code, and you don't
have to care about WMI security settings.
Willy.


Nov 16 '05 #2
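
The "impersonate ... in code" option from the reply above, as an added example that is not code from any poster in this thread. It keeps the impersonation window limited to the ACL change and turns a non-zero ReturnValue into an exception. The class, method and delegate names are hypothetical, the ReturnValue is read as a Win32 error code the way the thread reads 1307, and the credentials are assumed to come from a protected store rather than from source code.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: all names below are hypothetical, not part of the thread's code.
public sealed class ScopedImpersonation
{
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // The privileged work; returns the ReturnValue of SetSecurityDescriptor.
    public delegate uint AclOperation();

    // Throws when the return code is non-zero, so a failed ACL change is
    // never reported to the caller as success.
    public static void ThrowOnFailure(uint returnValue)
    {
        if (returnValue != 0)
            throw new Win32Exception((int)returnValue);
    }

    // Runs 'operation' under the given account and always reverts to the
    // worker-process identity afterwards, even if the operation throws.
    public static void RunAs(string user, string domain, string password,
        AclOperation operation)
    {
        IntPtr token = IntPtr.Zero;
        WindowsImpersonationContext context = null;
        try
        {
            if (!LogonUser(user, domain, password,
                    LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
                throw new Win32Exception(Marshal.GetLastWin32Error());

            context = WindowsIdentity.Impersonate(token);
            ThrowOnFailure(operation());
        }
        finally
        {
            if (context != null) context.Undo();        // drop the elevated identity
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    }

    // Constructed demonstration: feeds the return code from the thread (1307)
    // through the check without touching any account or folder.
    public static void Main()
    {
        try
        {
            ThrowOnFailure(1307);
        }
        catch (Win32Exception e)
        {
            Console.WriteLine(e.NativeErrorCode + ": " + e.Message);
        }
    }
}
```

A caller would wrap the WMI call in a method that returns the ReturnValue and pass it as `new ScopedImpersonation.AclOperation(thatMethod)`.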

Willy,

How do I set up the impersonation through web.config?

I tried using this code below, but I kept getting a "The security ID
structure is invalid." error. Is this what you were talking about doing?

Also, have you ever heard of the Microsoft.Win32.Security Namespace
(http://www.gotdotnet.com/Community/U...ampleGuid=e6098575-dda0-48b8-9abf-e0705af065d9)? I was playing around with that a little
bit and it seemed to work. Are there any issues with using this namespace?

Code:
--------------------------------------
ADsSecurityUtilityClass secuUtil = new ADsSecurityUtilityClass();
object secuDesc = secuUtil.GetSecurityDescriptor(
    this.FolderName,
    (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
    (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);
if (secuDesc != null)
{
    // Since we asked for ADS_SD_FORMAT_IID format, that means the returned
    // object is IADsSecurityDescriptor. So we can use the methods on this
    // object to get more information about the security descriptor.
    ActiveDs.IADsSecurityDescriptor folderSD = (IADsSecurityDescriptor)secuDesc;

    AccessControlEntry newAce = new AccessControlEntryClass();
    ActiveDs.IADsAccessControlList folderAcl =
        (ActiveDs.IADsAccessControlList)folderSD.DiscretionaryAcl;

    newAce.AceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
    switch (permissionType)
    {
        case DsPermissionTypes.Read:
            newAce.AccessMask = DsPermissions.FILE_LIST_DIRECTORY;
            break;
        case DsPermissionTypes.Write:
            newAce.AccessMask = DsPermissions.FILE_ADD_FILE |
                DsPermissions.FILE_ADD_SUBDIRECTORY;
            break;
        case DsPermissionTypes.Delete:
            newAce.AccessMask = DsPermissions.FILE_DELETE_CHILD |
                DsPermissions.FILE_TRAVERSE;
            break;
        case DsPermissionTypes.ChangePermissions:
            newAce.AccessMask = DsPermissions.WRITE_DAC |
                DsPermissions.READ_CONTROL;
            break;
    }

    newAce.AceFlags = (int)ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE;
    newAce.Flags = (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT
        | (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT;

    newAce.AceType = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
    newAce.Trustee = @"bdewey";
    newAce.AccessMask = -1;

    string trustee = (domain==null)?username:domain + @"\" + username;
    newAce.Trustee = trustee;

    folderAcl.AddAce(newAce);
    folderSD.DiscretionaryAcl = folderAcl;

    secuUtil.SetSecurityDescriptor(this.FolderName,
        (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
        folderSD,
        (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);
}


Nov 16 '05 #3

Check 'em out

http://msdn.microsoft.com/library/de...ersonation.asp
http://msdn.microsoft.com/library/de...SecNetAP05.asp
http://msdn.microsoft.com/library/de...itysection.asp

Nov 16 '05 #4

Thanks a lot guys, it worked. I set up to impersonate the admin account and
this code works now. Thanks.
"Andy Gaskell" <pubb AT hotmail DOT com> wrote in message
news:eO**************@TK2MSFTNGP09.phx.gbl...
Check 'em out

http://msdn.microsoft.com/library/de...ersonation.asp http://msdn.microsoft.com/library/de...SecNetAP05.asp http://msdn.microsoft.com/library/de...itysection.asp

"Ben Dewey" <be*******@scientiae.com> wrote in message
news:Ob**************@TK2MSFTNGP12.phx.gbl...
Willy,

How do I set up the impersonation through web.config?

I tried using this code below, but I kept getting a "The security ID
structure is invalid." error. Is this what you were talking about doing?

Also, have you ever heard of the Microsoft.Win32.Security Namespace
(http://www.gotdotnet.com/Community/U...ampleGuid=e6098575-dda0-48b8-9abf-e0705af065d9). I was playing around with that a little
bit and it seemed to work. Are there any issues with using this namespace?

Code:
--------------------------------------
ADsSecurityUtilityClass secuUtil = new ADsSecurityUtilityClass();
object secuDesc = secuUtil.GetSecurityDescriptor(
    this.FolderName,
    (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
    (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID );
if (secuDesc != null)
{
    // Since we asked for ADS_SD_FORMAT_IID format, that means the returned
    // object is IADsSecurityDescriptor. So we can use the methods on this
    // object to get more information about the security descriptor.
    ActiveDs.IADsSecurityDescriptor folderSD = (IADsSecurityDescriptor)secuDesc;

    AccessControlEntry newAce = new AccessControlEntryClass();
    ActiveDs.IADsAccessControlList folderAcl =
        (ActiveDs.IADsAccessControlList)folderSD.DiscretionaryAcl;

    newAce.AceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
    switch (permissionType)
    {
        case DsPermissionTypes.Read:
            newAce.AccessMask = DsPermissions.FILE_LIST_DIRECTORY;
            break;
        case DsPermissionTypes.Write:
            newAce.AccessMask = DsPermissions.FILE_ADD_FILE |
                DsPermissions.FILE_ADD_SUBDIRECTORY;
            break;
        case DsPermissionTypes.Delete:
            newAce.AccessMask = DsPermissions.FILE_DELETE_CHILD |
                DsPermissions.FILE_TRAVERSE;
            break;
        case DsPermissionTypes.ChangePermissions:
            newAce.AccessMask = DsPermissions.WRITE_DAC |
                DsPermissions.READ_CONTROL;
            break;
    }

    newAce.AceFlags = (int)ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE;
    newAce.Flags = (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT |
        (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT;
    newAce.AceType = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
    newAce.Trustee = @"bdewey";
    newAce.AccessMask = -1;

    string trustee = (domain==null)?username:domain + @"\" + username;
    newAce.Trustee = trustee;

    folderAcl.AddAce(newAce);
    folderSD.DiscretionaryAcl = folderAcl;

    secuUtil.SetSecurityDescriptor(this.FolderName,
        (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
        folderSD,
        (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID );
}

"Willy Denoyette [MVP]" <wi*************@pandora.be> wrote in message
news:e0**************@tk2msftngp13.phx.gbl...
Ben,

Your code runs as "ASPNET" and uses ASPNET's access token when connecting to WMI, however, ASPNET has no privileges to change the filesystem object ACLs.
So you need to run this code with elevated privileges, here you have a number of options:
- or, impersonate a power user (using your web config file, or in code),
- or, run this from a server type COM+ application, using a power user's identity.
I would also suggest to use the System.DirectoryServices namespace (and add a reference to Activeds.tlb) instead of WMI to manage FS ACLs, that way you don't have to add System.Management stuff to your code, and you don't have to care about WMI security settings.
Willy.

Nov 16 '05 #5

P: n/a
One more question in regards to this. I was able to add a permission. Now,
what is the best way to go about revoking permissions? Is there a way to
find the AceEntry then get the Mask and do a
Mask ! GENERIC_WRITE.

Is there a logical operator to remove a flag?

If this is not possible I was thinking about
1. Finding the AceEntry
2. Saving it to a variable.
3. Removing the Entry
4. Recreating the Entry with the active permissions still available
5. Adding the AceEntry back.

Is this good?

Nov 16 '05 #6

P: n/a
You can simply use binary and unary operators to set or un-set bits, like
this...

[Flags]
enum Access : uint {
    // ...
    Delete = 0x00010000,
    // ...
}

// Reset delete bit (if set), keep other bits set
uint mask = Convert.ToUInt32(ace.Properties["AccessMask"].Value);
ace.Properties["AccessMask"].Value = mask & ~(uint)Access.Delete;

....

Willy.

Nov 16 '05 #7

P: n/a
Actually I figured it out. Thanks anyways. Anyone who wants to know how to
revoke or remove permissions from an NTFS Store using ActiveDs see the code
below.

DsPermissions is just a class that I use to generalize the permissions for
my needs.

// Requires a reference to Activeds.tlb and: using System; using System.Collections; using ActiveDs;
public bool RevokePermission(string username, string domain,
    DsPermissionTypes permissionType)
{
    try
    {
        ADsSecurityUtilityClass secuUtil = new ADsSecurityUtilityClass();
        object secuDesc = secuUtil.GetSecurityDescriptor(
            this.FolderName,
            (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
            (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);
        if (secuDesc != null)
        {
            // Since we asked for ADS_SD_FORMAT_IID format, that means the returned
            // object is IADsSecurityDescriptor. So we can use the methods on this
            // object to get more information about the security descriptor.
            ActiveDs.IADsSecurityDescriptor folderSD = (IADsSecurityDescriptor)secuDesc;
            ActiveDs.IADsAccessControlList folderAcl =
                (ActiveDs.IADsAccessControlList)folderSD.DiscretionaryAcl;
            // Find old Ace and Remove it.
            AccessControlEntry oldAce = null;
            // Get Ace enumerator.
            IEnumerator aceEnum = folderAcl.GetEnumerator();
            while (aceEnum.MoveNext())
            {
                // Get Information about Ace.
                ActiveDs.IADsAccessControlEntry ace =
                    (ActiveDs.IADsAccessControlEntry)aceEnum.Current;
                if (ace.Trustee.ToLower() == domain.ToLower() + @"\" + username.ToLower() ||
                    ace.Trustee.ToLower() == username.ToLower())
                {
                    switch (permissionType)
                    {
                        case DsPermissionTypes.Read:
                            if ((ace.AccessMask &
                                DsPermissions.FILE_GENERIC_READ) == DsPermissions.FILE_GENERIC_READ)
                                ace.AccessMask = ace.AccessMask ^ DsPermissions.FILE_GENERIC_READ;
                            break;
                        case DsPermissionTypes.Write:
                            if ((ace.AccessMask &
                                DsPermissions.FILE_GENERIC_WRITE) == DsPermissions.FILE_GENERIC_WRITE)
                                ace.AccessMask = ace.AccessMask ^ DsPermissions.FILE_GENERIC_WRITE;
                            break;
                        case DsPermissionTypes.Delete:
                            if ((ace.AccessMask & DsPermissions.DELETE) == DsPermissions.DELETE)
                                ace.AccessMask = ace.AccessMask ^ DsPermissions.DELETE ^
                                    DsPermissions.FILE_DELETE_CHILD;
                            break;
                        case DsPermissionTypes.ChangePermissions:
                            if ((ace.AccessMask & DsPermissions.WRITE_DAC) == DsPermissions.WRITE_DAC)
                                ace.AccessMask = ace.AccessMask ^ DsPermissions.READ_CONTROL ^
                                    DsPermissions.WRITE_DAC;
                            break;
                    }
                }
            }
            // Write the modified DACL back to the folder.
            folderSD.DiscretionaryAcl = folderAcl;
            secuUtil.SetSecurityDescriptor(this.FolderName,
                (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
                folderSD,
                (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);
            return true;
        }
        else
        {
            return false;
        }
    }
    catch(Exception exp)
    {
        throw exp;
    }
}

"Ben Dewey" <be*******@scientiae.com> wrote in message
news:O8**************@TK2MSFTNGP09.phx.gbl...
One more question in regards to this. I was able to add a permission. Now,
what is the best way to go about revoking permissions? Is there a way to
find the AceEntry then get the Mask and do a
Mask ! GENERIC_WRITE.

Is there a logical operator to remove a flag?

If this is not possible I was thinking about
1. Finding the AceEntry
2. Saving it to a variable.
3. Removing the Entry
4. Recreating the Entry with the active permissions still available
5. Adding the AceEntry back.

Is this good?
"Ben Dewey" <be*******@scientiae.com> wrote in message
news:O8*************@tk2msftngp13.phx.gbl...
Thanks a lot guys, it worked. I set up to impersonate the admin account and
this code works now. Thanks.
"Andy Gaskell" <pubb AT hotmail DOT com> wrote in message
news:eO**************@TK2MSFTNGP09.phx.gbl...
Check 'em out

http://msdn.microsoft.com/library/de...ersonation.asp

http://msdn.microsoft.com/library/de...SecNetAP05.asp

http://msdn.microsoft.com/library/de...itysection.asp


"Ben Dewey" <be*******@scientiae.com> wrote in message
news:Ob**************@TK2MSFTNGP12.phx.gbl...
> Willy,
>
> How do I set up the impersonation through web.config?
>
> I tried using this code below, but I kept getting a "The security ID
> structure is invalid." error. Is this what you were talking about doing?
>
> Also, have you ever heard of the Microsoft.Win32.Security Namespace
> (http://www.gotdotnet.com/Community/U...ampleGuid=e6098575-dda0-48b8-9abf-e0705af065d9).
> I was playing around with that a little
> bit and it seemed to work. Are there any issues with using this namespace?
>
> Code:
> --------------------------------------
> ADsSecurityUtilityClass secuUtil = new ADsSecurityUtilityClass();
> object secuDesc = secuUtil.GetSecurityDescriptor(
>     this.FolderName,
>     (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
>     (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);
> if (secuDesc != null)
> {
>     // Since we asked for ADS_SD_FORMAT_IID format, that means the returned
>     // object is IADsSecurityDescriptor. So we can use the methods on this
>     // object to get more information about the security descriptor.
>     ActiveDs.IADsSecurityDescriptor folderSD =
>         (IADsSecurityDescriptor)secuDesc;
>
>     AccessControlEntry newAce = new AccessControlEntryClass();
>     ActiveDs.IADsAccessControlList folderAcl =
>         (ActiveDs.IADsAccessControlList)folderSD.DiscretionaryAcl;
>
>     newAce.AceType =
>         (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
>     switch (permissionType)
>     {
>         case DsPermissionTypes.Read:
>             newAce.AccessMask = DsPermissions.FILE_LIST_DIRECTORY;
>             break;
>         case DsPermissionTypes.Write:
>             newAce.AccessMask = DsPermissions.FILE_ADD_FILE |
>                 DsPermissions.FILE_ADD_SUBDIRECTORY;
>             break;
>         case DsPermissionTypes.Delete:
>             newAce.AccessMask = DsPermissions.FILE_DELETE_CHILD |
>                 DsPermissions.FILE_TRAVERSE;
>             break;
>         case DsPermissionTypes.ChangePermissions:
>             newAce.AccessMask = DsPermissions.WRITE_DAC |
>                 DsPermissions.READ_CONTROL;
>             break;
>     }
>
>     newAce.AceFlags=(int)ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE;
>     newAce.Flags=(int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT |
>         (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT;
>
>     newAce.AceType = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
>     newAce.Trustee = @"bdewey";
>     newAce.AccessMask = -1;
>
>     string trustee = (domain==null)?username:domain + @"\" + username;
>     newAce.Trustee = trustee;
>
>     folderAcl.AddAce(newAce);
>     folderSD.DiscretionaryAcl = folderAcl;
>
>     secuUtil.SetSecurityDescriptor(this.FolderName,
>         (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
>         folderSD,
>         (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);
> }
>
> "Willy Denoyette [MVP]" <wi*************@pandora.be> wrote in message
> news:e0**************@tk2msftngp13.phx.gbl...
> > Ben,
> >
> > Your code runs as "ASPNET" and uses ASPNET's access token when connecting
> > to WMI, however, ASPNET has no privileges to change the filesystem object
> > ACL's.
> > So you need to run this code with elevated privileges, here you have a
> > number of options:
> > - or, impersonate a power user (using your web config file, or in code),
> > - or, run this from a server type COM+ application, using a power user's
> > identity.
> > I would also suggest to use the System.DirectoryServices namespace (and add
> > a reference to Activeds.tlb) instead of WMI to manage FS ACL's, that way
> > you don't have to add System.Management stuff to your code, and you don't
> > have to care about WMI security settings.
> >
> >
> > Willy.
Nov 16 '05 #8

P: n/a
I am assuming that

["AccessMask"].Value & (~Access.Delete);
is the same as
["AccessMask"].Value ^ Access.Delete;

If so I got it right. See my other post.
"Willy Denoyette [MVP]" <wi*************@pandora.be> wrote in message
news:Oy**************@TK2MSFTNGP12.phx.gbl...
You can simply use binary and unary operators to set un-set bits, like
this...

enum Access {
    ..
    Delete = 0x00010000,
    ..
}

// Reset delete bit (if set), keep other bits set
ace.Properties["AccessMask"].Value = ace.Properties["AccessMask"].Value & (~Access.Delete);

...

Willy.
Nov 16 '05 #9
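
The mask arithmetic behind the RevokePermission code in post #8 and the `& ~` versus `^` comparison in post #9, isolated as an added C# example that is not part of the thread. The class and method names are hypothetical, the sample masks are constructed, and the constants are the standard Windows access-right values.

```csharp
using System;

// Added illustration, not code from the thread. AccessMaskDemo and its
// method names are hypothetical; the constants are the standard Windows
// access-right values.
static class AccessMaskDemo
{
    const int FILE_DELETE_CHILD  = 0x00000040;
    const int DELETE             = 0x00010000;
    const int READ_CONTROL       = 0x00020000;
    const int SYNCHRONIZE        = 0x00100000;
    const int FILE_GENERIC_READ  = 0x00120089;
    const int FILE_GENERIC_WRITE = 0x00120116;

    // The write bits that FILE_GENERIC_READ does not also contain.
    const int WRITE_ONLY_BITS = FILE_GENERIC_WRITE & ~(READ_CONTROL | SYNCHRONIZE);

    // XOR toggles: a right that is set is cleared, a right that is clear is granted.
    static int ToggleBits(int mask, int rights) { return mask ^ rights; }

    // AND with the complement only ever clears, so it is safe to call unconditionally.
    static int ClearBits(int mask, int rights) { return mask & ~rights; }

    // The Delete branch as posted: the guard tests DELETE only, then XORs
    // both DELETE and FILE_DELETE_CHILD.
    static int RevokeDeleteAsPosted(int mask)
    {
        if ((mask & DELETE) == DELETE)
            mask = mask ^ DELETE ^ FILE_DELETE_CHILD;
        return mask;
    }

    // The same revoke written with AND-NOT.
    static int RevokeDelete(int mask)
    {
        return ClearBits(mask, DELETE | FILE_DELETE_CHILD);
    }

    static bool HasAll(int mask, int rights) { return (mask & rights) == rights; }

    static string Hex(int v) { return "0x" + v.ToString("X8"); }

    static void Main()
    {
        // Constructed sample masks.
        int readOnly      = FILE_GENERIC_READ;
        int readAndDelete = FILE_GENERIC_READ | DELETE;
        int readAndWrite  = FILE_GENERIC_READ | FILE_GENERIC_WRITE;

        // Case 1: revoking a right the ACE never had.
        Console.WriteLine("revoke DELETE from a read-only ACE");
        Console.WriteLine("  mask ^ DELETE   = " + Hex(ToggleBits(readOnly, DELETE))
            + "  DELETE granted: " + HasAll(ToggleBits(readOnly, DELETE), DELETE));
        Console.WriteLine("  mask & ~DELETE  = " + Hex(ClearBits(readOnly, DELETE))
            + "  DELETE granted: " + HasAll(ClearBits(readOnly, DELETE), DELETE));

        // Case 2: the guard covers one bit but the XOR touches two.
        int posted = RevokeDeleteAsPosted(readAndDelete);
        int cleared = RevokeDelete(readAndDelete);
        Console.WriteLine("revoke Delete from a read+DELETE ACE");
        Console.WriteLine("  as posted       = " + Hex(posted)
            + "  FILE_DELETE_CHILD granted: " + HasAll(posted, FILE_DELETE_CHILD));
        Console.WriteLine("  with AND-NOT    = " + Hex(cleared)
            + "  FILE_DELETE_CHILD granted: " + HasAll(cleared, FILE_DELETE_CHILD));

        // Case 3: FILE_GENERIC_READ and FILE_GENERIC_WRITE share READ_CONTROL
        // and SYNCHRONIZE. Removing the whole write mask strips them from the
        // read grant, so a later "is FILE_GENERIC_READ fully set?" guard fails
        // and the remaining read-data bits are never revoked.
        int afterWholeMask = ClearBits(readAndWrite, FILE_GENERIC_WRITE);
        int afterWriteOnly = ClearBits(readAndWrite, WRITE_ONLY_BITS);
        Console.WriteLine("revoke Write from a read+write ACE");
        Console.WriteLine("  whole write mask = " + Hex(afterWholeMask)
            + "  read guard matches: " + HasAll(afterWholeMask, FILE_GENERIC_READ));
        Console.WriteLine("  write-only bits  = " + Hex(afterWriteOnly)
            + "  read guard matches: " + HasAll(afterWriteOnly, FILE_GENERIC_READ));
    }
}
```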

P: n/a
Ben,

No it's not, you are flipping the bit when using XOR (^), so in your
sample:

["AccessMask"].Value ^ Access.Delete;

When Delete was set, you turn it OFF, but if it was not set you turn it ON,
I don't think this is what you want.

Willy.
"Ben Dewey" <be*******@scientiae.com> wrote in message
news:uo*************@TK2MSFTNGP11.phx.gbl...
I am assuming that

["AccessMask"].Value & (~Access.Delete);
is the same as
["AccessMask"].Value ^ Access.Delete;

If so I got it right. see my other post.
"Willy Denoyette [MVP]" <wi*************@pandora.be> wrote in message
news:Oy**************@TK2MSFTNGP12.phx.gbl...
You can simply use binary and unary operators to set un-set bits, like
this...

enum Access {
..
Delete = 0x00010000;
..

}

// Reset delete bit (if set), keep other bits set
ace.Properties["AccessMask"].Value = ace.Properties["AccessMask"].Value
&(~Access.Delete);

...

Willy.
"Ben Dewey" <be*******@scientiae.com> wrote in message
news:O8**************@TK2MSFTNGP09.phx.gbl...
> One more question in regards to this. I was able to add a permission.
> Now,
> what is the best way to go about revoking permissions? Is there away
> to
> Find the AceEntry then get the Mask and do a
> Mask ! GENERIC_WRITE.
>
> Is there a logical operator to remove a flag?
>
> If this is not possible I am was thinking about
> 1. Finding the AceEntry
> 2. Saving it to a variable.
> 3. Removing the Entry
> 4. Recreating the Entry with the active permissions still available
> 5. Adding the AceEntry back.
>
> Is this good?
> "Ben Dewey" <be*******@scientiae.com> wrote in message
> news:O8*************@tk2msftngp13.phx.gbl...
>> Thanks alot guys it worked. I set up to impersonate the admin account
>> and
>> this code works now. Thanks.
>> "Andy Gaskell" <pubb AT hotmail DOT com> wrote in message
>> news:eO**************@TK2MSFTNGP09.phx.gbl...
>> > Check 'em out
>> >
>> >
>>
> http://msdn.microsoft.com/library/de...ersonation.asp >> >
>>
> http://msdn.microsoft.com/library/de...SecNetAP05.asp >> >
>>
> http://msdn.microsoft.com/library/de.../en-us/cpgenre f/html/gngrfidentitysection.asp >> >
>> >
>> > "Ben Dewey" <be*******@scientiae.com> wrote in message
>> > news:Ob**************@TK2MSFTNGP12.phx.gbl...
>> > > Willy,
>> > >
>> > > How do I set up the impersonation through web.config?
>> > >
>> > > I tried using this code below, but I kept getting a "The security ID >> > > structure is invalid." error. Is this what you were talking about
>> doing?
>> > >
>> > > Also, have you ever heard of the Microsoft.Win32.Security
>> > > Namespace
>> > >
>> >
>>
> (http://www.gotdotnet.com/Community/U...ampleGuid=e609 >> > > 8575-dda0-48b8-9abf-e0705af065d9). I was playing around with that a >> > little
>> > > bit and it seemed to work. Are there any issues with using this
>> > namespace?
>> > >
>> > >
>> > > Code:
>> > > --------------------------------------
>> > > ADsSecurityUtilityClass secuUtil = new ADsSecurityUtilityClass();
>> > > object secuDesc = secuUtil.GetSecurityDescriptor(
>> > > this.FolderName,
>> > > (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
>> > > (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID );
>> > > if (secuDesc != null)
>> > > {
>> > > // Since we asked for ADS_SD_FORMAT_IID format, that means the
> returned
>> > > // object is IADsSecurityDescriptor. So we can use the methods on
>> > > this
>> > > // object to get more information about the secutity descrptor.
>> > > ActiveDs.IADsSecurityDescriptor folderSD =
>> > (IADsSecurityDescriptor)secuDesc;
>> > >
>> > > AccessControlEntry newAce = new AccessControlEntryClass();
>> > > ActiveDs.IADsAccessControlList folderAcl =
>> > > (ActiveDs.IADsAccessControlList)folderSD.Discretio naryAcl;
>> > >
>> > > newAce.AceType =
>> > (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ ALLOWED;
>> > > switch (permissionType)
>> > > {
>> > > case DsPermissionTypes.Read:
>> > > newAce.AccessMask = DsPermissions.FILE_LIST_DIRECTORY;
>> > > break;
>> > > case DsPermissionTypes.Write:
>> > > newAce.AccessMask = DsPermissions.FILE_ADD_FILE |
>> > > DsPermissions.FILE_ADD_SUBDIRECTORY;
>> > > break;
>> > > case DsPermissionTypes.Delete:
>> > > newAce.AccessMask = DsPermissions.FILE_DELETE_CHILD |
>> > > DsPermissions.FILE_TRAVERSE;
>> > > break;
>> > > case DsPermissionTypes.ChangePermissions:
>> > > newAce.AccessMask = DsPermissions.WRITE_DAC |
>> > > DsPermissions.READ_CONTROL;
>> > > break;
>> > > }
>> > >
>> > >
> newAce.AceFlags=(int)ActiveDs.ADS_ACEFLAG_ENUM.ADS _ACEFLAG_INHERIT_ACE;
>> > >
>> newAce.Flags=(int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_F LAG_OBJECT_TYPE_PRESENT >> > > |
>> (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_INHERITED _OBJECT_TYPE_PRESENT;
>> > >
>> > > newAce.AceType = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
>> > > newAce.Trustee = @"bdewey";
>> > > newAce.AccessMask = -1;
>> > >
>> > > string trustee = (domain==null)?username:domain + @"\" + username;
>> > > newAce.Trustee = trustee;
>> > >
>> > > folderAcl.AddAce(newAce);
>> > > folderSD.DiscretionaryAcl = folderAcl;
>> > >
>> > > secuUtil.SetSecurityDescriptor(this.FolderName,
>> > > (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
>> > > folderSD,
>> > > (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID );
>> > > }
>> > >
>> > > "Willy Denoyette [MVP]" <wi*************@pandora.be> wrote in message
>> > > news:e0**************@tk2msftngp13.phx.gbl...
>> > > > Ben,
>> > > >
>> > > > Your code runs as "ASPNET" and uses ASPNET's access token when connecting
>> > > > to WMI, however, ASPNET has no privileges to change the filesystem object
>> > > > ACLs.
>> > > > So you need to run this code with elevated privileges, here you have a
>> > > > number of options:
>> > > > - or, impersonate a power user (using your web config file, or in code),
>> > > > - or, run this from a server type COM+ application, using a power user's
>> > > > identity.
>> > > > I would also suggest to use the System.DirectoryServices namespace (and add
>> > > > a reference to Activeds.tlb) instead of WMI to manage FS ACLs, that way
>> > > > you don't have to add System.Management stuff to your code, and you don't
>> > > > have to care about WMI security settings.
>> > > >
>> > > >
>> > > > Willy.
>> > > >
>> > > > "Ben Dewey" <bd******@hotmail.com> wrote in message
>> > > > news:a7***********************@posting.google.com...
>> > > > > Project:
>> > > > > ----------------------------
>> > > > >
>> > > > > I am creating a HTTPS File Transfer App using ASP.NET and C#. I am
>> > > > > utilizing ActiveDirectory and windows security to manage the
>> > > > > permissions. Why reinvent the wheel, right? Everything so far is
>> > > > > working well with the Active Directory. The problem I am having is
>> > > > > with adding File Permissions to a directory. I am currently using
>> > > > > some code courtesy of "Willy Denoyette [MVP]"
>> > > > >
>> > > > > Problem:
>> > > > > ----------------------------
>> > > > >
>> > > > > When I try to add user permissions to a specific folder using the same
>> > > > > code in a sample console app it works correctly. When I execute the
>> > > > > code from ASP.NET I get a return code of 1307, every time.
>> > > > >
>> > > > > Which means - 1307 This security ID may not be assigned as the owner
>> > > > > of this object.
>> > > > > (http://www.hiteksoftware.com/mize/Kn...icles/049.htm).
>> > > > >
>> > > > > Can anyone tell me why this is happening? Willy?
>> > > > >
>> > > > > Environment:
>> > > > > ----------------------------
>> > > > >
>> > > > > I am developing with Framework 1.1 and Windows XP. The users are
>> > > > > coming from AD on a Windows 2003 Server.
>> > > > >
>> > > > > I have given ASPNET object full access to the folder C:\test. I have
>> > > > > also given ASPNET object full access to Root/CIMV2 in
>> > > > > CompMgmt.msc/Services and Apps/WMI Control
>> > > > >
>> > > > > Code:
>> > > > > ----------------------------
>> > > > > The DsSettings Object is just a simple class that contains the Login
>> > > > > and Path information for LDAP.
>> > > > >
>> > > > >
>> > > > > public bool GrantPermission(string username, string domain, DsSettings
>> > > > > settings)
>> > > > > {
>> > > > > try
>> > > > > {
>> > > > >
>> > > > > byte[] bSid = (byte[])DsWrapper.GetUser(username,
>> > > > > settings).DsEntry.Properties["objectSID"].Value;
>> > > > > ManagementObject LogicalFileSecuritySetting = new
>> > > > > ManagementObject( new ManagementPath(
>> > > > > @"ROOT\CIMV2:Win32_LogicalFileSecuritySetting.Path ='c:\\test'") );
>> > > > > ManagementBaseObject outParams;
>> > > > > outParams =
>> > > > > LogicalFileSecuritySetting.InvokeMethod("GetSecurityDescriptor",
>> > > > > null, null);
>> > > > >
>> > > > > ManagementBaseObject Descriptor =
>> > > > > ((ManagementBaseObject)(outParams.Properties["Descriptor"].Value));
>> > > > > ManagementBaseObject[] DACLObject = ( ( ManagementBaseObject[] )(
>> > > > > Descriptor.Properties["DACL"].Value ) );
>> > > > >
>> > > > > ManagementObject newTrusteeUser = ( new ManagementClass(
>> > > > > @"ROOT\CIMV2:Win32_Trustee" ) ).CreateInstance();
>> > > > > newTrusteeUser["Domain"] = domain;
>> > > > > newTrusteeUser["Name"] = username;
>> > > > > newTrusteeUser["SID"] = bSid;
>> > > > >
>> > > > > ManagementObject newACEUser = ( new ManagementClass(
>> > > > > @"ROOT\CIMV2:Win32_Ace" ) ).CreateInstance();
>> > > > > newACEUser["Trustee"] = newTrusteeUser;
>> > > > > newACEUser["AceFlags"] = 3;
>> > > > > newACEUser["AceType"] = 0;
>> > > > > newACEUser["AccessMask"] = 2032127;// Full Access Mask
>> > > > > ManagementBaseObject[] DACLObjectNew = new ManagementBaseObject[]
>> > > > > {newACEUser};
>> > > > > Descriptor.Properties["DACL"].Value = DACLObjectNew;
>> > > > > ManagementBaseObject inParams = null;
>> > > > > inParams =
>> > > > > LogicalFileSecuritySetting.GetMethodParameters("SetSecurityDescriptor");
>> > > > > inParams["Descriptor"] = Descriptor;
>> > > > > outParams =
>> > > > > LogicalFileSecuritySetting.InvokeMethod("SetSecurityDescriptor",
>> > > > > inParams, null);
>> > > > >
>> > > > > // This line is where I get a result back of 1307 in ASP.NET
>> > > > > uint result=
>> > > > > (uint)(outParams.Properties["ReturnValue"].Value);
>> > > > >
>> > > > > LogicalFileSecuritySetting.Dispose();
>> > > > > return true;
>> > > > > }
>> > > > > catch(Exception exp)
>> > > > > {
>> > > > > throw exp;
>> > > > > }
>> > > > > }
>> > > > >
>> > > > >
>> > > > > Logs:
>> > > > > ----------------------------
>> > > > > C:\WINDOWS\system32\WBEM\Logs\Framework.log
>> > > > > ----------------------------
>> > > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:06.093 thread:1916
>> > > > > [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
>> > > > > Shell Name Explorer.exe in Registry not found in process list. 05/06/2004 09:39:06.203 thread:2540
>> > > > > [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
>> > > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:06.203 thread:2540
>> > > > > [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
>> > > > > Shell Name Explorer.exe in Registry not found in process list. 05/06/2004 09:39:07.968 thread:1916
>> > > > > [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
>> > > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:07.984 thread:1916
>> > > > > [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
>> > > > > Shell Name Explorer.exe in Registry not found in process list. 05/06/2004 09:39:07.984 thread:1916
>> > > > > [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
>> > > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:08.000 thread:1916
>> > > > > [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
>> > > > > Shell Name Explorer.exe in Registry not found in process list. 05/06/2004 09:39:08.093 thread:1916
>> > > > > [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
>> > > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:08.093 thread:1916
>> > > > > [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
>> > > > > Shell Name Explorer.exe in Registry not found in process list. 05/06/2004 09:39:08.203 thread:2540
>> > > > > [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
>> > > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:08.203 thread:2540
>> > > > > [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
>> > > > > Shell Name Explorer.exe in Registry not found in process list. 05/06/2004 09:39:08.218 thread:2540
>> > > > > [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
>> > > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:08.218 thread:2540
>> > > > > [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
>> > > > > Shell Name Explorer.exe in Registry not found in process list. 05/06/2004 09:39:08.312 thread:2540
>> > > > > [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
>> > > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:08.312 thread:2540
>> > > > > [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]

Nov 16 '05 #10
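
An added example, not code from this thread or from any of its posters: it adds a single allow ACE to a folder's existing DACL rather than replacing the DACL, and prints the identity whose token makes the call, which is the point the quoted reply raises about ASPNET. It assumes .NET Framework 2.0 or later (the System.Security.AccessControl classes are not available on the Framework 1.1 used in the thread); the class name, the account name and the choice of ReadAndExecute are illustrative assumptions.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class FolderAclExample
{
    // Adds one allow ACE for `account` to the folder's existing DACL.
    // Existing ACEs are kept; the DACL is the only section modified.
    public static void Grant(string folder, string account, FileSystemRights rights)
    {
        DirectoryInfo dir = new DirectoryInfo(folder);
        // Request only the DACL section of the security descriptor.
        DirectorySecurity sd = dir.GetAccessControl(AccessControlSections.Access);
        FileSystemAccessRule rule = new FileSystemAccessRule(
            new NTAccount(account),
            rights,
            // Same inheritance as AceFlags = 3 in the thread's WMI code:
            // OBJECT_INHERIT_ACE (1) | CONTAINER_INHERIT_ACE (2).
            InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit,
            PropagationFlags.None,
            AccessControlType.Allow);

        sd.AddAccessRule(rule);      // merge into the DACL, do not replace it
        dir.SetAccessControl(sd);    // caller's token needs WRITE_DAC on the folder
    }

    static int Main(string[] args)
    {
        // Placeholder values (assumptions): pass real ones on the command line.
        string folder  = args.Length > 0 ? args[0] : @"C:\test";
        string account = args.Length > 1 ? args[1] : @"EXAMPLEDOMAIN\exampleuser";
        // Shows which token the call runs under (ASPNET, an impersonated user, ...).
        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);
        try
        {
            // Read and list only, instead of the 2032127 (0x1F01FF) full-control mask.
            Grant(folder, account, FileSystemRights.ReadAndExecute);
            Console.WriteLine("ACE added to " + folder);
            return 0;
        }
        catch (UnauthorizedAccessException ex)
        {
            Console.WriteLine("Access denied: " + ex.Message);
            return 1;
        }
    }
}
```

If the identity printed is one that lacks WRITE_DAC on the folder, the call fails with UnauthorizedAccessException and the folder's ACL is left unchanged.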
