Error 1307: Adding File Permissions to NTFS using System.Management Object in ASP.NET

Project:
----------------------------

I am creating a HTTPS File Transfer App using ASP.NET and C#. I am
utilizing ActiveDirectory and windows security to manage the
permissions. Why reinvent the wheel, right? Everything so far is
working well with the Active Directory. The problem I am having is
with adding File Permissions to a directory. I am currently using
some code courtesy of "Willy Denoyette [MVP]"

Problem:
----------------------------

When I try to add user permissions to a specific folder using the same
code in a sample console app it works correctly. When I execute the
code from ASP.NET I get a return code of 1307, everytime.

Which means - 1307 This security ID may not be assigned as the owner
of this object.
(http://www.hiteksoftware.com/mize/Kn...icles/049.htm).

Can anyone tell me why this is happening? Willy?

Environment:
----------------------------

I am developing with Framework 1.1 and Windows XP. The users are
coming from AD on a Windows 2003 Server.

I have given ASPNET object full access to the folder C:\test. I have
also give ASPNET object full access to Root/CIMV2 in
CompMgmt.msc/Services and Apps/WMI Control

Code:
----------------------------
The DsSettings Object is just a simple class tht contains the Login
and Path information for LDAP.
public bool GrantPermission(string username, string domain, DsSettings
settings)
{
try
{

byte[] bSid = (byte[])DsWrapper.GetUser(username,
settings).DsEntry.Properties["objectSID"].Value;
ManagementObject LogicalFileSecuritySetting = new
ManagementObject( new ManagementPath(
@"ROOT\CIMV2:Win32_LogicalFileSecuritySetting.Path ='c:\\test'") );
ManagementBaseObject outParams;
outParams =
LogicalFileSecuritySetting.InvokeMethod("GetSecuri tyDescriptor",
null, null);

ManagementBaseObject Descriptor =
((ManagementBaseObject)(outParams.Properties["Descriptor"].Value));
ManagementBaseObject[] DACLObject = ( ( ManagementBaseObject[] )(
Descriptor.Properties["DACL"].Value ) );

ManagementObject newTrusteeUser = ( new ManagementClass(
@"ROOT\CIMV2:Win32_Trustee" ) ).CreateInstance();
newTrusteeUser["Domain"] = domain;
newTrusteeUser["Name"] = username;
newTrusteeUser["SID"] = bSid;

ManagementObject newACEUser = ( new ManagementClass(
@"ROOT\CIMV2:Win32_Ace" ) ).CreateInstance();
newACEUser["Trustee"] = newTrusteeUser;
newACEUser["AceFlags"] = 3;
newACEUser["AceType"] = 0;
newACEUser["AccessMask"] = 2032127;// Full Access Mask
ManagementBaseObject[] DACLObjectNew = new ManagementBaseObject[]
{newACEUser};
Descriptor.Properties["DACL"].Value = DACLObjectNew;
ManagementBaseObject inParams = null;
inParams =
LogicalFileSecuritySetting.GetMethodParameters("Se tSecurityDescriptor");
inParams["Descriptor"] = Descriptor;
outParams =
LogicalFileSecuritySetting.InvokeMethod("SetSecuri tyDescriptor",
inParams, null);

// This line is where I get a result back of 1307 in ASP.NET
uint result= (uint)(outParams.Properties["ReturnValue"].Value);

LogicalFileSecuritySetting.Dispose();
return true;
}
catch(Exception exp)
{
throw exp;
}
}
Logs:
----------------------------
C:\WINDOWS\system32\WBEM\Logs\Framework.log
----------------------------
Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:06.093 thread:1916
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179]
Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:06.203 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:06.203 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179]
Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:07.968 thread:1916
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:07.984 thread:1916
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179]
Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:07.984 thread:1916
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:08.000 thread:1916
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179]
Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:08.093 thread:1916
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:08.093 thread:1916
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179]
Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:08.203 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:08.203 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179]
Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:08.218 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:08.218 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179]
Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:08.312 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:08.312 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179]

Ben,

Your code run's as "ASPNET" and uses ASPNET's access token when connecting
to WMI, however, ASPNET has no privileges to change the filesystem object
ACL's.
So you need to run this code with elevated privileges, here you have a
number of options:
- or, impersonate a power user (using your web config file, or in code),
- or, run this from a server type COM+ application, using a power user's
identity.
I would also suggest to use the System.DirectoryServices namespace (and add a reference to Activeds.tlb) instead of WMI to manage FS ACL's, that way
you don't have to add System.Management stuff to your code, and you don't
have to care about WMI security settings.
Willy.

"Ben Dewey" <bd******@hotmail.com> wrote in message
news:a7***********************@posting.google.com. ..

Project:
----------------------------

I am creating a HTTPS File Transfer App using ASP.NET and C#. I am
utilizing ActiveDirectory and windows security to manage the
permissions. Why reinvent the wheel, right? Everything so far is
working well with the Active Directory. The problem I am having is
with adding File Permissions to a directory. I am currently using
some code courtesy of "Willy Denoyette [MVP]"

Problem:
----------------------------

When I try to add user permissions to a specific folder using the same
code in a sample console app it works correctly. When I execute the
code from ASP.NET I get a return code of 1307, everytime.

Which means - 1307 This security ID may not be assigned as the owner
of this object.
(http://www.hiteksoftware.com/mize/Kn...icles/049.htm).

Can anyone tell me why this is happening? Willy?

Environment:
----------------------------

I am developing with Framework 1.1 and Windows XP. The users are
coming from AD on a Windows 2003 Server.

I have given ASPNET object full access to the folder C:\test. I have
also give ASPNET object full access to Root/CIMV2 in
CompMgmt.msc/Services and Apps/WMI Control

Code:
----------------------------
The DsSettings Object is just a simple class tht contains the Login
and Path information for LDAP.
public bool GrantPermission(string username, string domain, DsSettings
settings)
{
try
{

byte[] bSid = (byte[])DsWrapper.GetUser(username,
settings).DsEntry.Properties["objectSID"].Value;
ManagementObject LogicalFileSecuritySetting = new
ManagementObject( new ManagementPath(
@"ROOT\CIMV2:Win32_LogicalFileSecuritySetting.Path ='c:\\test'") );
ManagementBaseObject outParams;
outParams =
LogicalFileSecuritySetting.InvokeMethod("GetSecuri tyDescriptor",
null, null);

ManagementBaseObject Descriptor =
((ManagementBaseObject)(outParams.Properties["Descriptor"].Value));
ManagementBaseObject[] DACLObject = ( ( ManagementBaseObject[] )(
Descriptor.Properties["DACL"].Value ) );

ManagementObject newTrusteeUser = ( new ManagementClass(
@"ROOT\CIMV2:Win32_Trustee" ) ).CreateInstance();
newTrusteeUser["Domain"] = domain;
newTrusteeUser["Name"] = username;
newTrusteeUser["SID"] = bSid;

ManagementObject newACEUser = ( new ManagementClass(
@"ROOT\CIMV2:Win32_Ace" ) ).CreateInstance();
newACEUser["Trustee"] = newTrusteeUser;
newACEUser["AceFlags"] = 3;
newACEUser["AceType"] = 0;
newACEUser["AccessMask"] = 2032127;// Full Access Mask
ManagementBaseObject[] DACLObjectNew = new ManagementBaseObject[]
{newACEUser};
Descriptor.Properties["DACL"].Value = DACLObjectNew;
ManagementBaseObject inParams = null;
inParams =
LogicalFileSecuritySetting.GetMethodParameters("Se tSecurityDescriptor");
inParams["Descriptor"] = Descriptor;
outParams =
LogicalFileSecuritySetting.InvokeMethod("SetSecuri tyDescriptor",
inParams, null);

// This line is where I get a result back of 1307 in ASP.NET
uint result= (uint)(outParams.Properties["ReturnValue"].Value);

LogicalFileSecuritySetting.Dispose();
return true;
}
catch(Exception exp)
{
throw exp;
}
}
Logs:
----------------------------
C:\WINDOWS\system32\WBEM\Logs\Framework.log
----------------------------
Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:06.093 thread:1916
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179
] Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:06.203 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163
] Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:06.203 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179
] Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:07.968 thread:1916
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163
] Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:07.984 thread:1916
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179
] Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:07.984 thread:1916
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163
] Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:08.000 thread:1916
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179
] Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:08.093 thread:1916
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163
] Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:08.093 thread:1916
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179
] Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:08.203 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163
] Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:08.203 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179
] Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:08.218 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163
] Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:08.218 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179
] Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:08.312 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163
] Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:08.312 thread:2540

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179
]

Willy,

How do I set up the impersonation through web.config?

I tried using this code below, but I kept getting a "The security ID
structure is invalid." error. Is this what you were talking about doing?

Also, have you ever heard of the Microsoft.Win32.Security Namespace
(http://www.gotdotnet.com/Community/U...ampleGuid=e609 8575-dda0-48b8-9abf-e0705af065d9). I was playing around with that a little bit and it seemed to work. Are there any issues with using this namespace?

Code:
--------------------------------------
ADsSecurityUtilityClass secuUtil = new ADsSecurityUtilityClass();
object secuDesc = secuUtil.GetSecurityDescriptor(
this.FolderName,
(int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
(int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID );
if (secuDesc != null)
{
// Since we asked for ADS_SD_FORMAT_IID format, that means the returned
// object is IADsSecurityDescriptor. So we can use the methods on this
// object to get more information about the secutity descrptor.
ActiveDs.IADsSecurityDescriptor folderSD = (IADsSecurityDescriptor)secuDesc;
AccessControlEntry newAce = new AccessControlEntryClass();
ActiveDs.IADsAccessControlList folderAcl =
(ActiveDs.IADsAccessControlList)folderSD.Discretio naryAcl;

newAce.AceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ ALLOWED; switch (permissionType)
{
case DsPermissionTypes.Read:
newAce.AccessMask = DsPermissions.FILE_LIST_DIRECTORY;
break;
case DsPermissionTypes.Write:
newAce.AccessMask = DsPermissions.FILE_ADD_FILE |
DsPermissions.FILE_ADD_SUBDIRECTORY;
break;
case DsPermissionTypes.Delete:
newAce.AccessMask = DsPermissions.FILE_DELETE_CHILD |
DsPermissions.FILE_TRAVERSE;
break;
case DsPermissionTypes.ChangePermissions:
newAce.AccessMask = DsPermissions.WRITE_DAC |
DsPermissions.READ_CONTROL;
break;
}

newAce.AceFlags=(int)ActiveDs.ADS_ACEFLAG_ENUM.ADS _ACEFLAG_INHERIT_ACE;
newAce.Flags=(int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_F LAG_OBJECT_TYPE_PRESENT
| (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_INHERITED _OBJECT_TYPE_PRESENT;

newAce.AceType = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
newAce.Trustee = @"bdewey";
newAce.AccessMask = -1;

string trustee = (domain==null)?username:domain + @"\" + username;
newAce.Trustee = trustee;

folderAcl.AddAce(newAce);
folderSD.DiscretionaryAcl = folderAcl;

secuUtil.SetSecurityDescriptor(this.FolderName,
(int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
folderSD,
(int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID );
}

"Willy Denoyette [MVP]" <wi*************@pandora.be> wrote in message
news:e0**************@tk2msftngp13.phx.gbl...

Ben,

Your code run's as "ASPNET" and uses ASPNET's access token when connecting

to WMI, however, ASPNET has no privileges to change the filesystem object ACL's.
So you need to run this code with elevated privileges, here you have a
number of options:
- or, impersonate a power user (using your web config file, or in code), - or, run this from a server type COM+ application, using a power user's identity.
I would also suggest to use the System.DirectoryServices namespace (and add

a reference to Activeds.tlb) instead of WMI to manage FS ACL's, that way you don't have to add System.Management stuff to your code, and you don't have to care about WMI security settings.
Willy.

"Ben Dewey" <bd******@hotmail.com> wrote in message
news:a7***********************@posting.google.com. ..

Project:
----------------------------

I am creating a HTTPS File Transfer App using ASP.NET and C#. I am
utilizing ActiveDirectory and windows security to manage the
permissions. Why reinvent the wheel, right? Everything so far is
working well with the Active Directory. The problem I am having is
with adding File Permissions to a directory. I am currently using
some code courtesy of "Willy Denoyette [MVP]"

Problem:
----------------------------

When I try to add user permissions to a specific folder using the same
code in a sample console app it works correctly. When I execute the
code from ASP.NET I get a return code of 1307, everytime.

Which means - 1307 This security ID may not be assigned as the owner
of this object.
(http://www.hiteksoftware.com/mize/Kn...icles/049.htm).

Can anyone tell me why this is happening? Willy?

Environment:
----------------------------

I am developing with Framework 1.1 and Windows XP. The users are
coming from AD on a Windows 2003 Server.

I have given ASPNET object full access to the folder C:\test. I have
also give ASPNET object full access to Root/CIMV2 in
CompMgmt.msc/Services and Apps/WMI Control

Code:
----------------------------
The DsSettings Object is just a simple class tht contains the Login
and Path information for LDAP.
public bool GrantPermission(string username, string domain, DsSettings
settings)
{
try
{

byte[] bSid = (byte[])DsWrapper.GetUser(username,
settings).DsEntry.Properties["objectSID"].Value;
ManagementObject LogicalFileSecuritySetting = new
ManagementObject( new ManagementPath(
@"ROOT\CIMV2:Win32_LogicalFileSecuritySetting.Path ='c:\\test'") );
ManagementBaseObject outParams;
outParams =
LogicalFileSecuritySetting.InvokeMethod("GetSecuri tyDescriptor",
null, null);

ManagementBaseObject Descriptor =
((ManagementBaseObject)(outParams.Properties["Descriptor"].Value));
ManagementBaseObject[] DACLObject = ( ( ManagementBaseObject[] )(
Descriptor.Properties["DACL"].Value ) );

ManagementObject newTrusteeUser = ( new ManagementClass(
@"ROOT\CIMV2:Win32_Trustee" ) ).CreateInstance();
newTrusteeUser["Domain"] = domain;
newTrusteeUser["Name"] = username;
newTrusteeUser["SID"] = bSid;

ManagementObject newACEUser = ( new ManagementClass(
@"ROOT\CIMV2:Win32_Ace" ) ).CreateInstance();
newACEUser["Trustee"] = newTrusteeUser;
newACEUser["AceFlags"] = 3;
newACEUser["AceType"] = 0;
newACEUser["AccessMask"] = 2032127;// Full Access Mask
ManagementBaseObject[] DACLObjectNew = new ManagementBaseObject[]
{newACEUser};
Descriptor.Properties["DACL"].Value = DACLObjectNew;
ManagementBaseObject inParams = null;
inParams =
LogicalFileSecuritySetting.GetMethodParameters("Se tSecurityDescriptor"); inParams["Descriptor"] = Descriptor;
outParams =
LogicalFileSecuritySetting.InvokeMethod("SetSecuri tyDescriptor",
inParams, null);

// This line is where I get a result back of 1307 in ASP.NET
uint result= (uint)(outParams.Properties["ReturnValue"].Value);

LogicalFileSecuritySetting.Dispose();
return true;
}
catch(Exception exp)
{
throw exp;
}
}
Logs:
----------------------------
C:\WINDOWS\system32\WBEM\Logs\Framework.log
----------------------------
Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:06.093 thread:1916

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179 ] Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:06.203 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163 ] Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:06.203 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179 ] Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:07.968 thread:1916
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163 ] Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:07.984 thread:1916
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179 ] Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:07.984 thread:1916
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163 ] Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:08.000 thread:1916
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179 ] Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:08.093 thread:1916
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163 ] Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:08.093 thread:1916
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179 ] Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:08.203 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163 ] Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:08.203 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179 ] Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:08.218 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163 ] Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:08.218 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179 ] Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:08.312 thread:2540
[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163 ] Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:08.312 thread:2540

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179 ]

Check 'em out

http://msdn.microsoft.com/library/de...ersonation.asp http://msdn.microsoft.com/library/de...SecNetAP05.asp http://msdn.microsoft.com/library/de...itysection.asp

"Ben Dewey" <be*******@scientiae.com> wrote in message
news:Ob**************@TK2MSFTNGP12.phx.gbl...

Willy,

How do I set up the impersonation through web.config?

I tried using this code below, but I kept getting a "The security ID
structure is invalid." error. Is this what you were talking about doing?

Also, have you ever heard of the Microsoft.Win32.Security Namespace

(http://www.gotdotnet.com/Community/U...ampleGuid=e609

8575-dda0-48b8-9abf-e0705af065d9). I was playing around with that a

little

bit and it seemed to work. Are there any issues with using this

namespace?

Code:
--------------------------------------
ADsSecurityUtilityClass secuUtil = new ADsSecurityUtilityClass();
object secuDesc = secuUtil.GetSecurityDescriptor(
this.FolderName,
(int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
(int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID );
if (secuDesc != null)
{
// Since we asked for ADS_SD_FORMAT_IID format, that means the returned
// object is IADsSecurityDescriptor. So we can use the methods on this
// object to get more information about the secutity descrptor.
ActiveDs.IADsSecurityDescriptor folderSD =

(IADsSecurityDescriptor)secuDesc;

AccessControlEntry newAce = new AccessControlEntryClass();
ActiveDs.IADsAccessControlList folderAcl =
(ActiveDs.IADsAccessControlList)folderSD.Discretio naryAcl;

newAce.AceType =

(int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ ALLOWED;

switch (permissionType)
{
case DsPermissionTypes.Read:
newAce.AccessMask = DsPermissions.FILE_LIST_DIRECTORY;
break;
case DsPermissionTypes.Write:
newAce.AccessMask = DsPermissions.FILE_ADD_FILE |
DsPermissions.FILE_ADD_SUBDIRECTORY;
break;
case DsPermissionTypes.Delete:
newAce.AccessMask = DsPermissions.FILE_DELETE_CHILD |
DsPermissions.FILE_TRAVERSE;
break;
case DsPermissionTypes.ChangePermissions:
newAce.AccessMask = DsPermissions.WRITE_DAC |
DsPermissions.READ_CONTROL;
break;
}

newAce.AceFlags=(int)ActiveDs.ADS_ACEFLAG_ENUM.ADS _ACEFLAG_INHERIT_ACE;
newAce.Flags=(int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_F LAG_OBJECT_TYPE_PRESENT | (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_INHERITED _OBJECT_TYPE_PRESENT;
newAce.AceType = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
newAce.Trustee = @"bdewey";
newAce.AccessMask = -1;

string trustee = (domain==null)?username:domain + @"\" + username;
newAce.Trustee = trustee;

folderAcl.AddAce(newAce);
folderSD.DiscretionaryAcl = folderAcl;

secuUtil.SetSecurityDescriptor(this.FolderName,
(int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
folderSD,
(int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID );
}

"Willy Denoyette [MVP]" <wi*************@pandora.be> wrote in message
news:e0**************@tk2msftngp13.phx.gbl...

Ben,

Your code run's as "ASPNET" and uses ASPNET's access token when connecting to WMI, however, ASPNET has no privileges to change the filesystem object ACL's.
So you need to run this code with elevated privileges, here you have a
number of options:
- or, impersonate a power user (using your web config file, or in code), - or, run this from a server type COM+ application, using a power user's identity.
I would also suggest to use the System.DirectoryServices namespace (and add

a reference to Activeds.tlb) instead of WMI to manage FS ACL's, that way you don't have to add System.Management stuff to your code, and you don't have to care about WMI security settings.
Willy.

"Ben Dewey" <bd******@hotmail.com> wrote in message
news:a7***********************@posting.google.com. ..
> Project:
> ----------------------------
>
> I am creating a HTTPS File Transfer App using ASP.NET and C#. I am
> utilizing ActiveDirectory and windows security to manage the
> permissions. Why reinvent the wheel, right? Everything so far is
> working well with the Active Directory. The problem I am having is
> with adding File Permissions to a directory. I am currently using
> some code courtesy of "Willy Denoyette [MVP]"
>
> Problem:
> ----------------------------
>
> When I try to add user permissions to a specific folder using the

same > code in a sample console app it works correctly. When I execute the
> code from ASP.NET I get a return code of 1307, everytime.
>
> Which means - 1307 This security ID may not be assigned as the owner
> of this object.
> (http://www.hiteksoftware.com/mize/Kn...icles/049.htm).
>
> Can anyone tell me why this is happening? Willy?
>
> Environment:
> ----------------------------
>
> I am developing with Framework 1.1 and Windows XP. The users are
> coming from AD on a Windows 2003 Server.
>
> I have given ASPNET object full access to the folder C:\test. I have > also give ASPNET object full access to Root/CIMV2 in
> CompMgmt.msc/Services and Apps/WMI Control
>
> Code:
> ----------------------------
> The DsSettings Object is just a simple class tht contains the Login
> and Path information for LDAP.
>
>
> public bool GrantPermission(string username, string domain, DsSettings > settings)
> {
> try
> {
>
> byte[] bSid = (byte[])DsWrapper.GetUser(username,
> settings).DsEntry.Properties["objectSID"].Value;
> ManagementObject LogicalFileSecuritySetting = new
> ManagementObject( new ManagementPath(
> @"ROOT\CIMV2:Win32_LogicalFileSecuritySetting.Path ='c:\\test'") );
> ManagementBaseObject outParams;
> outParams =
> LogicalFileSecuritySetting.InvokeMethod("GetSecuri tyDescriptor",
> null, null);
>
> ManagementBaseObject Descriptor =
> ((ManagementBaseObject)(outParams.Properties["Descriptor"].Value));
> ManagementBaseObject[] DACLObject = ( ( ManagementBaseObject[] )(
> Descriptor.Properties["DACL"].Value ) );
>
> ManagementObject newTrusteeUser = ( new ManagementClass(
> @"ROOT\CIMV2:Win32_Trustee" ) ).CreateInstance();
> newTrusteeUser["Domain"] = domain;
> newTrusteeUser["Name"] = username;
> newTrusteeUser["SID"] = bSid;
>
> ManagementObject newACEUser = ( new ManagementClass(
> @"ROOT\CIMV2:Win32_Ace" ) ).CreateInstance();
> newACEUser["Trustee"] = newTrusteeUser;
> newACEUser["AceFlags"] = 3;
> newACEUser["AceType"] = 0;
> newACEUser["AccessMask"] = 2032127;// Full Access Mask
> ManagementBaseObject[] DACLObjectNew = new ManagementBaseObject[]
> {newACEUser};
> Descriptor.Properties["DACL"].Value = DACLObjectNew;
> ManagementBaseObject inParams = null;
> inParams =
> LogicalFileSecuritySetting.GetMethodParameters("Se tSecurityDescriptor"); > inParams["Descriptor"] = Descriptor;
> outParams =
> LogicalFileSecuritySetting.InvokeMethod("SetSecuri tyDescriptor",
> inParams, null);
>
> // This line is where I get a result back of 1307 in ASP.NET
> uint result= (uint)(outParams.Properties["ReturnValue"].Value);
>
> LogicalFileSecuritySetting.Dispose();
> return true;
> }
> catch(Exception exp)
> {
> throw exp;
> }
> }
>
>
> Logs:
> ----------------------------
> C:\WINDOWS\system32\WBEM\Logs\Framework.log
> ----------------------------
> Unable to locate Shell Process, Impersonation failed. 05/06/2004
> 09:39:06.093 thread:1916
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179 ]

> Shell Name Explorer.exe in Registry not found in process
> list. 05/06/2004 09:39:06.203 thread:2540
>

]

> Unable to locate Shell Process, Impersonation failed. 05/06/2004
> 09:39:06.203 thread:2540
>

]

> Shell Name Explorer.exe in Registry not found in process
> list. 05/06/2004 09:39:07.968 thread:1916
>

]

> Unable to locate Shell Process, Impersonation failed. 05/06/2004
> 09:39:07.984 thread:1916
>

]

> Shell Name Explorer.exe in Registry not found in process
> list. 05/06/2004 09:39:07.984 thread:1916
>

]

> Unable to locate Shell Process, Impersonation failed. 05/06/2004
> 09:39:08.000 thread:1916
>

]

> Shell Name Explorer.exe in Registry not found in process
> list. 05/06/2004 09:39:08.093 thread:1916
>

]

> Unable to locate Shell Process, Impersonation failed. 05/06/2004
> 09:39:08.093 thread:1916
>

]

> Shell Name Explorer.exe in Registry not found in process
> list. 05/06/2004 09:39:08.203 thread:2540
>

]

> Unable to locate Shell Process, Impersonation failed. 05/06/2004
> 09:39:08.203 thread:2540
>

]

> Shell Name Explorer.exe in Registry not found in process
> list. 05/06/2004 09:39:08.218 thread:2540
>

]

> Unable to locate Shell Process, Impersonation failed. 05/06/2004
> 09:39:08.218 thread:2540
>

]

> Shell Name Explorer.exe in Registry not found in process
> list. 05/06/2004 09:39:08.312 thread:2540
>

]

> Unable to locate Shell Process, Impersonation failed. 05/06/2004
> 09:39:08.312 thread:2540
>

]

Thanks alot guys it worked. I set up to impersonate the admin account and
this code works now. Thanks.
"Andy Gaskell" <pubb AT hotmail DOT com> wrote in message
news:eO**************@TK2MSFTNGP09.phx.gbl...

Check 'em out

"Ben Dewey" <be*******@scientiae.com> wrote in message
news:Ob**************@TK2MSFTNGP12.phx.gbl...

Willy,

How do I set up the impersonation through web.config?

I tried using this code below, but I kept getting a "The security ID
structure is invalid." error. Is this what you were talking about doing?
Also, have you ever heard of the Microsoft.Win32.Security Namespace

8575-dda0-48b8-9abf-e0705af065d9). I was playing around with that a

little

bit and it seemed to work. Are there any issues with using this

namespace?

Code:
--------------------------------------
ADsSecurityUtilityClass secuUtil = new ADsSecurityUtilityClass();
object secuDesc = secuUtil.GetSecurityDescriptor(
this.FolderName,
(int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
(int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID );
if (secuDesc != null)
{
// Since we asked for ADS_SD_FORMAT_IID format, that means the returned // object is IADsSecurityDescriptor. So we can use the methods on this
// object to get more information about the secutity descrptor.
ActiveDs.IADsSecurityDescriptor folderSD =

(IADsSecurityDescriptor)secuDesc;

AccessControlEntry newAce = new AccessControlEntryClass();
ActiveDs.IADsAccessControlList folderAcl =
(ActiveDs.IADsAccessControlList)folderSD.Discretio naryAcl;

newAce.AceType =

(int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ ALLOWED;

switch (permissionType)
{
case DsPermissionTypes.Read:
newAce.AccessMask = DsPermissions.FILE_LIST_DIRECTORY;
break;
case DsPermissionTypes.Write:
newAce.AccessMask = DsPermissions.FILE_ADD_FILE |
DsPermissions.FILE_ADD_SUBDIRECTORY;
break;
case DsPermissionTypes.Delete:
newAce.AccessMask = DsPermissions.FILE_DELETE_CHILD |
DsPermissions.FILE_TRAVERSE;
break;
case DsPermissionTypes.ChangePermissions:
newAce.AccessMask = DsPermissions.WRITE_DAC |
DsPermissions.READ_CONTROL;
break;
}

newAce.AceFlags=(int)ActiveDs.ADS_ACEFLAG_ENUM.ADS _ACEFLAG_INHERIT_ACE; newAce.Flags=(int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_F LAG_OBJECT_TYPE_PRESENT | (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_INHERITED _OBJECT_TYPE_PRESENT;
newAce.AceType = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
newAce.Trustee = @"bdewey";
newAce.AccessMask = -1;

string trustee = (domain==null)?username:domain + @"\" + username;
newAce.Trustee = trustee;

folderAcl.AddAce(newAce);
folderSD.DiscretionaryAcl = folderAcl;

secuUtil.SetSecurityDescriptor(this.FolderName,
(int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
folderSD,
(int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID );
}

"Willy Denoyette [MVP]" <wi*************@pandora.be> wrote in message
news:e0**************@tk2msftngp13.phx.gbl...
> Ben,
>
> Your code run's as "ASPNET" and uses ASPNET's access token when

connecting

> to WMI, however, ASPNET has no privileges to change the filesystem

object

> ACL's.
> So you need to run this code with elevated privileges, here you have a > number of options:
> - or, impersonate a power user (using your web config file, or in

code),

> - or, run this from a server type COM+ application, using a power

user's

> identity.
> I would also suggest to use the System.DirectoryServices namespace (and add
> a reference to Activeds.tlb) instead of WMI to manage FS ACL's, that

way

> you don't have to add System.Management stuff to your code, and you

don't

> have to care about WMI security settings.
>
>
> Willy.
>
> "Ben Dewey" <bd******@hotmail.com> wrote in message
> news:a7***********************@posting.google.com. ..
> > Project:
> > ----------------------------
> >
> > I am creating a HTTPS File Transfer App using ASP.NET and C#. I

am > > utilizing ActiveDirectory and windows security to manage the
> > permissions. Why reinvent the wheel, right? Everything so far is
> > working well with the Active Directory. The problem I am having is > > with adding File Permissions to a directory. I am currently using
> > some code courtesy of "Willy Denoyette [MVP]"
> >
> > Problem:
> > ----------------------------
> >
> > When I try to add user permissions to a specific folder using the

same > > code in a sample console app it works correctly. When I execute the > > code from ASP.NET I get a return code of 1307, everytime.
> >
> > Which means - 1307 This security ID may not be assigned as the owner > > of this object.
> > (http://www.hiteksoftware.com/mize/Kn...icles/049.htm).
> >
> > Can anyone tell me why this is happening? Willy?
> >
> > Environment:
> > ----------------------------
> >
> > I am developing with Framework 1.1 and Windows XP. The users are
> > coming from AD on a Windows 2003 Server.
> >
> > I have given ASPNET object full access to the folder C:\test. I have > > also give ASPNET object full access to Root/CIMV2 in
> > CompMgmt.msc/Services and Apps/WMI Control
> >
> > Code:
> > ----------------------------
> > The DsSettings Object is just a simple class tht contains the Login > > and Path information for LDAP.
> >
> >
> > public bool GrantPermission(string username, string domain, DsSettings > > settings)
> > {
> > try
> > {
> >
> > byte[] bSid = (byte[])DsWrapper.GetUser(username,
> > settings).DsEntry.Properties["objectSID"].Value;
> > ManagementObject LogicalFileSecuritySetting = new
> > ManagementObject( new ManagementPath(
> > @"ROOT\CIMV2:Win32_LogicalFileSecuritySetting.Path ='c:\\test'") );
> > ManagementBaseObject outParams;
> > outParams =
> > LogicalFileSecuritySetting.InvokeMethod("GetSecuri tyDescriptor",
> > null, null);
> >
> > ManagementBaseObject Descriptor =
> > ((ManagementBaseObject)(outParams.Properties["Descriptor"].Value)); > > ManagementBaseObject[] DACLObject = ( ( ManagementBaseObject[] )(
> > Descriptor.Properties["DACL"].Value ) );
> >
> > ManagementObject newTrusteeUser = ( new ManagementClass(
> > @"ROOT\CIMV2:Win32_Trustee" ) ).CreateInstance();
> > newTrusteeUser["Domain"] = domain;
> > newTrusteeUser["Name"] = username;
> > newTrusteeUser["SID"] = bSid;
> >
> > ManagementObject newACEUser = ( new ManagementClass(
> > @"ROOT\CIMV2:Win32_Ace" ) ).CreateInstance();
> > newACEUser["Trustee"] = newTrusteeUser;
> > newACEUser["AceFlags"] = 3;
> > newACEUser["AceType"] = 0;
> > newACEUser["AccessMask"] = 2032127;// Full Access Mask
> > ManagementBaseObject[] DACLObjectNew = new ManagementBaseObject[]
> > {newACEUser};
> > Descriptor.Properties["DACL"].Value = DACLObjectNew;
> > ManagementBaseObject inParams = null;
> > inParams =
> >

LogicalFileSecuritySetting.GetMethodParameters("Se tSecurityDescriptor");

> > inParams["Descriptor"] = Descriptor;
> > outParams =
> > LogicalFileSecuritySetting.InvokeMethod("SetSecuri tyDescriptor",
> > inParams, null);
> >
> > // This line is where I get a result back of 1307 in ASP.NET
> > uint result= (uint)(outParams.Properties["ReturnValue"].Value);
> >
> > LogicalFileSecuritySetting.Dispose();
> > return true;
> > }
> > catch(Exception exp)
> > {
> > throw exp;
> > }
> > }
> >
> >
> > Logs:
> > ----------------------------
> > C:\WINDOWS\system32\WBEM\Logs\Framework.log
> > ----------------------------
> > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > 09:39:06.093 thread:1916
> >

]
> > Shell Name Explorer.exe in Registry not found in process
> > list. 05/06/2004 09:39:06.203 thread:2540
> >

]
> > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > 09:39:06.203 thread:2540
> >

]
> > Shell Name Explorer.exe in Registry not found in process
> > list. 05/06/2004 09:39:07.968 thread:1916
> >

]
> > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > 09:39:07.984 thread:1916
> >

]
> > Shell Name Explorer.exe in Registry not found in process
> > list. 05/06/2004 09:39:07.984 thread:1916
> >

]
> > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > 09:39:08.000 thread:1916
> >

]
> > Shell Name Explorer.exe in Registry not found in process
> > list. 05/06/2004 09:39:08.093 thread:1916
> >

]
> > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > 09:39:08.093 thread:1916
> >

]
> > Shell Name Explorer.exe in Registry not found in process
> > list. 05/06/2004 09:39:08.203 thread:2540
> >

]
> > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > 09:39:08.203 thread:2540
> >

]
> > Shell Name Explorer.exe in Registry not found in process
> > list. 05/06/2004 09:39:08.218 thread:2540
> >

]
> > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > 09:39:08.218 thread:2540
> >

]
> > Shell Name Explorer.exe in Registry not found in process
> > list. 05/06/2004 09:39:08.312 thread:2540
> >

]
> > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > 09:39:08.312 thread:2540
> >

]
>
>

One more question in regards to this. I was able to add a permission.
Now,
what is the best way to go about revoking permissions? Is there away to
Find the AceEntry then get the Mask and do a
Mask ! GENERIC_WRITE.

Is there a logical operator to remove a flag?

If this is not possible I am was thinking about
1. Finding the AceEntry
2. Saving it to a variable.
3. Removing the Entry
4. Recreating the Entry with the active permissions still available
5. Adding the AceEntry back.

Is this good?
"Ben Dewey" <be*******@scientiae.com> wrote in message
news:O8*************@tk2msftngp13.phx.gbl...

Thanks alot guys it worked. I set up to impersonate the admin account
and
this code works now. Thanks.
"Andy Gaskell" <pubb AT hotmail DOT com> wrote in message
news:eO**************@TK2MSFTNGP09.phx.gbl...

> Check 'em out
>
>

http://msdn.microsoft.com/library/de...ersonation.asp

>

http://msdn.microsoft.com/library/de...SecNetAP05.asp

>

http://msdn.microsoft.com/library/de...itysection.asp

>
>
> "Ben Dewey" <be*******@scientiae.com> wrote in message
> news:Ob**************@TK2MSFTNGP12.phx.gbl...
> > Willy,
> >
> > How do I set up the impersonation through web.config?
> >
> > I tried using this code below, but I kept getting a "The security ID
> > structure is invalid." error. Is this what you were talking about

doing?

> >
> > Also, have you ever heard of the Microsoft.Win32.Security Namespace
> >
>

(http://www.gotdotnet.com/Community/U...ampleGuid=e609

> > 8575-dda0-48b8-9abf-e0705af065d9). I was playing around with that a
> little
> > bit and it seemed to work. Are there any issues with using this
> namespace?
> >
> >
> > Code:
> > --------------------------------------
> > ADsSecurityUtilityClass secuUtil = new ADsSecurityUtilityClass();
> > object secuDesc = secuUtil.GetSecurityDescriptor(
> > this.FolderName,
> > (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
> > (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID );
> > if (secuDesc != null)
> > {
> > // Since we asked for ADS_SD_FORMAT_IID format, that means the returned > > // object is IADsSecurityDescriptor. So we can use the methods on
> > this
> > // object to get more information about the secutity descrptor.
> > ActiveDs.IADsSecurityDescriptor folderSD =
> (IADsSecurityDescriptor)secuDesc;
> >
> > AccessControlEntry newAce = new AccessControlEntryClass();
> > ActiveDs.IADsAccessControlList folderAcl =
> > (ActiveDs.IADsAccessControlList)folderSD.Discretio naryAcl;
> >
> > newAce.AceType =
> (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ ALLOWED;
> > switch (permissionType)
> > {
> > case DsPermissionTypes.Read:
> > newAce.AccessMask = DsPermissions.FILE_LIST_DIRECTORY;
> > break;
> > case DsPermissionTypes.Write:
> > newAce.AccessMask = DsPermissions.FILE_ADD_FILE |
> > DsPermissions.FILE_ADD_SUBDIRECTORY;
> > break;
> > case DsPermissionTypes.Delete:
> > newAce.AccessMask = DsPermissions.FILE_DELETE_CHILD |
> > DsPermissions.FILE_TRAVERSE;
> > break;
> > case DsPermissionTypes.ChangePermissions:
> > newAce.AccessMask = DsPermissions.WRITE_DAC |
> > DsPermissions.READ_CONTROL;
> > break;
> > }
> >
> > newAce.AceFlags=(int)ActiveDs.ADS_ACEFLAG_ENUM.ADS _ACEFLAG_INHERIT_ACE; > >

newAce.Flags=(int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_F LAG_OBJECT_TYPE_PRESENT

> > |

(int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_INHERITED _OBJECT_TYPE_PRESENT;

> >
> > newAce.AceType = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
> > newAce.Trustee = @"bdewey";
> > newAce.AccessMask = -1;
> >
> > string trustee = (domain==null)?username:domain + @"\" + username;
> > newAce.Trustee = trustee;
> >
> > folderAcl.AddAce(newAce);
> > folderSD.DiscretionaryAcl = folderAcl;
> >
> > secuUtil.SetSecurityDescriptor(this.FolderName,
> > (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
> > folderSD,
> > (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID );
> > }
> >
> > "Willy Denoyette [MVP]" <wi*************@pandora.be> wrote in message
> > news:e0**************@tk2msftngp13.phx.gbl...
> > > Ben,
> > >
> > > Your code run's as "ASPNET" and uses ASPNET's access token when
> connecting
> > > to WMI, however, ASPNET has no privileges to change the filesystem
> object
> > > ACL's.
> > > So you need to run this code with elevated privileges, here you
> > > have a > > > number of options:
> > > - or, impersonate a power user (using your web config file, or in
> code),
> > > - or, run this from a server type COM+ application, using a power
> user's
> > > identity.
> > > I would also suggest to use the System.DirectoryServices namespace

(and

> > add
> > > a reference to Activeds.tlb) instead of WMI to manage FS ACL's, that > way
> > > you don't have to add System.Management stuff to your code, and you
> don't
> > > have to care about WMI security settings.
> > >
> > >
> > > Willy.
> > >
> > > "Ben Dewey" <bd******@hotmail.com> wrote in message
> > > news:a7***********************@posting.google.com. ..
> > > > Project:
> > > > ----------------------------
> > > >
> > > > I am creating a HTTPS File Transfer App using ASP.NET and C#. I am > > > > utilizing ActiveDirectory and windows security to manage the
> > > > permissions. Why reinvent the wheel, right? Everything so far
> > > > is
> > > > working well with the Active Directory. The problem I am having is > > > > with adding File Permissions to a directory. I am currently
> > > > using
> > > > some code courtesy of "Willy Denoyette [MVP]"
> > > >
> > > > Problem:
> > > > ----------------------------
> > > >
> > > > When I try to add user permissions to a specific folder using the

same

> > > > code in a sample console app it works correctly. When I execute the > > > > code from ASP.NET I get a return code of 1307, everytime.
> > > >
> > > > Which means - 1307 This security ID may not be assigned as the owner > > > > of this object.
> > > > (http://www.hiteksoftware.com/mize/Kn...icles/049.htm).
> > > >
> > > > Can anyone tell me why this is happening? Willy?
> > > >
> > > > Environment:
> > > > ----------------------------
> > > >
> > > > I am developing with Framework 1.1 and Windows XP. The users are
> > > > coming from AD on a Windows 2003 Server.
> > > >
> > > > I have given ASPNET object full access to the folder C:\test. I

have

> > > > also give ASPNET object full access to Root/CIMV2 in
> > > > CompMgmt.msc/Services and Apps/WMI Control
> > > >
> > > > Code:
> > > > ----------------------------
> > > > The DsSettings Object is just a simple class tht contains the Login > > > > and Path information for LDAP.
> > > >
> > > >
> > > > public bool GrantPermission(string username, string domain,

DsSettings

> > > > settings)
> > > > {
> > > > try
> > > > {
> > > >
> > > > byte[] bSid = (byte[])DsWrapper.GetUser(username,
> > > > settings).DsEntry.Properties["objectSID"].Value;
> > > > ManagementObject LogicalFileSecuritySetting = new
> > > > ManagementObject( new ManagementPath(
> > > > @"ROOT\CIMV2:Win32_LogicalFileSecuritySetting.Path ='c:\\test'") );
> > > > ManagementBaseObject outParams;
> > > > outParams =
> > > > LogicalFileSecuritySetting.InvokeMethod("GetSecuri tyDescriptor",
> > > > null, null);
> > > >
> > > > ManagementBaseObject Descriptor =
> > > > ((ManagementBaseObject)(outParams.Properties["Descriptor"].Value)); > > > > ManagementBaseObject[] DACLObject = ( ( ManagementBaseObject[] )(
> > > > Descriptor.Properties["DACL"].Value ) );
> > > >
> > > > ManagementObject newTrusteeUser = ( new ManagementClass(
> > > > @"ROOT\CIMV2:Win32_Trustee" ) ).CreateInstance();
> > > > newTrusteeUser["Domain"] = domain;
> > > > newTrusteeUser["Name"] = username;
> > > > newTrusteeUser["SID"] = bSid;
> > > >
> > > > ManagementObject newACEUser = ( new ManagementClass(
> > > > @"ROOT\CIMV2:Win32_Ace" ) ).CreateInstance();
> > > > newACEUser["Trustee"] = newTrusteeUser;
> > > > newACEUser["AceFlags"] = 3;
> > > > newACEUser["AceType"] = 0;
> > > > newACEUser["AccessMask"] = 2032127;// Full Access Mask
> > > > ManagementBaseObject[] DACLObjectNew = new ManagementBaseObject[]
> > > > {newACEUser};
> > > > Descriptor.Properties["DACL"].Value = DACLObjectNew;
> > > > ManagementBaseObject inParams = null;
> > > > inParams =
> > > >
> LogicalFileSecuritySetting.GetMethodParameters("Se tSecurityDescriptor");
> > > > inParams["Descriptor"] = Descriptor;
> > > > outParams =
> > > > LogicalFileSecuritySetting.InvokeMethod("SetSecuri tyDescriptor",
> > > > inParams, null);
> > > >
> > > > // This line is where I get a result back of 1307 in ASP.NET
> > > > uint result= (uint)(outParams.Properties["ReturnValue"].Value);
> > > >
> > > > LogicalFileSecuritySetting.Dispose();
> > > > return true;
> > > > }
> > > > catch(Exception exp)
> > > > {
> > > > throw exp;
> > > > }
> > > > }
> > > >
> > > >
> > > > Logs:
> > > > ----------------------------
> > > > C:\WINDOWS\system32\WBEM\Logs\Framework.log
> > > > ----------------------------
> > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > > > 09:39:06.093 thread:1916
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179

> > ]
> > > > Shell Name Explorer.exe in Registry not found in process
> > > > list. 05/06/2004 09:39:06.203 thread:2540
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163

> > ]
> > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > > > 09:39:06.203 thread:2540
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179

> > ]
> > > > Shell Name Explorer.exe in Registry not found in process
> > > > list. 05/06/2004 09:39:07.968 thread:1916
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163

> > ]
> > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > > > 09:39:07.984 thread:1916
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179

> > ]
> > > > Shell Name Explorer.exe in Registry not found in process
> > > > list. 05/06/2004 09:39:07.984 thread:1916
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163

> > ]
> > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > > > 09:39:08.000 thread:1916
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179

> > ]
> > > > Shell Name Explorer.exe in Registry not found in process
> > > > list. 05/06/2004 09:39:08.093 thread:1916
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163

> > ]
> > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > > > 09:39:08.093 thread:1916
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179

> > ]
> > > > Shell Name Explorer.exe in Registry not found in process
> > > > list. 05/06/2004 09:39:08.203 thread:2540
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163

> > ]
> > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > > > 09:39:08.203 thread:2540
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179

> > ]
> > > > Shell Name Explorer.exe in Registry not found in process
> > > > list. 05/06/2004 09:39:08.218 thread:2540
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163

> > ]
> > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > > > 09:39:08.218 thread:2540
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179

> > ]
> > > > Shell Name Explorer.exe in Registry not found in process
> > > > list. 05/06/2004 09:39:08.312 thread:2540
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163

> > ]
> > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > > > 09:39:08.312 thread:2540
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179

> > ]
> > >
> > >
> >
> >
>
>

One more question in regards to this. I was able to add a permission. Now, what is the best way to go about revoking permissions? Is there away to
Find the AceEntry then get the Mask and do a
Mask ! GENERIC_WRITE.

Is there a logical operator to remove a flag?

If this is not possible I am was thinking about
1. Finding the AceEntry
2. Saving it to a variable.
3. Removing the Entry
4. Recreating the Entry with the active permissions still available
5. Adding the AceEntry back.

Is this good?
"Ben Dewey" <be*******@scientiae.com> wrote in message
news:O8*************@tk2msftngp13.phx.gbl...

Thanks alot guys it worked. I set up to impersonate the admin account and

this code works now. Thanks.
"Andy Gaskell" <pubb AT hotmail DOT com> wrote in message
news:eO**************@TK2MSFTNGP09.phx.gbl...

Check 'em out

http://msdn.microsoft.com/library/de...ersonation.asp

http://msdn.microsoft.com/library/de...SecNetAP05.asp

http://msdn.microsoft.com/library/de...itysection.asp

"Ben Dewey" <be*******@scientiae.com> wrote in message
news:Ob**************@TK2MSFTNGP12.phx.gbl...
> Willy,
>
> How do I set up the impersonation through web.config?
>
> I tried using this code below, but I kept getting a "The security ID
> structure is invalid." error. Is this what you were talking about

doing?

>
> Also, have you ever heard of the Microsoft.Win32.Security Namespace
>

(http://www.gotdotnet.com/Community/U...ampleGuid=e609

> 8575-dda0-48b8-9abf-e0705af065d9). I was playing around with that a
little
> bit and it seemed to work. Are there any issues with using this
namespace?
>
>
> Code:
> --------------------------------------
> ADsSecurityUtilityClass secuUtil = new ADsSecurityUtilityClass();
> object secuDesc = secuUtil.GetSecurityDescriptor(
> this.FolderName,
> (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
> (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID );
> if (secuDesc != null)
> {
> // Since we asked for ADS_SD_FORMAT_IID format, that means the returned > // object is IADsSecurityDescriptor. So we can use the methods on this > // object to get more information about the secutity descrptor.
> ActiveDs.IADsSecurityDescriptor folderSD =
(IADsSecurityDescriptor)secuDesc;
>
> AccessControlEntry newAce = new AccessControlEntryClass();
> ActiveDs.IADsAccessControlList folderAcl =
> (ActiveDs.IADsAccessControlList)folderSD.Discretio naryAcl;
>
> newAce.AceType =
(int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ ALLOWED;
> switch (permissionType)
> {
> case DsPermissionTypes.Read:
> newAce.AccessMask = DsPermissions.FILE_LIST_DIRECTORY;
> break;
> case DsPermissionTypes.Write:
> newAce.AccessMask = DsPermissions.FILE_ADD_FILE |
> DsPermissions.FILE_ADD_SUBDIRECTORY;
> break;
> case DsPermissionTypes.Delete:
> newAce.AccessMask = DsPermissions.FILE_DELETE_CHILD |
> DsPermissions.FILE_TRAVERSE;
> break;
> case DsPermissionTypes.ChangePermissions:
> newAce.AccessMask = DsPermissions.WRITE_DAC |
> DsPermissions.READ_CONTROL;
> break;
> }
>
> newAce.AceFlags=(int)ActiveDs.ADS_ACEFLAG_ENUM.ADS _ACEFLAG_INHERIT_ACE; >

newAce.Flags=(int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_F LAG_OBJECT_TYPE_PRESENT

> |

(int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_INHERITED _OBJECT_TYPE_PRESENT;

>
> newAce.AceType = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
> newAce.Trustee = @"bdewey";
> newAce.AccessMask = -1;
>
> string trustee = (domain==null)?username:domain + @"\" + username;
> newAce.Trustee = trustee;
>
> folderAcl.AddAce(newAce);
> folderSD.DiscretionaryAcl = folderAcl;
>
> secuUtil.SetSecurityDescriptor(this.FolderName,
> (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
> folderSD,
> (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID );
> }
>
> "Willy Denoyette [MVP]" <wi*************@pandora.be> wrote in message > news:e0**************@tk2msftngp13.phx.gbl...
> > Ben,
> >
> > Your code run's as "ASPNET" and uses ASPNET's access token when
connecting
> > to WMI, however, ASPNET has no privileges to change the filesystem
object
> > ACL's.
> > So you need to run this code with elevated privileges, here you have a

> > number of options:
> > - or, impersonate a power user (using your web config file, or in
code),
> > - or, run this from a server type COM+ application, using a power
user's
> > identity.
> > I would also suggest to use the System.DirectoryServices namespace

(and

> add
> > a reference to Activeds.tlb) instead of WMI to manage FS ACL's, that way
> > you don't have to add System.Management stuff to your code, and

you don't
> > have to care about WMI security settings.
> >
> >
> > Willy.
> >
> > "Ben Dewey" <bd******@hotmail.com> wrote in message
> > news:a7***********************@posting.google.com. ..
> > > Project:
> > > ----------------------------
> > >
> > > I am creating a HTTPS File Transfer App using ASP.NET and C#. I am > > > utilizing ActiveDirectory and windows security to manage the
> > > permissions. Why reinvent the wheel, right? Everything so far is > > > working well with the Active Directory. The problem I am having is > > > with adding File Permissions to a directory. I am currently using > > > some code courtesy of "Willy Denoyette [MVP]"
> > >
> > > Problem:
> > > ----------------------------
> > >
> > > When I try to add user permissions to a specific folder using the same

> > > code in a sample console app it works correctly. When I execute the > > > code from ASP.NET I get a return code of 1307, everytime.
> > >
> > > Which means - 1307 This security ID may not be assigned as the owner > > > of this object.
> > > (http://www.hiteksoftware.com/mize/Kn...icles/049.htm).
> > >
> > > Can anyone tell me why this is happening? Willy?
> > >
> > > Environment:
> > > ----------------------------
> > >
> > > I am developing with Framework 1.1 and Windows XP. The users

are > > > coming from AD on a Windows 2003 Server.
> > >
> > > I have given ASPNET object full access to the folder C:\test. I

have

> > > also give ASPNET object full access to Root/CIMV2 in
> > > CompMgmt.msc/Services and Apps/WMI Control
> > >
> > > Code:
> > > ----------------------------
> > > The DsSettings Object is just a simple class tht contains the

Login > > > and Path information for LDAP.
> > >
> > >
> > > public bool GrantPermission(string username, string domain,

DsSettings

> > > settings)
> > > {
> > > try
> > > {
> > >
> > > byte[] bSid = (byte[])DsWrapper.GetUser(username,
> > > settings).DsEntry.Properties["objectSID"].Value;
> > > ManagementObject LogicalFileSecuritySetting = new
> > > ManagementObject( new ManagementPath(
> > > @"ROOT\CIMV2:Win32_LogicalFileSecuritySetting.Path ='c:\\test'") ); > > > ManagementBaseObject outParams;
> > > outParams =
> > > LogicalFileSecuritySetting.InvokeMethod("GetSecuri tyDescriptor",
> > > null, null);
> > >
> > > ManagementBaseObject Descriptor =
> > > ((ManagementBaseObject)(outParams.Properties["Descriptor"].Value)); > > > ManagementBaseObject[] DACLObject = ( ( ManagementBaseObject[] )( > > > Descriptor.Properties["DACL"].Value ) );
> > >
> > > ManagementObject newTrusteeUser = ( new ManagementClass(
> > > @"ROOT\CIMV2:Win32_Trustee" ) ).CreateInstance();
> > > newTrusteeUser["Domain"] = domain;
> > > newTrusteeUser["Name"] = username;
> > > newTrusteeUser["SID"] = bSid;
> > >
> > > ManagementObject newACEUser = ( new ManagementClass(
> > > @"ROOT\CIMV2:Win32_Ace" ) ).CreateInstance();
> > > newACEUser["Trustee"] = newTrusteeUser;
> > > newACEUser["AceFlags"] = 3;
> > > newACEUser["AceType"] = 0;
> > > newACEUser["AccessMask"] = 2032127;// Full Access Mask
> > > ManagementBaseObject[] DACLObjectNew = new ManagementBaseObject[] > > > {newACEUser};
> > > Descriptor.Properties["DACL"].Value = DACLObjectNew;
> > > ManagementBaseObject inParams = null;
> > > inParams =
> > >
LogicalFileSecuritySetting.GetMethodParameters("Se tSecurityDescriptor"); > > > inParams["Descriptor"] = Descriptor;
> > > outParams =
> > > LogicalFileSecuritySetting.InvokeMethod("SetSecuri tyDescriptor",
> > > inParams, null);
> > >
> > > // This line is where I get a result back of 1307 in ASP.NET
> > > uint result= (uint)(outParams.Properties["ReturnValue"].Value);
> > >
> > > LogicalFileSecuritySetting.Dispose();
> > > return true;
> > > }
> > > catch(Exception exp)
> > > {
> > > throw exp;
> > > }
> > > }
> > >
> > >
> > > Logs:
> > > ----------------------------
> > > C:\WINDOWS\system32\WBEM\Logs\Framework.log
> > > ----------------------------
> > > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > > 09:39:06.093 thread:1916
> > >
>

> ]
> > > Shell Name Explorer.exe in Registry not found in process
> > > list. 05/06/2004 09:39:06.203 thread:2540
> > >
>

> ]
> > > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > > 09:39:06.203 thread:2540
> > >
>

> ]
> > > Shell Name Explorer.exe in Registry not found in process
> > > list. 05/06/2004 09:39:07.968 thread:1916
> > >
>

> ]
> > > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > > 09:39:07.984 thread:1916
> > >
>

> ]
> > > Shell Name Explorer.exe in Registry not found in process
> > > list. 05/06/2004 09:39:07.984 thread:1916
> > >
>

> ]
> > > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > > 09:39:08.000 thread:1916
> > >
>

> ]
> > > Shell Name Explorer.exe in Registry not found in process
> > > list. 05/06/2004 09:39:08.093 thread:1916
> > >
>

> ]
> > > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > > 09:39:08.093 thread:1916
> > >
>

> ]
> > > Shell Name Explorer.exe in Registry not found in process
> > > list. 05/06/2004 09:39:08.203 thread:2540
> > >
>

> ]
> > > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > > 09:39:08.203 thread:2540
> > >
>

> ]
> > > Shell Name Explorer.exe in Registry not found in process
> > > list. 05/06/2004 09:39:08.218 thread:2540
> > >
>

> ]
> > > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > > 09:39:08.218 thread:2540
> > >
>

> ]
> > > Shell Name Explorer.exe in Registry not found in process
> > > list. 05/06/2004 09:39:08.312 thread:2540
> > >
>

> ]
> > > Unable to locate Shell Process, Impersonation failed. 05/06/2004
> > > 09:39:08.312 thread:2540
> > >
>

> ]
> >
> >
>
>

You can simply use binary and unary operators to set un-set bits, like
this...

enum Access {
..
Delete = 0x00010000;
..

}

// Reset delete bit (if set), keep other bits set
ace.Properties["AccessMask"].Value = ace.Properties["AccessMask"].Value
&(~Access.Delete);

...

Willy.
"Ben Dewey" <be*******@scientiae.com> wrote in message
news:O8**************@TK2MSFTNGP09.phx.gbl...

One more question in regards to this. I was able to add a permission.
Now,
what is the best way to go about revoking permissions? Is there away to
Find the AceEntry then get the Mask and do a
Mask ! GENERIC_WRITE.

Is there a logical operator to remove a flag?

If this is not possible I am was thinking about
1. Finding the AceEntry
2. Saving it to a variable.
3. Removing the Entry
4. Recreating the Entry with the active permissions still available
5. Adding the AceEntry back.

Is this good?
"Ben Dewey" <be*******@scientiae.com> wrote in message
news:O8*************@tk2msftngp13.phx.gbl...

Thanks alot guys it worked. I set up to impersonate the admin account
and
this code works now. Thanks.
"Andy Gaskell" <pubb AT hotmail DOT com> wrote in message
news:eO**************@TK2MSFTNGP09.phx.gbl...
> Check 'em out
>
>

http://msdn.microsoft.com/library/de...ersonation.asp

>

http://msdn.microsoft.com/library/de...SecNetAP05.asp

>

http://msdn.microsoft.com/library/de.../en-us/cpgenre f/html/gngrfidentitysection.asp

>
>
> "Ben Dewey" <be*******@scientiae.com> wrote in message
> news:Ob**************@TK2MSFTNGP12.phx.gbl...
> > Willy,
> >
> > How do I set up the impersonation through web.config?
> >
> > I tried using this code below, but I kept getting a "The security ID > > structure is invalid." error. Is this what you were talking about
doing?
> >
> > Also, have you ever heard of the Microsoft.Win32.Security Namespace
> >
>

(http://www.gotdotnet.com/Community/U...ampleGuid=e609

> > 8575-dda0-48b8-9abf-e0705af065d9). I was playing around with that a > little
> > bit and it seemed to work. Are there any issues with using this
> namespace?
> >
> >
> > Code:
> > --------------------------------------
> > ADsSecurityUtilityClass secuUtil = new ADsSecurityUtilityClass();
> > object secuDesc = secuUtil.GetSecurityDescriptor(
> > this.FolderName,
> > (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
> > (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID );
> > if (secuDesc != null)
> > {
> > // Since we asked for ADS_SD_FORMAT_IID format, that means the

returned

> > // object is IADsSecurityDescriptor. So we can use the methods on
> > this
> > // object to get more information about the secutity descrptor.
> > ActiveDs.IADsSecurityDescriptor folderSD =
> (IADsSecurityDescriptor)secuDesc;
> >
> > AccessControlEntry newAce = new AccessControlEntryClass();
> > ActiveDs.IADsAccessControlList folderAcl =
> > (ActiveDs.IADsAccessControlList)folderSD.Discretio naryAcl;
> >
> > newAce.AceType =
> (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ ALLOWED;
> > switch (permissionType)
> > {
> > case DsPermissionTypes.Read:
> > newAce.AccessMask = DsPermissions.FILE_LIST_DIRECTORY;
> > break;
> > case DsPermissionTypes.Write:
> > newAce.AccessMask = DsPermissions.FILE_ADD_FILE |
> > DsPermissions.FILE_ADD_SUBDIRECTORY;
> > break;
> > case DsPermissionTypes.Delete:
> > newAce.AccessMask = DsPermissions.FILE_DELETE_CHILD |
> > DsPermissions.FILE_TRAVERSE;
> > break;
> > case DsPermissionTypes.ChangePermissions:
> > newAce.AccessMask = DsPermissions.WRITE_DAC |
> > DsPermissions.READ_CONTROL;
> > break;
> > }
> >
> >

newAce.AceFlags=(int)ActiveDs.ADS_ACEFLAG_ENUM.ADS _ACEFLAG_INHERIT_ACE;

> >
newAce.Flags=(int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_F LAG_OBJECT_TYPE_PRESENT > > |
(int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_INHERITED _OBJECT_TYPE_PRESENT;
> >
> > newAce.AceType = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
> > newAce.Trustee = @"bdewey";
> > newAce.AccessMask = -1;
> >
> > string trustee = (domain==null)?username:domain + @"\" + username;
> > newAce.Trustee = trustee;
> >
> > folderAcl.AddAce(newAce);
> > folderSD.DiscretionaryAcl = folderAcl;
> >
> > secuUtil.SetSecurityDescriptor(this.FolderName,
> > (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
> > folderSD,
> > (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID );
> > }
> >
> > "Willy Denoyette [MVP]" <wi*************@pandora.be> wrote in message > > news:e0**************@tk2msftngp13.phx.gbl...
> > > Ben,
> > >
> > > Your code run's as "ASPNET" and uses ASPNET's access token when
> connecting
> > > to WMI, however, ASPNET has no privileges to change the filesystem > object
> > > ACL's.
> > > So you need to run this code with elevated privileges, here you
> > > have

a

> > > number of options:
> > > - or, impersonate a power user (using your web config file, or in > code),
> > > - or, run this from a server type COM+ application, using a power > user's
> > > identity.
> > > I would also suggest to use the System.DirectoryServices namespace (and
> > add
> > > a reference to Activeds.tlb) instead of WMI to manage FS ACL's,

that

> way
> > > you don't have to add System.Management stuff to your code, and you > don't
> > > have to care about WMI security settings.
> > >
> > >
> > > Willy.
> > >
> > > "Ben Dewey" <bd******@hotmail.com> wrote in message
> > > news:a7***********************@posting.google.com. ..
> > > > Project:
> > > > ----------------------------
> > > >
> > > > I am creating a HTTPS File Transfer App using ASP.NET and C#. I

am

> > > > utilizing ActiveDirectory and windows security to manage the
> > > > permissions. Why reinvent the wheel, right? Everything so far
> > > > is
> > > > working well with the Active Directory. The problem I am

having

is

> > > > with adding File Permissions to a directory. I am currently
> > > > using
> > > > some code courtesy of "Willy Denoyette [MVP]"
> > > >
> > > > Problem:
> > > > ----------------------------
> > > >
> > > > When I try to add user permissions to a specific folder using

the same
> > > > code in a sample console app it works correctly. When I execute the

> > > > code from ASP.NET I get a return code of 1307, everytime.
> > > >
> > > > Which means - 1307 This security ID may not be assigned as the

owner

> > > > of this object.
> > > > (http://www.hiteksoftware.com/mize/Kn...icles/049.htm).
> > > >
> > > > Can anyone tell me why this is happening? Willy?
> > > >
> > > > Environment:
> > > > ----------------------------
> > > >
> > > > I am developing with Framework 1.1 and Windows XP. The users

are > > > > coming from AD on a Windows 2003 Server.
> > > >
> > > > I have given ASPNET object full access to the folder C:\test. I have
> > > > also give ASPNET object full access to Root/CIMV2 in
> > > > CompMgmt.msc/Services and Apps/WMI Control
> > > >
> > > > Code:
> > > > ----------------------------
> > > > The DsSettings Object is just a simple class tht contains the

Login

> > > > and Path information for LDAP.
> > > >
> > > >
> > > > public bool GrantPermission(string username, string domain,
DsSettings
> > > > settings)
> > > > {
> > > > try
> > > > {
> > > >
> > > > byte[] bSid = (byte[])DsWrapper.GetUser(username,
> > > > settings).DsEntry.Properties["objectSID"].Value;
> > > > ManagementObject LogicalFileSecuritySetting = new
> > > > ManagementObject( new ManagementPath(
> > > > @"ROOT\CIMV2:Win32_LogicalFileSecuritySetting.Path ='c:\\test'") ); > > > > ManagementBaseObject outParams;
> > > > outParams =
> > > > LogicalFileSecuritySetting.InvokeMethod("GetSecuri tyDescriptor", > > > > null, null);
> > > >
> > > > ManagementBaseObject Descriptor =
> > > >

((ManagementBaseObject)(outParams.Properties["Descriptor"].Value));

> > > > ManagementBaseObject[] DACLObject = ( ( ManagementBaseObject[] )( > > > > Descriptor.Properties["DACL"].Value ) );
> > > >
> > > > ManagementObject newTrusteeUser = ( new ManagementClass(
> > > > @"ROOT\CIMV2:Win32_Trustee" ) ).CreateInstance();
> > > > newTrusteeUser["Domain"] = domain;
> > > > newTrusteeUser["Name"] = username;
> > > > newTrusteeUser["SID"] = bSid;
> > > >
> > > > ManagementObject newACEUser = ( new ManagementClass(
> > > > @"ROOT\CIMV2:Win32_Ace" ) ).CreateInstance();
> > > > newACEUser["Trustee"] = newTrusteeUser;
> > > > newACEUser["AceFlags"] = 3;
> > > > newACEUser["AceType"] = 0;
> > > > newACEUser["AccessMask"] = 2032127;// Full Access Mask
> > > > ManagementBaseObject[] DACLObjectNew = new ManagementBaseObject[] > > > > {newACEUser};
> > > > Descriptor.Properties["DACL"].Value = DACLObjectNew;
> > > > ManagementBaseObject inParams = null;
> > > > inParams =
> > > >
> LogicalFileSecuritySetting.GetMethodParameters("Se tSecurityDescriptor"); > > > > inParams["Descriptor"] = Descriptor;
> > > > outParams =
> > > > LogicalFileSecuritySetting.InvokeMethod("SetSecuri tyDescriptor", > > > > inParams, null);
> > > >
> > > > // This line is where I get a result back of 1307 in ASP.NET
> > > > uint result= (uint)(outParams.Properties["ReturnValue"].Value);
> > > >
> > > > LogicalFileSecuritySetting.Dispose();
> > > > return true;
> > > > }
> > > > catch(Exception exp)
> > > > {
> > > > throw exp;
> > > > }
> > > > }
> > > >
> > > >
> > > > Logs:
> > > > ----------------------------
> > > > C:\WINDOWS\system32\WBEM\Logs\Framework.log
> > > > ----------------------------
> > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 > > > > 09:39:06.093 thread:1916
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179

> > ]
> > > > Shell Name Explorer.exe in Registry not found in process
> > > > list. 05/06/2004 09:39:06.203 thread:2540
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163

> > ]
> > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 > > > > 09:39:06.203 thread:2540
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179

> > ]
> > > > Shell Name Explorer.exe in Registry not found in process
> > > > list. 05/06/2004 09:39:07.968 thread:1916
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163

> > ]
> > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 > > > > 09:39:07.984 thread:1916
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179

> > ]
> > > > Shell Name Explorer.exe in Registry not found in process
> > > > list. 05/06/2004 09:39:07.984 thread:1916
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163

> > ]
> > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 > > > > 09:39:08.000 thread:1916
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179

> > ]
> > > > Shell Name Explorer.exe in Registry not found in process
> > > > list. 05/06/2004 09:39:08.093 thread:1916
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163

> > ]
> > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 > > > > 09:39:08.093 thread:1916
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179

> > ]
> > > > Shell Name Explorer.exe in Registry not found in process
> > > > list. 05/06/2004 09:39:08.203 thread:2540
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163

> > ]
> > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 > > > > 09:39:08.203 thread:2540
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179

> > ]
> > > > Shell Name Explorer.exe in Registry not found in process
> > > > list. 05/06/2004 09:39:08.218 thread:2540
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163

> > ]
> > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 > > > > 09:39:08.218 thread:2540
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179

> > ]
> > > > Shell Name Explorer.exe in Registry not found in process
> > > > list. 05/06/2004 09:39:08.312 thread:2540
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163

> > ]
> > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 > > > > 09:39:08.312 thread:2540
> > > >
> >
>

[d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179

> > ]
> > >
> > >
> >
> >
>
>

I am assuming that

["AccessMask"].Value & (~Access.Delete);
is the same as
["AccessMask"].Value ^ Access.Delete;

If so I got it right. see my other post.
"Willy Denoyette [MVP]" <wi*************@pandora.be> wrote in message
news:Oy**************@TK2MSFTNGP12.phx.gbl...

You can simply use binary and unary operators to set un-set bits, like
this...

enum Access {
..
Delete = 0x00010000;
..

}

// Reset delete bit (if set), keep other bits set
ace.Properties["AccessMask"].Value = ace.Properties["AccessMask"].Value
&(~Access.Delete);

...

Willy.
"Ben Dewey" <be*******@scientiae.com> wrote in message
news:O8**************@TK2MSFTNGP09.phx.gbl...

> One more question in regards to this. I was able to add a permission.
> Now,
> what is the best way to go about revoking permissions? Is there away
> to
> Find the AceEntry then get the Mask and do a
> Mask ! GENERIC_WRITE.
>
> Is there a logical operator to remove a flag?
>
> If this is not possible I am was thinking about
> 1. Finding the AceEntry
> 2. Saving it to a variable.
> 3. Removing the Entry
> 4. Recreating the Entry with the active permissions still available
> 5. Adding the AceEntry back.
>
> Is this good?
> "Ben Dewey" <be*******@scientiae.com> wrote in message
> news:O8*************@tk2msftngp13.phx.gbl...
>> Thanks alot guys it worked. I set up to impersonate the admin account
>> and
>> this code works now. Thanks.
>> "Andy Gaskell" <pubb AT hotmail DOT com> wrote in message
>> news:eO**************@TK2MSFTNGP09.phx.gbl...
>> > Check 'em out
>> >
>> >
>>
> http://msdn.microsoft.com/library/de...ersonation.asp >> >
>>
> http://msdn.microsoft.com/library/de...SecNetAP05.asp >> >
>>
> http://msdn.microsoft.com/library/de.../en-us/cpgenre f/html/gngrfidentitysection.asp >> >
>> >
>> > "Ben Dewey" <be*******@scientiae.com> wrote in message
>> > news:Ob**************@TK2MSFTNGP12.phx.gbl...
>> > > Willy,
>> > >
>> > > How do I set up the impersonation through web.config?
>> > >
>> > > I tried using this code below, but I kept getting a "The security ID >> > > structure is invalid." error. Is this what you were talking about
>> doing?
>> > >
>> > > Also, have you ever heard of the Microsoft.Win32.Security
>> > > Namespace
>> > >
>> >
>>
> (http://www.gotdotnet.com/Community/U...ampleGuid=e609 >> > > 8575-dda0-48b8-9abf-e0705af065d9). I was playing around with that a >> > little
>> > > bit and it seemed to work. Are there any issues with using this
>> > namespace?
>> > >
>> > >
>> > > Code:
>> > > --------------------------------------
>> > > ADsSecurityUtilityClass secuUtil = new ADsSecurityUtilityClass();
>> > > object secuDesc = secuUtil.GetSecurityDescriptor(
>> > > this.FolderName,
>> > > (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
>> > > (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID );
>> > > if (secuDesc != null)
>> > > {
>> > > // Since we asked for ADS_SD_FORMAT_IID format, that means the
> returned
>> > > // object is IADsSecurityDescriptor. So we can use the methods on
>> > > this
>> > > // object to get more information about the secutity descrptor.
>> > > ActiveDs.IADsSecurityDescriptor folderSD =
>> > (IADsSecurityDescriptor)secuDesc;
>> > >
>> > > AccessControlEntry newAce = new AccessControlEntryClass();
>> > > ActiveDs.IADsAccessControlList folderAcl =
>> > > (ActiveDs.IADsAccessControlList)folderSD.Discretio naryAcl;
>> > >
>> > > newAce.AceType =
>> > (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ ALLOWED;
>> > > switch (permissionType)
>> > > {
>> > > case DsPermissionTypes.Read:
>> > > newAce.AccessMask = DsPermissions.FILE_LIST_DIRECTORY;
>> > > break;
>> > > case DsPermissionTypes.Write:
>> > > newAce.AccessMask = DsPermissions.FILE_ADD_FILE |
>> > > DsPermissions.FILE_ADD_SUBDIRECTORY;
>> > > break;
>> > > case DsPermissionTypes.Delete:
>> > > newAce.AccessMask = DsPermissions.FILE_DELETE_CHILD |
>> > > DsPermissions.FILE_TRAVERSE;
>> > > break;
>> > > case DsPermissionTypes.ChangePermissions:
>> > > newAce.AccessMask = DsPermissions.WRITE_DAC |
>> > > DsPermissions.READ_CONTROL;
>> > > break;
>> > > }
>> > >
>> > >
> newAce.AceFlags=(int)ActiveDs.ADS_ACEFLAG_ENUM.ADS _ACEFLAG_INHERIT_ACE;
>> > >
>> newAce.Flags=(int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_F LAG_OBJECT_TYPE_PRESENT >> > > |
>> (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_INHERITED _OBJECT_TYPE_PRESENT;
>> > >
>> > > newAce.AceType = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
>> > > newAce.Trustee = @"bdewey";
>> > > newAce.AccessMask = -1;
>> > >
>> > > string trustee = (domain==null)?username:domain + @"\" + username;
>> > > newAce.Trustee = trustee;
>> > >
>> > > folderAcl.AddAce(newAce);
>> > > folderSD.DiscretionaryAcl = folderAcl;
>> > >
>> > > secuUtil.SetSecurityDescriptor(this.FolderName,
>> > > (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
>> > > folderSD,
>> > > (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID );
>> > > }
>> > >
>> > > "Willy Denoyette [MVP]" <wi*************@pandora.be> wrote in message >> > > news:e0**************@tk2msftngp13.phx.gbl...
>> > > > Ben,
>> > > >
>> > > > Your code run's as "ASPNET" and uses ASPNET's access token when
>> > connecting
>> > > > to WMI, however, ASPNET has no privileges to change the filesystem >> > object
>> > > > ACL's.
>> > > > So you need to run this code with elevated privileges, here you
>> > > > have
> a
>> > > > number of options:
>> > > > - or, impersonate a power user (using your web config file, or in >> > code),
>> > > > - or, run this from a server type COM+ application, using a power >> > user's
>> > > > identity.
>> > > > I would also suggest to use the System.DirectoryServices namespace >> (and
>> > > add
>> > > > a reference to Activeds.tlb) instead of WMI to manage FS ACL's,
> that
>> > way
>> > > > you don't have to add System.Management stuff to your code, and you >> > don't
>> > > > have to care about WMI security settings.
>> > > >
>> > > >
>> > > > Willy.
>> > > >
>> > > > "Ben Dewey" <bd******@hotmail.com> wrote in message
>> > > > news:a7***********************@posting.google.com. ..
>> > > > > Project:
>> > > > > ----------------------------
>> > > > >
>> > > > > I am creating a HTTPS File Transfer App using ASP.NET and C#. I > am
>> > > > > utilizing ActiveDirectory and windows security to manage the
>> > > > > permissions. Why reinvent the wheel, right? Everything so
>> > > > > far
>> > > > > is
>> > > > > working well with the Active Directory. The problem I am having > is
>> > > > > with adding File Permissions to a directory. I am currently
>> > > > > using
>> > > > > some code courtesy of "Willy Denoyette [MVP]"
>> > > > >
>> > > > > Problem:
>> > > > > ----------------------------
>> > > > >
>> > > > > When I try to add user permissions to a specific folder using the >> same
>> > > > > code in a sample console app it works correctly. When I execute > the
>> > > > > code from ASP.NET I get a return code of 1307, everytime.
>> > > > >
>> > > > > Which means - 1307 This security ID may not be assigned as the
> owner
>> > > > > of this object.
>> > > > > (http://www.hiteksoftware.com/mize/Kn...icles/049.htm).
>> > > > >
>> > > > > Can anyone tell me why this is happening? Willy?
>> > > > >
>> > > > > Environment:
>> > > > > ----------------------------
>> > > > >
>> > > > > I am developing with Framework 1.1 and Windows XP. The users are >> > > > > coming from AD on a Windows 2003 Server.
>> > > > >
>> > > > > I have given ASPNET object full access to the folder C:\test. I >> have
>> > > > > also give ASPNET object full access to Root/CIMV2 in
>> > > > > CompMgmt.msc/Services and Apps/WMI Control
>> > > > >
>> > > > > Code:
>> > > > > ----------------------------
>> > > > > The DsSettings Object is just a simple class tht contains the
> Login
>> > > > > and Path information for LDAP.
>> > > > >
>> > > > >
>> > > > > public bool GrantPermission(string username, string domain,
>> DsSettings
>> > > > > settings)
>> > > > > {
>> > > > > try
>> > > > > {
>> > > > >
>> > > > > byte[] bSid = (byte[])DsWrapper.GetUser(username,
>> > > > > settings).DsEntry.Properties["objectSID"].Value;
>> > > > > ManagementObject LogicalFileSecuritySetting = new
>> > > > > ManagementObject( new ManagementPath(
>> > > > > @"ROOT\CIMV2:Win32_LogicalFileSecuritySetting.Path ='c:\\test'") ); >> > > > > ManagementBaseObject outParams;
>> > > > > outParams =
>> > > > > LogicalFileSecuritySetting.InvokeMethod("GetSecuri tyDescriptor", >> > > > > null, null);
>> > > > >
>> > > > > ManagementBaseObject Descriptor =
>> > > > >
> ((ManagementBaseObject)(outParams.Properties["Descriptor"].Value));
>> > > > > ManagementBaseObject[] DACLObject = ( ( ManagementBaseObject[] )( >> > > > > Descriptor.Properties["DACL"].Value ) );
>> > > > >
>> > > > > ManagementObject newTrusteeUser = ( new ManagementClass(
>> > > > > @"ROOT\CIMV2:Win32_Trustee" ) ).CreateInstance();
>> > > > > newTrusteeUser["Domain"] = domain;
>> > > > > newTrusteeUser["Name"] = username;
>> > > > > newTrusteeUser["SID"] = bSid;
>> > > > >
>> > > > > ManagementObject newACEUser = ( new ManagementClass(
>> > > > > @"ROOT\CIMV2:Win32_Ace" ) ).CreateInstance();
>> > > > > newACEUser["Trustee"] = newTrusteeUser;
>> > > > > newACEUser["AceFlags"] = 3;
>> > > > > newACEUser["AceType"] = 0;
>> > > > > newACEUser["AccessMask"] = 2032127;// Full Access Mask
>> > > > > ManagementBaseObject[] DACLObjectNew = new ManagementBaseObject[] >> > > > > {newACEUser};
>> > > > > Descriptor.Properties["DACL"].Value = DACLObjectNew;
>> > > > > ManagementBaseObject inParams = null;
>> > > > > inParams =
>> > > > >
>> > LogicalFileSecuritySetting.GetMethodParameters("Se tSecurityDescriptor"); >> > > > > inParams["Descriptor"] = Descriptor;
>> > > > > outParams =
>> > > > > LogicalFileSecuritySetting.InvokeMethod("SetSecuri tyDescriptor", >> > > > > inParams, null);
>> > > > >
>> > > > > // This line is where I get a result back of 1307 in ASP.NET
>> > > > > uint result=
>> > > > > (uint)(outParams.Properties["ReturnValue"].Value);
>> > > > >
>> > > > > LogicalFileSecuritySetting.Dispose();
>> > > > > return true;
>> > > > > }
>> > > > > catch(Exception exp)
>> > > > > {
>> > > > > throw exp;
>> > > > > }
>> > > > > }
>> > > > >
>> > > > >
>> > > > > Logs:
>> > > > > ----------------------------
>> > > > > C:\WINDOWS\system32\WBEM\Logs\Framework.log
>> > > > > ----------------------------
>> > > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 >> > > > > 09:39:06.093 thread:1916
>> > > > >
>> > >
>> >
>>
> [d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179 >> > > ]
>> > > > > Shell Name Explorer.exe in Registry not found in process
>> > > > > list. 05/06/2004 09:39:06.203 thread:2540
>> > > > >
>> > >
>> >
>>
> [d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163 >> > > ]
>> > > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 >> > > > > 09:39:06.203 thread:2540
>> > > > >
>> > >
>> >
>>
> [d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179 >> > > ]
>> > > > > Shell Name Explorer.exe in Registry not found in process
>> > > > > list. 05/06/2004 09:39:07.968 thread:1916
>> > > > >
>> > >
>> >
>>
> [d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163 >> > > ]
>> > > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 >> > > > > 09:39:07.984 thread:1916
>> > > > >
>> > >
>> >
>>
> [d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179 >> > > ]
>> > > > > Shell Name Explorer.exe in Registry not found in process
>> > > > > list. 05/06/2004 09:39:07.984 thread:1916
>> > > > >
>> > >
>> >
>>
> [d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163 >> > > ]
>> > > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 >> > > > > 09:39:08.000 thread:1916
>> > > > >
>> > >
>> >
>>
> [d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179 >> > > ]
>> > > > > Shell Name Explorer.exe in Registry not found in process
>> > > > > list. 05/06/2004 09:39:08.093 thread:1916
>> > > > >
>> > >
>> >
>>
> [d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163 >> > > ]
>> > > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 >> > > > > 09:39:08.093 thread:1916
>> > > > >
>> > >
>> >
>>
> [d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179 >> > > ]
>> > > > > Shell Name Explorer.exe in Registry not found in process
>> > > > > list. 05/06/2004 09:39:08.203 thread:2540
>> > > > >
>> > >
>> >
>>
> [d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163 >> > > ]
>> > > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 >> > > > > 09:39:08.203 thread:2540
>> > > > >
>> > >
>> >
>>
> [d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179 >> > > ]
>> > > > > Shell Name Explorer.exe in Registry not found in process
>> > > > > list. 05/06/2004 09:39:08.218 thread:2540
>> > > > >
>> > >
>> >
>>
> [d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163 >> > > ]
>> > > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 >> > > > > 09:39:08.218 thread:2540
>> > > > >
>> > >
>> >
>>
> [d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179 >> > > ]
>> > > > > Shell Name Explorer.exe in Registry not found in process
>> > > > > list. 05/06/2004 09:39:08.312 thread:2540
>> > > > >
>> > >
>> >
>>
> [d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.163 >> > > ]
>> > > > > Unable to locate Shell Process, Impersonation failed. 05/06/2004 >> > > > > 09:39:08.312 thread:2540
>> > > > >
>> > >
>> >
>>
> [d:\xpsp1\admin\wmi\wbem\providers\win32provider\co mmon\implogonuser.cpp.179 >> > > ]
>> > > >
>> > > >
>> > >
>> > >
>> >
>> >
>>
>>
>
>