Translate BUILTIN to domain name

Hello group

I'm trying to list the users and groups who have read access to a file.

I use .NET 2.0 and FileInfo.GetAccessControl().GetAccessRules(...) and then
loop through the FileSystemAccessRule objects. Using these objects, it is
easy to use rule.IdentityReference.Translate(typeof(NTAccount) ) to get the
NTAccount object.

I have noticed that some of the NTAccounts can belong to BUILTIN domains,
e.g. BUILTIN\Users. I need to translate this BUILTIN domain name to an
actual computer or domain name. Just like it is done when I click on the
Security tab of the file property dialog.

If it is on my local computer, I guess that I should just translate it into
the local computer name. However, what should I do if it is on a remote
computer? If the remote computer is a Domain controller, it looks as if I
should translate it to <DOMAIN>\Users instead of <COMPUTERNAME>\Users.

My problem is that I don't know if the file is a local file or on a remote
computer. And if I could find out if it is a local or remote file, how do I
find out if it is on the domain controller?

If this is the wrong group to ask, then please let me know.

Thank you for your help

Regards
Anders
Feb 9 '06 #1
BUILTIN is a special pseudo domain (like NT AUTHORITY) that corresponds to
well-known accounts with pre-defined SIDs.

You can just use them as-is and shouldn't replace them by the local (or
another) domain name.

/LM
Feb 9 '06 #2
Thank you for your answer.

Let me see if I can explain my problem better.

Assume that a file (FILE1) is stored on SERVER1. BUILTIN\Users on SERVER1 is
allowed to read this file. When I inspect the file, I read this information.

On another computer COMPUTER2, I find that USER2 is a member of
BUILTIN\Users on this computer, but USER2 is NOT a member of BUILTIN\Users
on SERVER1.

Now I would like to find out if USER2 is allowed to read FILE1. My problem
is that I can't use the normal Windows mechanisms to decide this question.
So I would like to be able to compare users and groups between computers and
servers. If I just compare BUILTIN\Users with BUILTIN\Users, I find that
USER2 is allowed to read FILE1 which is wrong. However if I could translate
BUILTIN\Users on SERVER1 to SERVER1\Users and BUILTIN\Users on COMPUTER2 to
COMPUTER2\Users, I would be able to decide that USER2 is not allowed to read
FILE1.

Regards
Anders
Feb 10 '06 #3
But it is not that simple. USER2 can be a member of a global group that is itself
member of BUILTIN\Users. In general you cannot decide based on such simple
comparison. You must impersonate USER2 and try to access the file and let
Windows decide if USER2 has access or not...

/LM

Feb 10 '06 #4
My problem is that I can't use Windows to decide if USER2 has access to the
file. I need to decide this using string comparisons. I'm doing the
comparisons in another application that knows nothing about Windows and
authentication.

When USER2 tries to access the file through my system (a webpage), I will
enumerate all the groups that USER2 belongs to. I'm using Integrated Windows
Authentication on the web browser, so this is done while I'm impersonating
USER2, so it will recursively list all groups that USER2 belongs to. When I
know all groups that USER2 belongs to, I can compare this list with the list
of users/groups that is allowed to read the file.

But you have a point: This enumeration will probably only list the groups
that are available on the webserver. Therefore it will not contain
BUILTIN\Users on SERVER1 if the webserver is not running on SERVER1.

I'm beginning to think that it is not possible to achieve all the things
that I want to be able to do.

Regards
Anders
Feb 13 '06 #5
Yes, I think the closest to what you want to do is to require the user to
be part of a specific group to have access to the file and use the IsInRole
method to check (deeply) if the user is part of that group.

/LM

Feb 13 '06 #6
Yes, that is probably true.

Thank you for your help. You have given me something to think about and some
new directions to look.

Regards
Anders
Feb 14 '06 #7
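An added example (not code from either participant) of the approach Luc recommends: resolve each ACE to its SID, recognise BUILTIN\Users by its well-known SID rather than by its name, and let the user's token answer the membership question through IsInRole, which also covers nested groups. The file path is a placeholder; as Anders notes, the token only carries the groups known where the user logged on, so a remote server's own local Users group is not reflected in it.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class AclCheck
{
    // Returns true only if some ACE grants read data to the identity (directly or via
    // a group it holds) and no matching ACE denies it. Deny entries take precedence,
    // mirroring the canonical ACL order in which Windows evaluates them.
    public static bool CanRead(string path, WindowsIdentity identity)
    {
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        FileSecurity acl = new FileInfo(path).GetAccessControl();
        bool allowed = false;
        foreach (FileSystemAccessRule rule in
                 acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if ((rule.FileSystemRights & FileSystemRights.ReadData) == 0)
                continue;
            SecurityIdentifier sid = (SecurityIdentifier)rule.IdentityReference;

            // BUILTIN\Users is S-1-5-32-545 on every machine, but its membership is
            // local to the machine holding the file; AccountDomainSid is null for it.
            if (sid.IsWellKnown(WellKnownSidType.BuiltinUsersSid))
                Console.WriteLine("ACE refers to the file host's local Users group");

            // IsInRole checks the token's group SIDs (nested memberships included),
            // so no name-based comparison of "BUILTIN\Users" is needed.
            if (!identity.User.Equals(sid) && !principal.IsInRole(sid))
                continue;
            if (rule.AccessControlType == AccessControlType.Deny)
                return false;
            allowed = true;
        }
        return allowed;
    }

    static void Main(string[] args)
    {
        // Placeholder path; pass the real file as the first argument.
        string path = args.Length > 0 ? args[0] : @"C:\share\FILE1.txt";
        WindowsIdentity me = WindowsIdentity.GetCurrent();
        Console.WriteLine("{0} can read {1}: {2}", me.Name, path, CanRead(path, me));
    }
}
```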
