
Translate BUILTIN to domain name

Hello group

I'm trying to list the users and groups who have read access to a file.

I use .NET 2.0 and FileInfo.GetAccessControl().GetAccessRules(...) and then
loop through the FileSystemAccessRule objects. Using these objects, it is
easy to use rule.IdentityReference.Translate(typeof(NTAccount)) to get the
NTAccount object.

I have noticed that some of the NTAccounts can belong to BUILTIN domains,
e.g. BUILTIN\Users. I need to translate this BUILTIN domain name to an
actual computer or domain name. Just like it is done when I click on the
Security tab of the file property dialog.

If it is on my local computer, I guess that I should just translate it into
the local computer name. However, what should I do if it is on a remote
computer? If the remote computer is a Domain controller, it looks as if I
should translate it to <DOMAIN>\Users instead of <COMPUTERNAME>\Users.

My problem is, that I don't know if the file is a local file or on a remote
computer. And if I could find out if it is a local or remote file, how do I
find out if it is on the domain controller?

If this is the wrong group to ask, then please let me know.

Thank you for your help

Regards
Anders
Feb 9 '06 #1
BUILTIN is a special pseudo domain (like NT AUTHORITY) that corresponds to
well known accounts with pre-defined SIDs.

You can just use them as-is and shouldn't replace them by the local (or
another) domain name.

/LM

Feb 9 '06 #2
"Luc E. Mistiaen" <lu**********@advalvas.be.no.spam> wrote in message
news:eS**************@TK2MSFTNGP09.phx.gbl...
> BUILTIN is a special pseudo domain (like NT AUTHORITY) that corresponds to
> well known accounts with pre-defined SIDs.
>
> You can just use them as-is and shouldn't replace them by the local
> (or another) domain name.


Thank you for your answer.

Let me see if I can explain my problem better.

Assume that a file (FILE1) is stored on SERVER1. BUILTIN\Users on SERVER1 is
allowed to read this file. When I inspect the file, I read this information.

On another computer COMPUTER2, I find that USER2 is a member of
BUILTIN\Users on this computer, but USER2 is NOT a member of BUILTIN\Users
on SERVER1.

Now I would like to find out if USER2 is allowed to read FILE1. My problem
is, that I can't use the normal Windows mechanisms to decide this question.
So I would like to be able to compare users and groups between computers and
servers. If I just compare BUILTIN\Users with BUILTIN\Users, I find that
USER2 is allowed to read FILE1 which is wrong. However if I could translate
BUILTIN\Users on SERVER1 to SERVER1\Users and BUILTIN\Users on COMPUTER2 to
COMPUTER2\Users, I would be able to decide that USER2 is not allowed to read
FILE1.

Regards
Anders
Feb 10 '06 #3
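
Added example (not from any poster in this thread): the ACL read as SIDs rather than NTAccount names, showing that BUILTIN\Users is the same well-known SID on every machine, which is why comparing the name between SERVER1 and COMPUTER2 gives the wrong answer. The SDDL string, the account SID and the `HOST|SID` key format are constructed for illustration; the code runs on Windows.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;

static class AclKeys
{
    // BUILTIN aliases sit under S-1-5-32 and have the same SID on every machine.
    static bool IsBuiltinAlias(SecurityIdentifier sid)
    {
        return sid.Value.StartsWith("S-1-5-32-", StringComparison.Ordinal);
    }

    // Hypothetical key format for comparisons done outside Windows: the SID
    // string for account SIDs, "HOST|SID" for BUILTIN aliases, because their
    // membership is defined by the machine that holds the file.
    static string ScopedKey(SecurityIdentifier sid, string host)
    {
        return IsBuiltinAlias(sid) ? host.ToUpperInvariant() + "|" + sid.Value : sid.Value;
    }

    static void Main()
    {
        // Constructed DACL for FILE1: read for BUILTIN\Users (BU), full control
        // for BUILTIN\Administrators (BA), read for a made-up account SID.
        FileSecurity acl = new FileSecurity();
        acl.SetSecurityDescriptorSddlForm(
            "D:(A;;FR;;;BU)(A;;FA;;;BA)" +
            "(A;;FR;;;S-1-5-21-1111111111-2222222222-3333333333-1001)");

        // Requesting SecurityIdentifier instead of NTAccount avoids name lookups.
        foreach (FileSystemAccessRule rule in
                 acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            SecurityIdentifier sid = (SecurityIdentifier)rule.IdentityReference;
            Console.WriteLine("{0} {1} -> {2}", rule.AccessControlType,
                rule.FileSystemRights, ScopedKey(sid, "SERVER1"));
        }

        // BUILTIN\Users is the same SID on SERVER1 and COMPUTER2; only the
        // host-qualified keys tell the two local groups apart.
        SecurityIdentifier users =
            new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
        Console.WriteLine(users.Value);
        Console.WriteLine(ScopedKey(users, "SERVER1") == ScopedKey(users, "COMPUTER2"));
    }
}
```

The key only identifies which machine's alias an ACE refers to; who belongs to that alias still has to be read from that machine.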
But it is not that simple. USER2 can be a member of a global group that is itself
a member of BUILTIN\Users. In general you cannot decide based on such simple
comparison. You must impersonate USER2 and try to access the file and let
Windows decide if USER2 has access or not...

/LM

Feb 10 '06 #4
"Luc E. Mistiaen" <lu**********@advalvas.be.no.spam> wrote in message
news:Oh**************@TK2MSFTNGP10.phx.gbl...
> But it is not that simple. USER2 can be a member of a global group that is
> itself a member of BUILTIN\Users. In general you cannot decide based on such
> simple comparison. You must impersonate USER2 and try to access the file
> and let Windows decide if USER2 has access or not...


My problem is, that I can't use Windows to decide if USER2 has access to the
file. I need to decide this using string comparisons. I'm doing the
comparisons in another application that knows nothing about Windows and
authentication.

When USER2 tries to access the file through my system (a webpage), I will
enumerate all the groups that USER2 belongs to. I'm using Integrated Windows
Authentication on the webbrowser, so this is done while I'm impersonating
USER2, so it will recursively list all groups that USER2 belongs to. When I
know all groups that USER2 belongs to, I can compare this list with the list
of users/groups that is allowed to read the file.

But you have a point: This enumeration will probably only list the groups
that are available on the webserver. Therefore it will not contain
BUILTIN\Users on SERVER1 if the webserver is not running on SERVER1.

I'm beginning to think, that it is not possible to achieve all the things
that I want to be able to do.

Regards
Anders
Feb 13 '06 #5
Yes, I think the closest to what you want to do, is to require the user to
be part of a specific group to have access to the file and use the IsInRole
method to check (deeply) if the user is part of that group.

/LM

Feb 13 '06 #6
"Luc E. Mistiaen" <lu**********@advalvas.be.no.spam> wrote in message
news:ud**************@TK2MSFTNGP09.phx.gbl...
> Yes, I think the closest to what you want to do, is to require the user to
> be part of a specific group to have access to the file and use the
> IsInRole method to check (deeply) if the user is part of that group.


Yes, that is probably true.

Thank you for your help. You have given me something to think about and some
new directions to look.

Regards
Anders
Feb 14 '06 #7
