Bytes | Software Development & Data Engineering Community

Taking Ownership

I am trying to allow for a user account to take ownership of an Active
Directory object. I have assigned the Modify Owner permission to the user
on the AD object - a distribution list in this case. Using Active Directory
Users and Computers, the user can take ownership of the object. But I have
not been able to get the program I am working on to do so. Whenever I try
to write the Security Descriptor back to the object, I get the
E_ACCESSDENIED error. The program code works fine if run as a domain
administrator. So I am thinking that I do not have a privilege activated
that I need. But I have tried using AdjustTokenPrivileges to grant the
SE_RESTORE_NAME and SE_TAKE_OWNERSHIP_NAME privileges. That does not seem
to have any effect.

Does anyone have an idea about what I am missing?
Thanks.


The test code is as follows:

void CADOwnDlg::OnBnClickedTakeownership()
{
    ACL * abdacl = NULL;                  // absolute-form DACL
    DWORD abdacllen = 0;
    SID * abowner = NULL;                 // absolute-form owner SID
    DWORD abownerlen = 0;
    SID * abpg = NULL;                    // absolute-form primary group SID
    DWORD abpglen = 0;
    ACL * absacl = NULL;                  // absolute-form SACL
    DWORD absacllen = 0;
    SECURITY_DESCRIPTOR * absd = NULL;    // absolute-form security descriptor
    DWORD absdlen = 0;
    IDirectoryObject * adobject = NULL;
    ADSVALUE adsvalue;
    ADS_ATTR_INFO attrinfo;
    LPWSTR attrstr = L"nTSecurityDescriptor";
    DWORD buflen = 0;
    HRESULT hr;
    LUID luid;
    DWORD numattr = 0;
    DWORD numobjattr = 0;
    ADS_ATTR_INFO * objattr = NULL;
    WCHAR objectpath[256];
    HANDLE prochandle;
    SECURITY_DESCRIPTOR * sd;             // self-relative SD as read from AD
    SECURITY_DESCRIPTOR * sdsr = NULL;    // self-relative SD to write back
    unsigned char sid[256];
    SID * sidnewowner;
    HANDLE tokenhandle = NULL;
    TOKEN_PRIVILEGES tp;

    // SidVal / SidValSize hold the binary SID of the new owner; they are
    // filled in elsewhere in the dialog class.
    memset(sid, 0, sizeof(sid));
    memcpy(sid, SidVal, SidValSize);
    sidnewowner = (SID *)sid;

    // Adjacent literals: the original path was split across two source lines.
    wcscpy(objectpath, L"LDAP://CN=Test.One,OU=Client Distribution Lists,"
                       L"OU=Public Distribution Lists,DC=aoins,DC=com");

    hr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);

    // Bind as the logged-on user (no explicit credentials).
    hr = ADsOpenObject(objectpath, NULL, NULL, ADS_SECURE_AUTHENTICATION,
                       IID_IDirectoryObject, (void **)&adobject);
    if(FAILED(hr)) { CoUninitialize(); return; }

    // Read the current nTSecurityDescriptor (self-relative form).
    hr = adobject->GetObjectAttributes(&attrstr, 1, &objattr, &numobjattr);
    if(FAILED(hr) || numobjattr == 0) { adobject->Release(); CoUninitialize(); return; }
    sd = (SECURITY_DESCRIPTOR *)objattr->pADsValues->SecurityDescriptor.lpValue;

    // Convert to absolute form: the first call only reports the buffer sizes
    // (it fails with ERROR_INSUFFICIENT_BUFFER), the second call fills them.
    MakeAbsoluteSD(sd, NULL, &absdlen, NULL, &abdacllen, NULL, &absacllen,
                   NULL, &abownerlen, NULL, &abpglen);
    absd = (SECURITY_DESCRIPTOR *)malloc(absdlen);
    abdacl = (ACL *)malloc(abdacllen);
    absacl = (ACL *)malloc(absacllen);
    abowner = (SID *)malloc(abownerlen);
    abpg = (SID *)malloc(abpglen);
    MakeAbsoluteSD(sd, absd, &absdlen, abdacl, &abdacllen, absacl, &absacllen,
                   abowner, &abownerlen, abpg, &abpglen);

    // Replace the owner, then convert back to self-relative form for writing.
    SetSecurityDescriptorOwner(absd, sidnewowner, FALSE);
    MakeSelfRelativeSD(absd, NULL, &buflen);
    sdsr = (SECURITY_DESCRIPTOR *)malloc(buflen);
    MakeSelfRelativeSD(absd, sdsr, &buflen);

    // Enable SeRestorePrivilege and SeTakeOwnershipPrivilege in the process
    // token. lpSystemName must be NULL: a privilege LUID is only meaningful on
    // the system whose token is being adjusted, so looking it up on "DCH1" was
    // wrong. AdjustTokenPrivileges can only enable privileges the token already
    // holds; if one is not held it succeeds but sets ERROR_NOT_ALL_ASSIGNED.
    prochandle = GetCurrentProcess();
    OpenProcessToken(prochandle, TOKEN_ADJUST_PRIVILEGES, &tokenhandle);

    LookupPrivilegeValue(NULL, SE_RESTORE_NAME, &luid);
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(tokenhandle, FALSE, &tp, 0, NULL, NULL);
    if(GetLastError() == ERROR_NOT_ALL_ASSIGNED) { /* SeRestorePrivilege not held */ }

    LookupPrivilegeValue(NULL, SE_TAKE_OWNERSHIP_NAME, &luid);
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(tokenhandle, FALSE, &tp, 0, NULL, NULL);
    if(GetLastError() == ERROR_NOT_ALL_ASSIGNED) { /* SeTakeOwnershipPrivilege not held */ }

    // Write the modified descriptor back as the whole nTSecurityDescriptor value.
    attrinfo.dwADsType = objattr->dwADsType;
    attrinfo.dwControlCode = ADS_ATTR_UPDATE;
    attrinfo.dwNumValues = 1;
    attrinfo.pADsValues = &adsvalue;
    adsvalue.dwType = objattr->dwADsType;
    adsvalue.SecurityDescriptor.lpValue = (LPBYTE)sdsr;
    adsvalue.SecurityDescriptor.dwLength = buflen;
    attrinfo.pszAttrName = attrstr;
    // This is the call that returns E_ACCESSDENIED when run as the test user.
    hr = adobject->SetObjectAttributes(&attrinfo, 1, &numattr);

    FreeADsMem(objattr);
    adobject->Release();
    if(tokenhandle != NULL) CloseHandle(tokenhandle);
    if(abdacl != NULL) free(abdacl);
    if(abowner != NULL) free(abowner);
    if(abpg != NULL) free(abpg);
    if(absacl != NULL) free(absacl);
    if(absd != NULL) free(absd);
    if(sdsr != NULL) free(sdsr);
    CoUninitialize();
}


Nov 17 '05 #1
"Stephen Engle" <en***********@aoins.com> wrote in message
news:eM*************@TK2MSFTNGP15.phx.gbl...
> The program code works fine if run as a domain
> administrator. So I am thinking that I do not have a privilege activated
> that I need. But I have tried using AdjustTokenPrivileges to grant the
> SE_RESTORE_NAME and SE_TAKE_OWNERSHIP_NAME privileges. That does not seem
> to have any effect.
>
> Does anyone have an idea about what I am missing?

AdjustTokenPrivileges() does not grant privileges. If it did, there would be
no security at all as any thread could grant any old privilege. Rather it
enables privileges.

To review, privileges have three states:

1) not granted
2) granted and not enabled
3) granted and enabled

AdjustTokenPrivileges() can transition from state 2 to 3 or 3 to 2 in my
list above.

Because you say the code works as a domain administrator you will have to
run the code in a more privileged security context.

You have a few options:

1) Run under a proper user context.

2) Use the credentials of a suitably privileged user and LogonUser(),
ImpersonateLoggedOnUser() and RevertToSelf() so that you have the necessary
credentials at the time you need them

3) make some inter-process request of a service installed with the proper
credentials to do your bidding. Of course, then you need a way for the
service to verify that the request comes from a party it trusts.

I'd post again in a more appropriate group. If security was my _thing_ I'd
point you, but it ain't so I can't. :-)

Regards,
Will
Nov 17 '05 #2
The thing I can't figure out here is why Active Directory Users and
Computers can take ownership, yet my program cannot (obviously something is
missing). I tried using ADSI objects as well but got the same result. Is
ADU&C doing something behind the scenes with the servers to facilitate this,
or is it some API calls that I'm not doing?

Nov 17 '05 #3
"Stephen Engle" <en***********@aoins.com> wrote in message
news:um**************@TK2MSFTNGP09.phx.gbl...
> The thing I can't figure out here, is why Active Directory Users and
> Computers can take ownership, yet my program cannot (obviously something
> is missing).

It is a good question for which I don't have an answer. I _think_ though
that you could find an answer by looking at that group and its privileges.
Assuming that the code is proper, the issue is a privilege granted to a user
in the group and which is lacking in the user under whose context your
application runs.

Do you have the credentials of one of the users in this group? If so, and if
you run on XP you could try this experiment:

    HANDLE token = NULL;
    // use credentials of user in AD Users group (username/domain/password
    // are whatever you hold for that user)
    if(LogonUser(username, domain, password, LOGON32_LOGON_INTERACTIVE,
                 LOGON32_PROVIDER_DEFAULT, &token) &&
       ImpersonateLoggedOnUser(token))
    {
        // do what you need to do

        RevertToSelf();
    }
    if(token != NULL) CloseHandle(token);

> I tried using ADSI objects as well but got the same result. Is
> ADU&C doing something behind the scenes with the servers to facilitate
> this, or is it some API calls that I'm not doing?


Sorry, but I am not well versed in AD. You may want to search for a more
appropriate group in which to post your question.

Regards,
Will
Nov 17 '05 #4
Sorry - I should have been more plain about the user. I log on as the user
(a test id) in question to test my app (and also to test that user's rights
using Active Directory Users & Computers). Unfortunately, the only thing I
have been able to determine is that the user id has the appropriate rights
(because ADU&C can make the change) but my app still won't work, unless I'm
logged in as myself. I am a Domain Admin and therefore have so many rights
that I don't know for sure what the difference really is. But since ADU&C
can work for the test id, I would think there must be some way to do this
with my app.

Do you have any ideas as to what group might be more appropriate to post
this question to? I have looked at the huge list of Microsoft groups and
have only found this and potentially the microsoft.public.win2000.security
group that seemed to touch on this.
Thanks again.
Nov 17 '05 #5
"Stephen Engle" <en***********@aoins.com> wrote in message
news:uK**************@tk2msftngp13.phx.gbl...
> Sorry - I should have been more plain about the user. I log on as the user
> (a test id) in question to test my app (and also to test that user's rights
> using Active Directory Users & Computers). Unfortunately, the only thing I
> have been able to determine is that the user id has the appropriate rights
> (because ADU&C can make the change) but my app still won't work, unless I'm
> logged in as myself. I am a Domain Admin and therefore have so many rights
> that I don't know for sure what the difference really is. But since ADU&C
> can work for the test id, I would think there must be some way to do this
> with my app.
>
> Do you have any ideas as to what group might be more appropriate to post
> this question to? I have looked at the huge list of Microsoft groups and
> have only found this and potentially the microsoft.public.win2000.security
> group that seemed to touch on this.

The two languages groups (this and m.p.vc.language) field lots of questions
on things people do with the language even though the groups' focus is
ostensibly on the language itself.

The kernel group (m.p.win32.programmer.kernel) has a similar mix of skills
among the regulars and more than a few who grok security.

Apart from the kernel group, I'd plug

activedirectory

or

adsi

into the newsgroup search edit box to find a more appropriate one. If I read
any of these groups I'd suggest one, but as I said, I don't so I can't. :-(

At the risk of stating the obvious ... are you checking the return codes
from the functions that you call? It is a really really rare event for a
function in the Win32 API to fail silently. One thing you can do is type

err

in the watch window in the debugger. This pseudo-variable is an alias for
the calling thread's last error code. When a function fails (and only if it
fails so you need to check return codes or look at the EAX register if you
forgot to capture the return) this is the place to look for the underlying
cause of the failure.
> Thanks again.


You are welcome.

Regards,
Will
Nov 17 '05 #6
I have indeed been checking my return codes. The only one that fails is the
call to apply the changes back to the AD group (E_ACCESSDENIED). But thanks
for all of your help and suggestions. I will look for another place to post
and check on this.

Nov 17 '05 #7
"Stephen Engle" <en***********@aoins.com> wrote in message
news:e2**************@TK2MSFTNGP10.phx.gbl...
> I have indeed been checking my return codes. The only one that fails is
> the call to apply the changes back to the AD group (E_ACCESSDENIED).

Does the function that fails not detail what it requires? Is there any
possibility that it is a wild pointer problem? If it is something in wide
use, someone in the kernel group may spot the problem.

> But thanks for all of your help and suggestions.


You are welcome.

Regards.
Will
Nov 17 '05 #8
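One thing the thread never checks is which parts of nTSecurityDescriptor the write touches: the directory checks each component separately (WRITE_OWNER for the owner, WRITE_DAC for the DACL), and ADSI reads and writes owner, group and DACL by default, so a caller that holds only Modify Owner is refused even though the owner change on its own is permitted, and enabling privileges in the client process token does not enter into that check. The PowerShell below is an added example, not code from the thread: it uses System.DirectoryServices to restrict both the read and the write to the owner component; the distinguished name is the one from the original post, while the DC name and the new owner's SID are placeholders.

```powershell
# Added example (not from the thread): change the owner of an AD object while
# holding only the "Modify Owner" (WRITE_OWNER) right, by reading and writing
# just the OWNER component of nTSecurityDescriptor.
function Set-AdObjectOwner {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $NewOwnerSid,   # SID string of the new owner
        [string] $Server                                # optional DC name; empty = serverless bind
    )
    $path = if ($Server) { "LDAP://$Server/$DistinguishedName" } else { "LDAP://$DistinguishedName" }

    # Bind with the logged-on user's own credentials, as the dialog code does.
    $entry = New-Object System.DirectoryServices.DirectoryEntry($path)

    # Ask the provider to read and write only the owner part of the descriptor.
    # This must be set before ObjectSecurity is first touched; otherwise the
    # cached descriptor (owner + group + DACL, the ADSI default) is written back
    # whole, which the directory refuses for a caller that has WRITE_OWNER but
    # not WRITE_DAC.
    $entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Owner

    $sd = $entry.ObjectSecurity
    $oldOwner = $sd.GetOwner([System.Security.Principal.SecurityIdentifier])
    $sd.SetOwner((New-Object System.Security.Principal.SecurityIdentifier($NewOwnerSid)))
    try {
        # LDAP modify of nTSecurityDescriptor carrying the owner component only.
        $entry.CommitChanges()
    }
    catch {
        # Access denied here (HRESULT 0x80070005, E_ACCESSDENIED) means the caller
        # lacks WRITE_OWNER on the object itself; token privileges in the client
        # process play no part in the directory's check.
        throw "Owner change on '$DistinguishedName' refused: $($_.Exception.Message)"
    }
    finally {
        $entry.Dispose()
    }

    # Re-bind and read the owner back to confirm the change took effect.
    $check = New-Object System.DirectoryServices.DirectoryEntry($path)
    $check.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Owner
    $newOwner = $check.ObjectSecurity.GetOwner([System.Security.Principal.SecurityIdentifier])
    $check.Dispose()

    [pscustomobject]@{
        Object   = $DistinguishedName
        OldOwner = $oldOwner.Value
        NewOwner = $newOwner.Value
    }
}

# Usage with the object path from the original post; the DC name and SID are
# placeholders to be replaced with real values.
Set-AdObjectOwner -Server '<dc-name>' `
    -DistinguishedName 'CN=Test.One,OU=Client Distribution Lists,OU=Public Distribution Lists,DC=aoins,DC=com' `
    -NewOwnerSid 'S-1-5-21-<domain-sid>-<rid-of-test-user>'
```

The C++ in the original post can apply the same restriction by calling IADsObjectOptions::SetOption with ADS_OPTION_SECURITY_MASK set to OWNER_SECURITY_INFORMATION on the bound object before GetObjectAttributes and SetObjectAttributes.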
