Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsFree MagazinesWhite PapersSubmit Content
Discussion GroupsASP.NETWindows FormsLanguages.NET FrameworkVisual Studio.NET
Articles.NET FrameworkASP.NETToolsWindows Forms
.NET DirectoryOpen Source ProjectsUser GroupsWeb Resources
Related Topics
Visual Basic 6SQL ServerMS AccessOther DB ProductsMS Server ProductsMore Topics ...
.NET Forum / .NET Framework / Security / December 2007

Tip: Looking for answers? Try searching our database.

Security groups, ntfs access lists and active directory synchroniz

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Michael Mueller - 14 Dec 2007 14:49 GMT
Hello,

our windows service has to create an OU for teams, a sub OU for _groups and
create default security groups within this _groups OU for user and management.

Next step is to create a few directories on a file server and assign some
rights to these directories to the mentioned user-group.

This works fine, if the %logonserver% is the same as the domain controller
which was used to create the groups in active directory or if there was
enough time for active directory replication between group creation and ntfs
acl assignment.
Otherwise a wellknown error will break the workflow:

Some or all identity references could not be translated

The question is, how can I force the windows service to use the same domain
controller to resolve names to SID in order to use them with ACLs, as I used
to create the group?

We have location based domain controllers, so we need to directly connect
the domain controller which is responsible for a given region, but the
windows service is always located at the same location - lets say Berlin. The
machine in Berlin is allways connected to a domain controller in Berlin, but
if we need to create a security group in Munich, we would create them there.
But it takes some time before the group can be used in Berlin in order to
create the File Access Rights.

Any ideas how to solve this without being forced to install the same service
at each location?

Best regards
Michael
Reply to this Message
Joe Kaplan - 14 Dec 2007 19:30 GMT
Always use the SecurityIdentifier version of the IdentityReference when
setting the ACLs on the file server.  The ACL code is failing because it
cannot convert the NTName to a SID, so if you just start with the SID you
avoid this problem (and get better perf).

You can get the SID of the security principal from AD by reading the
objectSid attribute via LDAP and converting that to a byte[] (which you then
pass to the SecurityIdentifier constructor).

Joe K.

Signature

Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

> Hello,
>
[quoted text clipped - 38 lines]
> Best regards
> Michael
Reply to this Message
Michael Mueller - 17 Dec 2007 18:09 GMT
This sounds like a good solution for my problem. It will take a few weeks
until I come back to this project, but I am going to implement it that way.

Thank you

Michael

> Always use the SecurityIdentifier version of the IdentityReference when
> setting the ACLs on the file server.  The ACL code is failing because it
[quoted text clipped - 49 lines]
> > Best regards
> > Michael
Reply to this Message

Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.