• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 986
  • Last Modified:

ADSI Permissions



We?re running IIS 4.0 on a Windows NT BDC for our intranet.  The script below works when an admin is logged into the server, and runs the script locally first.  It will then work on any computer in the domain.  However, once the admin logs off the local server, no computer can successfully run the script (the error is also posted below).  I?m assuming this is a permissions issue.  What permissions must we set on the IIS server, so the script can be run, without compromising security.

The code:

<SCRIPT LANGUAGE=VBScript RUNAT=Server>

Sub Session_OnStart
     
     strUsername=Replace(ucase(Request.ServerVariables("LOGON_USER")),"\","/")
     set adsUser = GetObject("WinNT://" & strUsername)
*** The above line fails, which is referenced in the error message below ***
     for each group in adsUser.groups
          GrpList = GrpList & lcase(trim(group.name)) & ";"
     next  
     session("name")=strPath
     session("groups")=GrpList
     if instr(1,GrpList,"domain admin") then session("permission") = "YES"

end sub      
 
</script>

The error message (when an admin is logged into another computer and tries to access the page).

error '80070035'
The network path was not found.
/Report/global.asa, line 11

The error message (when a domain user is logged into another computer and tries to access the page).

Microsoft VBScript runtime error '800a0046'
Permission denied: 'GetObject'
/Report/global.asa, line 6


0
awetherhold
Asked:
awetherhold
1 Solution
 
robbertCommented:
You need to be admin to get information on a user. In consequence, you can a) force your (admin...) users to logon, or b) create an ActiveX DLL with the above code, and run it as "this..." user, in an MTS / COM+ package.
Let me know when you decide for one of these options or wait a while (to see if there are alternatives), and delete the question.
0
 
gbarenCommented:
|\     /|
| \   / |
|  \ /  |
|  / \  |
| /   \ |
|/     \|

Ears On.
0
 
robbertCommented:
Hm, haven't there been more comments than I currently see?
0
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

 
awetherholdAuthor Commented:
Robbert, I have looked into moving the code into an Active X dll, but it only seems to move the error into the dll.  I have tried to use MTS, but i am not sure if i used it correctly.  How do i get the MTS to work? I created a package and include the dll as a component but it still gives me the same error
0
 
robbertCommented:
> but it only seems to move the error
into the dll

True, the calling user will be inherited.

> How do i get the
MTS to work?

You have created a package, imported the DLL. Right-click the package, Properties. Tab Identity, choose "Run as this... user".

To what I've done, there are no pitfalls, so please inform me where they could be... Have you chosen to run the DLL under an admin account?
0
 
TTomCommented:
Interesting!  I use a method very similar to this for all the security on my internal applications and I have never had a problem with it.  The web server (and I) am not domain administrators!

You might want to check with your domain admin.  There is a way of setting permissions (on the domain controllers) such that ADSI information is not available.  Apparently, in my case, that has not been done.  In your case, it probably has.  It involves a registry setting, but I don't remember what that setting is.

Tom
0
 
awetherholdAuthor Commented:
Thanks, that worked.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now