Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 983
  • Last Modified:

ADSI Permissions



We?re running IIS 4.0 on a Windows NT BDC for our intranet.  The script below works when an admin is logged into the server, and runs the script locally first.  It will then work on any computer in the domain.  However, once the admin logs off the local server, no computer can successfully run the script (the error is also posted below).  I?m assuming this is a permissions issue.  What permissions must we set on the IIS server, so the script can be run, without compromising security.

The code:

<SCRIPT LANGUAGE=VBScript RUNAT=Server>

Sub Session_OnStart
     
     strUsername=Replace(ucase(Request.ServerVariables("LOGON_USER")),"\","/")
     set adsUser = GetObject("WinNT://" & strUsername)
*** The above line fails, which is referenced in the error message below ***
     for each group in adsUser.groups
          GrpList = GrpList & lcase(trim(group.name)) & ";"
     next  
     session("name")=strPath
     session("groups")=GrpList
     if instr(1,GrpList,"domain admin") then session("permission") = "YES"

end sub      
 
</script>

The error message (when an admin is logged into another computer and tries to access the page).

error '80070035'
The network path was not found.
/Report/global.asa, line 11

The error message (when a domain user is logged into another computer and tries to access the page).

Microsoft VBScript runtime error '800a0046'
Permission denied: 'GetObject'
/Report/global.asa, line 6


0
awetherhold
Asked:
awetherhold
1 Solution
 
robbertCommented:
You need to be admin to get information on a user. In consequence, you can a) force your (admin...) users to logon, or b) create an ActiveX DLL with the above code, and run it as "this..." user, in an MTS / COM+ package.
Let me know when you decide for one of these options or wait a while (to see if there are alternatives), and delete the question.
0
 
gbarenCommented:
|\     /|
| \   / |
|  \ /  |
|  / \  |
| /   \ |
|/     \|

Ears On.
0
 
robbertCommented:
Hm, haven't there been more comments than I currently see?
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
awetherholdAuthor Commented:
Robbert, I have looked into moving the code into an Active X dll, but it only seems to move the error into the dll.  I have tried to use MTS, but i am not sure if i used it correctly.  How do i get the MTS to work? I created a package and include the dll as a component but it still gives me the same error
0
 
robbertCommented:
> but it only seems to move the error
into the dll

True, the calling user will be inherited.

> How do i get the
MTS to work?

You have created a package, imported the DLL. Right-click the package, Properties. Tab Identity, choose "Run as this... user".

To what I've done, there are no pitfalls, so please inform me where they could be... Have you chosen to run the DLL under an admin account?
0
 
TTomCommented:
Interesting!  I use a method very similar to this for all the security on my internal applications and I have never had a problem with it.  The web server (and I) am not domain administrators!

You might want to check with your domain admin.  There is a way of setting permissions (on the domain controllers) such that ADSI information is not available.  Apparently, in my case, that has not been done.  In your case, it probably has.  It involves a registry setting, but I don't remember what that setting is.

Tom
0
 
awetherholdAuthor Commented:
Thanks, that worked.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now