Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

ADSI Permissions

Posted on 2001-06-19
7
961 Views
Last Modified: 2007-11-27


We?re running IIS 4.0 on a Windows NT BDC for our intranet.  The script below works when an admin is logged into the server, and runs the script locally first.  It will then work on any computer in the domain.  However, once the admin logs off the local server, no computer can successfully run the script (the error is also posted below).  I?m assuming this is a permissions issue.  What permissions must we set on the IIS server, so the script can be run, without compromising security.

The code:

<SCRIPT LANGUAGE=VBScript RUNAT=Server>

Sub Session_OnStart
     
     strUsername=Replace(ucase(Request.ServerVariables("LOGON_USER")),"\","/")
     set adsUser = GetObject("WinNT://" & strUsername)
*** The above line fails, which is referenced in the error message below ***
     for each group in adsUser.groups
          GrpList = GrpList & lcase(trim(group.name)) & ";"
     next  
     session("name")=strPath
     session("groups")=GrpList
     if instr(1,GrpList,"domain admin") then session("permission") = "YES"

end sub      
 
</script>

The error message (when an admin is logged into another computer and tries to access the page).

error '80070035'
The network path was not found.
/Report/global.asa, line 11

The error message (when a domain user is logged into another computer and tries to access the page).

Microsoft VBScript runtime error '800a0046'
Permission denied: 'GetObject'
/Report/global.asa, line 6


0
Comment
Question by:awetherhold
7 Comments
 
LVL 15

Expert Comment

by:robbert
ID: 6207845
You need to be admin to get information on a user. In consequence, you can a) force your (admin...) users to logon, or b) create an ActiveX DLL with the above code, and run it as "this..." user, in an MTS / COM+ package.
Let me know when you decide for one of these options or wait a while (to see if there are alternatives), and delete the question.
0
 
LVL 5

Expert Comment

by:gbaren
ID: 6208121
|\     /|
| \   / |
|  \ /  |
|  / \  |
| /   \ |
|/     \|

Ears On.
0
 
LVL 15

Expert Comment

by:robbert
ID: 6208135
Hm, haven't there been more comments than I currently see?
0
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
LVL 1

Author Comment

by:awetherhold
ID: 6208212
Robbert, I have looked into moving the code into an Active X dll, but it only seems to move the error into the dll.  I have tried to use MTS, but i am not sure if i used it correctly.  How do i get the MTS to work? I created a package and include the dll as a component but it still gives me the same error
0
 
LVL 15

Accepted Solution

by:
robbert earned 200 total points
ID: 6208252
> but it only seems to move the error
into the dll

True, the calling user will be inherited.

> How do i get the
MTS to work?

You have created a package, imported the DLL. Right-click the package, Properties. Tab Identity, choose "Run as this... user".

To what I've done, there are no pitfalls, so please inform me where they could be... Have you chosen to run the DLL under an admin account?
0
 
LVL 9

Expert Comment

by:TTom
ID: 6208992
Interesting!  I use a method very similar to this for all the security on my internal applications and I have never had a problem with it.  The web server (and I) am not domain administrators!

You might want to check with your domain admin.  There is a way of setting permissions (on the domain controllers) such that ADSI information is not available.  Apparently, in my case, that has not been done.  In your case, it probably has.  It involves a registry setting, but I don't remember what that setting is.

Tom
0
 
LVL 1

Author Comment

by:awetherhold
ID: 6224555
Thanks, that worked.
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Problems using Provider=OraOLEDB.Oracle via VBScript/Classic ASP 5 85
If-Then-Else ASP problem 6 67
ASP/VB email question 4 46
ASP server side get value 15 35
I would like to start this tip/trick by saying Thank You, to all who said that this could not be done, as it forced me to make sure that it could be accomplished. :) To start, I want to make sure everyone understands the importance of utilizing p…
I was asked about the differences between classic ASP and ASP.NET, so let me put them down here, for reference: Let's make the introductions... Classic ASP was launched by Microsoft in 1998 and dynamically generate web pages upon user interact…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question