Solved

ADSI Permissions

Posted on 2001-06-19
7
964 Views
Last Modified: 2007-11-27


We?re running IIS 4.0 on a Windows NT BDC for our intranet.  The script below works when an admin is logged into the server, and runs the script locally first.  It will then work on any computer in the domain.  However, once the admin logs off the local server, no computer can successfully run the script (the error is also posted below).  I?m assuming this is a permissions issue.  What permissions must we set on the IIS server, so the script can be run, without compromising security.

The code:

<SCRIPT LANGUAGE=VBScript RUNAT=Server>

Sub Session_OnStart
     
     strUsername=Replace(ucase(Request.ServerVariables("LOGON_USER")),"\","/")
     set adsUser = GetObject("WinNT://" & strUsername)
*** The above line fails, which is referenced in the error message below ***
     for each group in adsUser.groups
          GrpList = GrpList & lcase(trim(group.name)) & ";"
     next  
     session("name")=strPath
     session("groups")=GrpList
     if instr(1,GrpList,"domain admin") then session("permission") = "YES"

end sub      
 
</script>

The error message (when an admin is logged into another computer and tries to access the page).

error '80070035'
The network path was not found.
/Report/global.asa, line 11

The error message (when a domain user is logged into another computer and tries to access the page).

Microsoft VBScript runtime error '800a0046'
Permission denied: 'GetObject'
/Report/global.asa, line 6


0
Comment
Question by:awetherhold
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 15

Expert Comment

by:robbert
ID: 6207845
You need to be admin to get information on a user. In consequence, you can a) force your (admin...) users to logon, or b) create an ActiveX DLL with the above code, and run it as "this..." user, in an MTS / COM+ package.
Let me know when you decide for one of these options or wait a while (to see if there are alternatives), and delete the question.
0
 
LVL 5

Expert Comment

by:gbaren
ID: 6208121
|\     /|
| \   / |
|  \ /  |
|  / \  |
| /   \ |
|/     \|

Ears On.
0
 
LVL 15

Expert Comment

by:robbert
ID: 6208135
Hm, haven't there been more comments than I currently see?
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Author Comment

by:awetherhold
ID: 6208212
Robbert, I have looked into moving the code into an Active X dll, but it only seems to move the error into the dll.  I have tried to use MTS, but i am not sure if i used it correctly.  How do i get the MTS to work? I created a package and include the dll as a component but it still gives me the same error
0
 
LVL 15

Accepted Solution

by:
robbert earned 200 total points
ID: 6208252
> but it only seems to move the error
into the dll

True, the calling user will be inherited.

> How do i get the
MTS to work?

You have created a package, imported the DLL. Right-click the package, Properties. Tab Identity, choose "Run as this... user".

To what I've done, there are no pitfalls, so please inform me where they could be... Have you chosen to run the DLL under an admin account?
0
 
LVL 9

Expert Comment

by:TTom
ID: 6208992
Interesting!  I use a method very similar to this for all the security on my internal applications and I have never had a problem with it.  The web server (and I) am not domain administrators!

You might want to check with your domain admin.  There is a way of setting permissions (on the domain controllers) such that ADSI information is not available.  Apparently, in my case, that has not been done.  In your case, it probably has.  It involves a registry setting, but I don't remember what that setting is.

Tom
0
 
LVL 1

Author Comment

by:awetherhold
ID: 6224555
Thanks, that worked.
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I would like to start this tip/trick by saying Thank You, to all who said that this could not be done, as it forced me to make sure that it could be accomplished. :) To start, I want to make sure everyone understands the importance of utilizing p…
I was asked about the differences between classic ASP and ASP.NET, so let me put them down here, for reference: Let's make the introductions... Classic ASP was launched by Microsoft in 1998 and dynamically generate web pages upon user interact…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question