Solved

ADSI Permissions

Posted on 2001-06-19
7
958 Views
Last Modified: 2007-11-27


We?re running IIS 4.0 on a Windows NT BDC for our intranet.  The script below works when an admin is logged into the server, and runs the script locally first.  It will then work on any computer in the domain.  However, once the admin logs off the local server, no computer can successfully run the script (the error is also posted below).  I?m assuming this is a permissions issue.  What permissions must we set on the IIS server, so the script can be run, without compromising security.

The code:

<SCRIPT LANGUAGE=VBScript RUNAT=Server>

Sub Session_OnStart
     
     strUsername=Replace(ucase(Request.ServerVariables("LOGON_USER")),"\","/")
     set adsUser = GetObject("WinNT://" & strUsername)
*** The above line fails, which is referenced in the error message below ***
     for each group in adsUser.groups
          GrpList = GrpList & lcase(trim(group.name)) & ";"
     next  
     session("name")=strPath
     session("groups")=GrpList
     if instr(1,GrpList,"domain admin") then session("permission") = "YES"

end sub      
 
</script>

The error message (when an admin is logged into another computer and tries to access the page).

error '80070035'
The network path was not found.
/Report/global.asa, line 11

The error message (when a domain user is logged into another computer and tries to access the page).

Microsoft VBScript runtime error '800a0046'
Permission denied: 'GetObject'
/Report/global.asa, line 6


0
Comment
Question by:awetherhold
7 Comments
 
LVL 15

Expert Comment

by:robbert
Comment Utility
You need to be admin to get information on a user. In consequence, you can a) force your (admin...) users to logon, or b) create an ActiveX DLL with the above code, and run it as "this..." user, in an MTS / COM+ package.
Let me know when you decide for one of these options or wait a while (to see if there are alternatives), and delete the question.
0
 
LVL 5

Expert Comment

by:gbaren
Comment Utility
|\     /|
| \   / |
|  \ /  |
|  / \  |
| /   \ |
|/     \|

Ears On.
0
 
LVL 15

Expert Comment

by:robbert
Comment Utility
Hm, haven't there been more comments than I currently see?
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 
LVL 1

Author Comment

by:awetherhold
Comment Utility
Robbert, I have looked into moving the code into an Active X dll, but it only seems to move the error into the dll.  I have tried to use MTS, but i am not sure if i used it correctly.  How do i get the MTS to work? I created a package and include the dll as a component but it still gives me the same error
0
 
LVL 15

Accepted Solution

by:
robbert earned 200 total points
Comment Utility
> but it only seems to move the error
into the dll

True, the calling user will be inherited.

> How do i get the
MTS to work?

You have created a package, imported the DLL. Right-click the package, Properties. Tab Identity, choose "Run as this... user".

To what I've done, there are no pitfalls, so please inform me where they could be... Have you chosen to run the DLL under an admin account?
0
 
LVL 9

Expert Comment

by:TTom
Comment Utility
Interesting!  I use a method very similar to this for all the security on my internal applications and I have never had a problem with it.  The web server (and I) am not domain administrators!

You might want to check with your domain admin.  There is a way of setting permissions (on the domain controllers) such that ADSI information is not available.  Apparently, in my case, that has not been done.  In your case, it probably has.  It involves a registry setting, but I don't remember what that setting is.

Tom
0
 
LVL 1

Author Comment

by:awetherhold
Comment Utility
Thanks, that worked.
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

I recently decide that I needed a way to make my pages scream on the net.   While searching around how I can accomplish this I stumbled across a great article that stated "minimize the server requests." I got to thinking, hey, I use more than one…
I would like to start this tip/trick by saying Thank You, to all who said that this could not be done, as it forced me to make sure that it could be accomplished. :) To start, I want to make sure everyone understands the importance of utilizing p…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now