Token does not contain builtin and local group entries of foreign domain

Post by Vipu » Sat, 14 Sep 2002 22:51:14

Subject:         Token does not contain builtin and local group entries of foreign domain

Problem:         The user token does not contain the entries of the foreign-domain local group to which it belongs.
                    It only contains the entries of the current-domain local group to which it belongs.

Description:     We are doing an access check on an Active Directory object for performing a particular operation, e.g. Create User rights.

                     1. In our COM component we are getting the caller token (the caller is actually coming via IIS), e.g. Forest1-User

                     2. We get the NT security descriptor of the object from the directory. For the above operation, the parent object's SD

                     3. Forest1-User is a member of Forest2-LocalGroup, and that group has full rights on the object

                     4. AccessCheckByTypeResultList() is used to perform the access check

                     5. But the access check fails if it is performed on a Forest1 machine, whereas it succeeds on a Forest2 machine

So how can I perform a fool-proof access check?

Thanks in anticipation
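The behaviour described in the post follows from how a token is built: a domain-local group is only added to a user's token by a machine (or DC) in the domain that owns the group, so a token built on a Forest1 machine never carries Forest2-LocalGroup, and any DACL entry granted to that group cannot match. The following is an added toy model, not code from the post and not the Win32 API; it models token construction with that rule and then runs a canonical DACL walk (deny-before-allow, accumulate granted bits) of the kind the AccessCheck* family performs. All group names, the ACEs and the FULL mask are constructed for illustration; CREATE_CHILD uses the value of ADS_RIGHT_DS_CREATE_CHILD.

```python
"""Toy model of token construction and DACL evaluation across two domains.
Constructed example; group names and ACEs are illustrative, not values from
the original post or from any real directory."""
from dataclasses import dataclass

# Access mask bits. CREATE_CHILD matches ADS_RIGHT_DS_CREATE_CHILD;
# FULL is a constructed stand-in for "full rights".
CREATE_CHILD = 0x1
FULL = 0xFFFF

# Constructed directory state: domain-local group -> (owning domain, members).
DOMAIN_LOCAL_GROUPS = {
    "Forest2-LocalGroup": ("Forest2", {"Forest1-User"}),
    "Forest1-Helpdesk":   ("Forest1", {"Forest1-Temp"}),
}


def build_token(user, evaluating_domain):
    """SIDs present in the user's token when it is built by a machine in
    evaluating_domain. Model assumption: a domain-local group is added only
    when the domain building the token owns that group, which is why a
    token built in Forest1 never carries Forest2-LocalGroup."""
    sids = {user}
    for group, (owner, members) in DOMAIN_LOCAL_GROUPS.items():
        if user in members and owner == evaluating_domain:
            sids.add(group)
    return sids


@dataclass(frozen=True)
class Ace:
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    sid: str      # trustee the ACE applies to
    mask: int     # rights covered by the ACE


def access_check(dacl, token_sids, desired):
    """Canonical DACL walk: an applicable deny ACE that covers any
    not-yet-granted bit fails the check; allow ACEs accumulate until every
    desired bit is granted. ACEs for SIDs absent from the token are skipped,
    which is exactly how a missing foreign domain-local group loses rights."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
        elif ace.mask & remaining:
            return False
    return remaining == 0


# Constructed DACL on the parent container: deny create-child to a Forest1
# helpdesk group, full rights to the foreign domain-local group (as in the post).
PARENT_DACL = [
    Ace(allow=False, sid="Forest1-Helpdesk", mask=CREATE_CHILD),
    Ace(allow=True, sid="Forest2-LocalGroup", mask=FULL),
]


def can_create_user(user, evaluating_domain):
    """Outcome of the Create User access check when the token is built in
    evaluating_domain. Returns True only when the check succeeds."""
    token = build_token(user, evaluating_domain)
    return access_check(PARENT_DACL, token, CREATE_CHILD)


if __name__ == "__main__":
    for domain in ("Forest1", "Forest2"):
        print(domain, sorted(build_token("Forest1-User", domain)),
              "create user:", can_create_user("Forest1-User", domain))
```

Running it shows the asymmetry from the post: the same user passes on Forest2 and fails on Forest1, because the token differs, not the DACL. The practical consequence for a defender is that an access check is only meaningful when the token is built where the resource lives; a check evaluated on a machine outside the resource domain (or by impersonating a token obtained there) will miss that domain's local-group grants and denies alike, so both false denials and false permits are possible.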


1. Group Policy and Local Users and Groups

I have been working on a software suite designed to increase the level of
security on NT4, Windows 2000 and XP Professional.  So far everything is
working nicely, and it looks good.  I am now working on the management end
of our suite and I am having some problems.  For W2K and XP Pro we have
decided to use MMC as the interface to modify settings.  Our suite stores
properties for individual users, and in my research on MMC I found an app
that extends the Local Users and Groups snap-ins.  I have been able to write
an extension with only one problem.  I have not found a good way of
determining if Local Users and Groups is administering the local machine or
a remote machine.  I have had a similar experience with Group Policy.  We
have decided to extend the Security Settings snap-in to add our policies.  I
know that this can be done because there are other snap-ins that extend this
snap-in, like IP security.  I have also found no way of determining if I am
looking at a local machine or not with this snap-in as well.  I have posted
about these problems many times in many groups, but so far no one has been
able to help.

Matt Osborne
