Problems about checking shared folder permissions remotely on a domain machine as a Domain Admin?

  • Question

  • Hi,

    I'm writing C++ software that retrieves the users, the groups and the permissions of shared folders in an Active Directory domain; by "permissions" I mean something like which user or group is permitted or denied access to this folder. My software's input is the account of the Domain Admin, and it's supposed to query the DC for the users and groups and query the file server, which is in the domain, for permissions. But the software itself can be on any machine (domain or workgroup) connected locally with the DC and file server. Everything was OK until I encountered this problem:

    Here's the function to get the NTFS security descriptor of a shared folder (named strFileName) on a certain remote machine (named strServerName, whose IP is strServerIP). The question is: when I delete the "Everyone" account in the "Share" tab of the folder, the GetNamedSecurityInfo function fails with error code 5, which means access denied. But if I keep "Everyone", the function works just fine. I can't guarantee whether "Everyone" is preserved or not on some remote shared folder. So how can I make this function work (or another method which can check permissions would be OK) without "Everyone"? I thought the Domain Admin should have the capability to check any domain machine's shared folder permissions under any condition?

    PSECURITY_DESCRIPTOR ADDirectorySearch::getNTFSSecDescriptor2(CString strFileName, CString strServerName, CString strServerIP)
    {
        //CString strServerNameWithSlash = _T("\\\\") + strServerName;//"\\\\veotax3";
        CString strFilePathName = _T("\\\\") + strServerName + _T("\\") + strFileName;//"\\\\veotax3\\nrdc1001";
        CString strFilePathName2 = _T("\\\\") + strServerIP + _T("\\") + strFileName;//"\\\\\\nrdc1001";
        _bstr_t bstrFilePathName = strFilePathName;
        DWORD dwResult = ERROR_SUCCESS; // GetNamedSecurityInfoW returns a Win32 error code, not a BOOL
        PSECURITY_DESCRIPTOR pSecDescriptorBuf = NULL;
        DWORD dwSizeNeeded = 0;

    label2:
        // Ask only for the DACL; on success the descriptor is allocated by the API
        dwResult = GetNamedSecurityInfoW(bstrFilePathName, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, NULL, NULL, &pSecDescriptorBuf);
        //bSuccess = GetFileSecurityW(bstrFilePathName, DACL_SECURITY_INFORMATION, NULL, 0, &dwSizeNeeded);
        if (ERROR_SUCCESS != dwResult)
        {
            if (strFilePathName != strFilePathName2)
            {
                strFilePathName = strFilePathName2;
                bstrFilePathName = strFilePathName2; //use ip for another try
                goto label2;
            }
            else
            {
                MyMessageBox_Error(_T("getNTFSSecDescriptor2 Error."), _T("Error"));
                return NULL;
            }
        }
        return pSecDescriptorBuf; // caller must release this with LocalFree()
    }

    I use this code to present my Domain Admin credentials to the file server before getting the security descriptor; when "Everyone" is kept on the "Share" tab, it works fine.

    BOOL ADDirectorySearch::IPCConnect(CString strServerName, CString strDomainName, CString strUserName, CString strPassWord)
    {
        CString strServerNameWithSlash = _T("\\\\") + strServerName; //\\veotax
        CString strFullUserName = strDomainName + _T("\\") + strUserName; //"DOMAINTEST\\Administrator"
        _bstr_t bstrServerNameWithSlash = strServerNameWithSlash;
        _bstr_t bstrFullUserName = strFullUserName;
        _bstr_t bstrPassWord = strPassWord;
        DWORD dwResult;
        NETRESOURCEW netResource;
        memset(&netResource, 0, sizeof(netResource));
        netResource.dwScope = RESOURCE_GLOBALNET;
        netResource.dwType = RESOURCETYPE_DISK;
        netResource.dwDisplayType = RESOURCEDISPLAYTYPE_GENERIC;
        netResource.dwUsage = RESOURCEUSAGE_CONNECTABLE;
        netResource.lpRemoteName = bstrServerNameWithSlash;

        dwResult = WNetAddConnection2W(&netResource, bstrPassWord, bstrFullUserName, CONNECT_INTERACTIVE);
        if (dwResult == ERROR_SESSION_CREDENTIAL_CONFLICT)
        {
            dwResult = WNetCancelConnection2W(bstrServerNameWithSlash, CONNECT_UPDATE_PROFILE, TRUE);
            if (dwResult == NO_ERROR)
            {
                dwResult = WNetAddConnection2W(&netResource, bstrPassWord, bstrFullUserName, CONNECT_INTERACTIVE);
            }
            else
            {
                MyMessageBox_Error(_T("IPCConnect Error."), _T("Error"));
                return FALSE;
            }
        }
        if (dwResult == NO_ERROR)
        {
            return TRUE;
        }
        else
        {
            CString str;
            str.Format(_T("%x"), dwResult);
            //MessageBoxW(NULL, strServerName, str, MB_OK);
            MyMessageBox_Error(_T("IPCConnect Error."), _T("Error"));
            return FALSE;
        }
    }


    • Edited by hsluoyz Sunday, June 17, 2012 2:48 PM
    Sunday, June 17, 2012 11:37 AM