Need assistance on permissions settings and RPC calls with MS-WKST

  • Question

  • Hi all,

    I couldn't find a suitable forum to ask the question below.

    I'm currently writing an application that uses some RPC interfaces documented in the Microsoft MCPP program and I need to set up a user with the least permissions to perform those. One of the functions I'm using (NetrEnumerateComputerNames in interface MS-WKST, to list the workstation FQDNs) requires the user to have administrator privileges, which goes against my requirements.

    So I'm looking for alternatives to this call or a way to modify the permissions on the workstation to enable this call to succeed.

    I've browsed a lot of other interfaces in the MCPP list, but couldn't find anything so far. I've also looked at playing with SDDL, but with no more success either.

    So where to ask?

    thanks a lot,

    Sebastien.

    Friday, August 13, 2010 11:09 PM

Answers

  • Sebastien,

    I completed my review of [MS-WKST] 3.2.4.17 "NetrEnumerateComputerNames (Opnum 30)". The caller must be in the Administrators group. NetrEnumerateComputerNames uses an Access Request Mask of WKSTA_NETAPI_CHANGE_CONFIG. Per 3.2.1.1 "Access Control Abstract Data Model", WKSTA_NETAPI_CHANGE_CONFIG (0x1) is "Granted to security principals that are allowed to make changes to the state of the server during message processing. For example, members of the Administrators group are granted this access right."

    It is not possible to modify the SD of the workstation object so that users other than administrators can have modify access to the workstation object.

    The SDK API NetEnumerateComputerNames() at http://msdn.microsoft.com/en-us/library/dd877207(VS.85).aspx invokes [MS-WKST] 3.2.4.17 NetrEnumerateComputerNames, which also specifies that the call will fail with ERROR_ACCESS_DENIED if the caller is not a member of the Administrators group.

    Bryan S. Burgin Senior Escalation Engineer Microsoft Protocol Open Specifications Team
    Monday, August 16, 2010 11:27 PM
    Moderator

All replies

  • Sebastien,

    Someone from our team will follow up with you in regards to your question.

    Dominic Salemno
    Escalation Engineer
    US-CSS DSC Protocols Team

    Saturday, August 14, 2010 8:51 PM
  • Sebastien,

    I am researching this for you.

    Bryan S. Burgin Senior Escalation Engineer Microsoft Protocol Open Specifications Team
    Monday, August 16, 2010 5:25 PM
    Moderator
  • Hello Bryan,

    Thank you for your answer. I'll try to find another way to go around this.

    As a side note, I'm pretty surprised that the NetrEnumerateComputerNames() call requires such a privilege, as it is a read-only call that simply enumerates computer names (as the name implies ...). Yet in the same interface MS-WKST, other functions such as NetrWkstaGetInfo() don't require such a privilege and return information that is no more critical than the computer name.

    Anyway, thanks again for confirming this.

    Sebastien.

    Tuesday, August 17, 2010 9:04 PM
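As an added example (not code from this thread, from Microsoft, or from Sebastien's application), the PowerShell below calls the SDK wrapper NetEnumerateComputerNames under the current account and, when it fails with ERROR_ACCESS_DENIED as Bryan describes, falls back to NetWkstaGetInfo level 100, which per Sebastien's observation does not require Administrators membership. The P/Invoke declarations, the buffer-walking code and the WKSTA_INFO_100 field offset are my own assumptions about the Win32 signatures and struct layout.

```powershell
# Added example: probe NetEnumerateComputerNames ([MS-WKST] NetrEnumerateComputerNames)
# as the current user; on ERROR_ACCESS_DENIED fall back to NetWkstaGetInfo level 100.
Add-Type -Namespace Wkst -Name NetApi -MemberDefinition @'
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern uint NetEnumerateComputerNames(
    string Server, int NameType, uint Reserved, out uint EntryCount, out IntPtr ComputerNames);
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern uint NetWkstaGetInfo(string ServerName, uint Level, out IntPtr BufPtr);
[DllImport("netapi32.dll")]
public static extern uint NetApiBufferFree(IntPtr Buffer);
'@

$ERROR_ACCESS_DENIED = 5    # caller lacks WKSTA_NETAPI_CHANGE_CONFIG (not in Administrators)
$NetAllComputerNames = 2    # NET_COMPUTER_NAME_TYPE: primary plus alternate names

function Get-WkstComputerNames {
    param($Server = $null)   # $null = the local workstation

    [uint32]$count = 0; [IntPtr]$names = [IntPtr]::Zero
    $rc = [Wkst.NetApi]::NetEnumerateComputerNames($Server, $NetAllComputerNames, 0, [ref]$count, [ref]$names)
    if ($rc -eq 0) {
        try {
            # ComputerNames points to an array of LPWSTR; read each pointer and decode it.
            for ($i = 0; $i -lt $count; $i++) {
                $p = [Runtime.InteropServices.Marshal]::ReadIntPtr($names, $i * [IntPtr]::Size)
                [Runtime.InteropServices.Marshal]::PtrToStringUni($p)
            }
        } finally { [void][Wkst.NetApi]::NetApiBufferFree($names) }
        return
    }
    if ($rc -ne $ERROR_ACCESS_DENIED) { throw "NetEnumerateComputerNames failed with status $rc" }

    # Least-privilege path: WKSTA_INFO_100 carries only the primary computer name.
    Write-Warning "NetEnumerateComputerNames returned ERROR_ACCESS_DENIED; falling back to NetWkstaGetInfo(100)"
    [IntPtr]$buf = [IntPtr]::Zero
    $rc = [Wkst.NetApi]::NetWkstaGetInfo($Server, 100, [ref]$buf)
    if ($rc -ne 0) { throw "NetWkstaGetInfo failed with status $rc" }
    try {
        # wki100_computername follows the DWORD wki100_platform_id, padded to pointer size (assumed layout).
        $p = [Runtime.InteropServices.Marshal]::ReadIntPtr($buf, [IntPtr]::Size)
        [Runtime.InteropServices.Marshal]::PtrToStringUni($p)
    } finally { [void][Wkst.NetApi]::NetApiBufferFree($buf) }
}

Get-WkstComputerNames
```

Run it once as an administrator and once as a standard user to see the two paths; only the first returns alternate names, which is exactly the restriction the thread confirms.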