NTFS permissions on remote server

  • Question

  • User-837152306 posted

    Hi,

    I want to grant NTFS permissions on a directory for a local user using the DirectorySecurity class. The server from which the asp.net web service runs is in Active Directory, while the target server where the folder and user are located is not. When I try to assign the local user to the UNC path, I get an error that the user can not be found. It works fine for AD users. How can I solve this?

    A suggestion that was made to me was to use WMI and connect remotely to the server. I think I will have to use Win32_Directory for that. But how do I assign the security descriptor to the directory? I found examples using Win32_Share, but it is not a share and I don't want to create one.

    Or are there better methods to do so?

    Thank you.

    Tuesday, May 20, 2014 6:32 AM

Answers

  • User-837152306 posted

    The reason that it could not access it was because I didn't have to use a file share, but a file path instead. I have to finish the code, but it looks to be working now.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, May 27, 2014 10:47 AM

All replies

  • User-718146471 posted

    The problem you are encountering is not unusual. You are trying to have local users connect as AD users; AD simply will not allow this. If it was a matter of allowing all users access to a folder, I would simply have you go into IIS and set the impersonating user as an AD account that has access to that remote folder, or allow Network Service to access the remote folder. In this case, you are going to need to somehow connect that server to your AD as a server so you get access to the AD forest of user accounts. Otherwise, you will wind up having to create identical local accounts for each user on that remote server. While this may be OK, when the user goes to change their password, the remote machine will be out of sync.

    Tuesday, May 20, 2014 6:42 AM
  • User-837152306 posted

    That is not really what I am trying to do.

    There is a central web service in an Active Directory domain that executes actions on remote servers. Some are in the same domain, some are in a DMZ zone and are local/standalone servers. We use an impersonation user to grant access for that web service to execute things.

    The web service needs to create a directory and grant NTFS permissions to users that are local to the target server. As this server is not in AD, I am not able to use AD users. But it is also a problem the other way around: when I try to grant access to the local users on the remote servers, the web service doesn't know them, as they are local on the server and not in AD. In other words, I need a way to use the local users on the remote server, but it needs to be executed from the central web service.

    Solutions that I thought about are:

    - remote call with WMI from the central web service: see question above.

    - create a local web service on the remote target server and call that from the central web service. The problem here is that they are all different servers, and I cannot add web references for all of them. In that case I would need a sort of web service call without a web reference.

    - create a Windows service on the remote servers with a FileSystemWatcher that looks for when a directory is created and then grants the permissions. I don't really like the idea, as there is no confirmation that the security is really set when the web service creates the directory.

    Please advise.

    Tuesday, May 20, 2014 6:55 AM
  • User-718146471 posted

    - create a Windows service on the remote servers with a FileSystemWatcher that looks for when a directory is created and then grants the permissions. I don't really like the idea, as there is no confirmation that the security is really set when the web service creates the directory.

    Well, you could do something like this in PowerShell and then have the PS script verify the permissions and write the result to a log file or perhaps a SQL table somewhere.

    Tuesday, May 20, 2014 7:13 AM
  • User-718146471 posted

    You should be able to create a Windows service that employs the power of these three PowerShell examples. The beautiful thing about PS is it is based on .NET :)

    PowerShell FileSystemWatcher

    Set Folder Permissions using a PowerShell script

    Powershell script to check user/group share permission

    Tuesday, May 20, 2014 8:14 AM
  • User-837152306 posted

    Thanks, but is a Windows service not a bit overkill for this action?

    I found this WMI based script for a shared folder, but what do I use for a directory?

        Sub Main()
            Dim sServerName As String
            Dim UserAcct As String
            Dim UserName As String
            Dim Ace1 As Management.ManagementObject
    
            sServerName = "."
            Dim oMgtScope As New Management.ManagementScope("\\" & sServerName & "\root\cimv2")
            Dim wmiShare As New Management.ManagementClass(oMgtScope, New Management.ManagementPath("Win32_Share"), Nothing)
    
            ' Resolve the account name and SID from AD; a local account on a workgroup server cannot be looked up this way
            UserAcct = "CN=Jeff Smith,CN=users,DC=fabrikam,DC=com"
            Dim UserNamePath As String = "LDAP://" & UserAcct
            Dim DirEnt As New DirectoryServices.DirectoryEntry(UserNamePath)
            UserName = CStr(DirEnt.Properties("samaccountname")(0))
            Dim UserSID As Byte() = CType(DirEnt.Properties("objectsid")(0), Byte())
            DirEnt.Dispose()
    
            ' 2032127 = &H1F01FF (full control); AceFlags 3 = object + container inherit; AceType 0 = access allowed
            Ace1 = SetAce(oMgtScope, 2032127, 3, 0, SetTrustee(oMgtScope, sServerName, UserName, UserSID))
    
            Dim secDescriptor As Management.ManagementObject
            secDescriptor = New Management.ManagementClass(oMgtScope, New Management.ManagementPath("Win32_SecurityDescriptor"), Nothing).CreateInstance()
            secDescriptor("ControlFlags") = 4 ' SE_DACL_PRESENT
            secDescriptor("DACL") = New Management.ManagementObject() {Ace1}
    
            Dim inParams As Management.ManagementBaseObject
            inParams = wmiShare.GetMethodParameters("Create")
            inParams("Access") = secDescriptor
            inParams("Path") = "C:\TestFolder"
            inParams("Name") = "TestFolder"
            inParams("Type") = 0
            inParams("Description") = "FolderDescriptionHere"
    
            Dim outParams As Management.ManagementBaseObject
            outParams = wmiShare.InvokeMethod("Create", inParams, Nothing)
    
            ' For a plain directory (no share), address the Win32_Directory instance by its local path
            ' and apply the same descriptor; Option 4 = CHANGE_DACL_SECURITY_INFORMATION
            Dim wmiDirectory As New Management.ManagementObject(oMgtScope, New Management.ManagementPath("Win32_Directory.Name='C:\\TestFolder'"), Nothing)
            wmiDirectory.InvokeMethod("ChangeSecurityPermissions", New Object() {secDescriptor, CUInt(4)})
        End Sub
    
        ' Builds the Win32_Trustee embedded object for an account
        Function SetTrustee(scope As Management.ManagementScope, domain As String, name As String, sid As Byte()) As Management.ManagementObject
            Dim trustee As Management.ManagementObject = New Management.ManagementClass(scope, New Management.ManagementPath("Win32_Trustee"), Nothing).CreateInstance()
            trustee("Domain") = domain
            trustee("Name") = name
            trustee("SID") = sid
            Return trustee
        End Function
    
        ' Builds a Win32_ACE embedded object: access mask, inheritance flags, allow/deny type and trustee
        Function SetAce(scope As Management.ManagementScope, accessMask As UInteger, aceFlags As UInteger, aceType As UInteger, trustee As Management.ManagementObject) As Management.ManagementObject
            Dim ace As Management.ManagementObject = New Management.ManagementClass(scope, New Management.ManagementPath("Win32_ACE"), Nothing).CreateInstance()
            ace("AccessMask") = accessMask
            ace("AceFlags") = aceFlags
            ace("AceType") = aceType
            ace("Trustee") = trustee
            Return ace
        End Function

    The advantage of this method is that I can keep it in the main web service without having to create services on each of the servers and maintain logging for them.

    Tuesday, May 20, 2014 8:41 AM
  • User-1454326058 posted

    Hi,

    This link may benefit you:

    How to programmatically set NTFS file system folder permissions by using Active Directory Service Interfaces in Microsoft Visual C#

    http://support.microsoft.com/kb/899553

    Thanks

    Best Regards

    Wednesday, May 21, 2014 11:39 PM
  • User-837152306 posted

    The problem remains the permissions on the remote machine. I created a local account with the same name and password on the workstation as the domain user that I assigned to the application pool of the website from which the code is running. The local user is a member of the local administrators on the workgroup server.

    The error I get is "Access Denied" as soon as I do the connect to the ManagementScope:

    Dim oMgtScope As New ManagementScope("\\" & sServerName & "\root\cimv2")
    oMgtScope.Connect()

    I have also tried to add the options on the ManagementScope. Neither impersonation nor username & password works. I temporarily disabled the Windows firewalls on both the web server and the local workgroup server, as well as on the hardware firewall. Name resolution is working in both directions.

    I am blocked. If I don't find a solution based on WMI/DCOM, the only option left is to use the scenario with the Windows service. I would like to avoid that because it needs a local installation on each of the workgroup servers, and I don't like the idea that the service is not directly initiated from the script on the web server, so there is no direct feedback that the permissions were set correctly.

    Thank you

    Friday, May 23, 2014 2:47 AM
  • User-718146471 posted

    Have you tried giving Network Service permissions on those machines?

    Friday, May 23, 2014 9:53 AM
  • User-837152306 posted

    Have you tried giving Network Service permissions on those machines?

    I managed to get it working by adding the user and password to the options and doing a restart of the server. The problem now is that WMI is unable to access the file share, but it has access. I even tried with Everyone full control. It looks like I am not one step further than with the .NET implementation.

    Monday, May 26, 2014 3:56 AM
  • User-718146471 posted

    Here is one thing that could be a long shot, but it may very well be a domain trust issue. Exactly how to fix that would be well beyond what the asp.net forums can delve into, but you could try this: Creating Domain and Forest Trusts

    Tuesday, May 27, 2014 10:37 AM
  • User-837152306 posted

    The reason that it could not access it was because I didn't have to use a file share, but a file path instead. I have to finish the code, but it looks to be working now.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, May 27, 2014 10:47 AM
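As an added example, not from the thread, of the path-based approach the accepted reply lands on, written in PowerShell (the tool the other replies suggest; Get-WmiObject, so Windows PowerShell 5.1 or earlier): connect with explicit local credentials, resolve the local account's SID on the target server rather than via LDAP, apply an ACE to the Win32_Directory instance addressed by its local path instead of a share, and read the DACL back to get the direct confirmation asked for above. The server name, account name and folder are assumed placeholders.

```powershell
# Added example, not from the thread. Assumed placeholders: server name, local account, folder.
$server    = 'dmzserver01'       # assumed workgroup server
$localUser = 'svc_app'           # assumed local account on $server
$folder    = 'C:\TestFolder'     # local path on $server, not a UNC share
$cred      = Get-Credential "$server\Administrator"   # local admin on $server

# Explicit credentials on every WMI call, as the thread found necessary for a workgroup host
$wmi = @{ ComputerName = $server; Credential = $cred; Namespace = 'root\cimv2' }

# 1. Resolve the local account on the target itself; an LDAP lookup cannot see it
$acct = Get-WmiObject @wmi -Class Win32_UserAccount -Filter "LocalAccount=True AND Name='$localUser'"
if (-not $acct) { throw "Local account $localUser not found on $server" }
$sid   = New-Object System.Security.Principal.SecurityIdentifier($acct.SID)
$bytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($bytes, 0)

# 2. Build the trustee and one allow ACE. These are embedded structures, so instances
#    created from the local class definitions can be passed to the remote method.
$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.Domain = $server
$trustee.Name   = $localUser
$trustee.SID    = $bytes

$ace = ([wmiclass]'Win32_ACE').CreateInstance()
$ace.AccessMask = 0x1301BF       # Modify (read, write, execute, delete), not Full Control
$ace.AceFlags   = 3              # OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
$ace.AceType    = 0              # ACCESS_ALLOWED_ACE_TYPE
$ace.Trustee    = $trustee.psobject.BaseObject

# 3. Address the directory by its local path (backslashes doubled for WQL), keep the
#    existing DACL entries and append the new ACE
$dir = Get-WmiObject @wmi -Class Win32_Directory -Filter "Name='$($folder.Replace('\','\\'))'"
if (-not $dir) { throw "Directory $folder not found on $server" }
$sd = $dir.GetSecurityDescriptor().Descriptor
$sd.DACL = @($sd.DACL | Where-Object { $_ }) + $ace.psobject.BaseObject
$sd.ControlFlags = $sd.ControlFlags -bor 4           # SE_DACL_PRESENT

$rc = $dir.ChangeSecurityPermissions($sd, 4)         # 4 = CHANGE_DACL_SECURITY_INFORMATION
if ($rc.ReturnValue -ne 0) { throw "ChangeSecurityPermissions returned $($rc.ReturnValue)" }

# 4. Read the DACL back and confirm the entry is present: the direct feedback the web service wants
$check = @($dir.GetSecurityDescriptor().Descriptor.DACL | Where-Object { $_.Trustee.SIDString -eq $acct.SID })
if ($check.Count -eq 0) { throw "ACE for $localUser not found after update" }
'{0}\{1}: AccessMask 0x{2:X}' -f $check[0].Trustee.Domain, $check[0].Trustee.Name, $check[0].AccessMask
```

The same four steps map one-to-one onto System.Management calls (ConnectionOptions with Username/Password on the ManagementScope, Win32_UserAccount, Win32_Directory and InvokeMethod) if the logic is to live inside the ASP.NET web service rather than a script.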
  • User-718146471 posted

    Ah ok, that makes total sense now.

    Tuesday, May 27, 2014 11:09 AM