Non Administrator creating shares on a DC

I am trying to create a tool for new user creation so that our Help Desks can create users, home directories, the shares, and add them to groups.

It was all good until I got to creating shares on the servers (some are DCs). I can't find ANY WAY to get around the following (in C#):

    System.Management.ManagementClass mc = new System.Management.ManagementClass(
        "\\\\" + oHomeServer.Text.Trim() + "\\root\\cimv2", "Win32_Share", null);
    System.Management.ManagementBaseObject inParams = mc.GetMethodParameters("Create");

I get "Access Denied" exception when I run this as a NON-Admin user in the HelpDesk Group. I have given ALL rights to the WMI services to the "HelpDesk Group" on the server on which I am creating the share. It won't let me :(

***
When I log into a PC as that user, and run through computer management/attach to server and then go through "Create a new share", it all works great... Directory is created, share is created etc. This would indicate to me that the user has rights to do this, but that the code being called by the tool is different than the code that _I_ am calling :(
***

What rights do I need for the HelpDesk Group on what aspects of what object for this to work? What code should I call instead? I have a brick shaped dent in my forehead from this problem, and the balding patch is growing larger from pulling all my hair out!!!!

So, all you WMI and security gurus out there... help please.

Thanks,

Brian Hampson
System Administrator - North America
ALS Laboratory Group, Environmental Division

Anyone? Any ideas? Help PLEASE!!!!

Brian,

I'm a little rusty on my server stuff, but have you tried creating a new Organizational Unit (OU), assigning the appropriate folder to the OU, and granting the HelpDesk group permissions to create users and add them to groups? You should be able to search the help files on Delegating Authority to accomplish this, or see the links below.

Then create an MMC snap-in that grants the HelpDesk group members the tools needed to do the job. You can then use group policy to push the MMC application to all members of the HelpDesk group. Just make sure you don't give them a method of editing the MMC interface.

When creating users, specifying \%username% in the home folder field should automatically create the folder and grant only the new user permissions on that folder. If needed by your organization, you can also use group policy to prevent users from changing the location of My Documents from their server assigned home folder.

These links should help guide you.

http://technet2.microsoft.com/WindowsServer/en/Library/2f2fb575-43a8-4c01-b3cd-1ce9b78281cb1033.mspx?mfr=true
http://support.microsoft.com/?kbid=230263
http://technet2.microsoft.com/WindowsServer/en/Library/60096a04-8494-4551-bfd6-3aebadddc3fe1033.mspx?mfr=true
http://technet2.microsoft.com/WindowsServer/en/Library/2f2fb575-43a8-4c01-b3cd-1ce9b78281cb1033.mspx?mfr=true

Dave

David,

Thank you for taking the time to reply. My problem is that I want to do this all programmatically. By doing it this way, I fill in all the details (addresses/upn/email server etc) for the new user based on corporate location. The only thing the Helpdesk people should have to do is put in the user's name, and which office. My app handles the rest.

I'm pretty sure I've got the delegation ALMOST working since I can create shares using the Manage Computer interface. It appears to use a different path than the WMI path that I am attempting. Anyone know what it is?

You will have to connect to the remote server specifying 'explicit
credentials' of an administrator on this remote server. The way you are doing it uses (through impersonation) the 'current' user's credentials to create shares on a remote server, which is obviously not allowed.
Search the docs for the ConnectionOptions class and its UserName, Password and Impersonation properties.

Willy.

Thanks Willy,

I really needed NOT to code Admin privileges into my code. After working with security on the WMI part of the server, I was able to do the job.

Cheers!

B.
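
The route the thread ends on, calling Win32_Share.Create as the logged-on help desk user rather than storing an administrator's password in the tool, shown as an added example that is not code from any poster. The class and method names are hypothetical, and it assumes the HelpDesk group has already been granted whatever rights the target server requires for remote WMI and share creation.

```csharp
using System;
using System.Management;
using System.Text.RegularExpressions;

static class ShareCreator   // hypothetical helper, not from the thread
{
    // Subset of the return codes documented for Win32_Share.Create.
    static string Describe(uint rc)
    {
        switch (rc)
        {
            case 0:  return "Success";
            case 2:  return "Access denied";
            case 9:  return "Invalid name";
            case 22: return "Duplicate share";
            case 24: return "Unknown device or directory";
            default: return "Failed with code " + rc;
        }
    }

    public static uint CreateShare(string server, string localPath, string shareName)
    {
        // The server name comes from a text box; reject anything that could alter the WMI path.
        if (!Regex.IsMatch(server, @"^[A-Za-z0-9][A-Za-z0-9.-]{0,62}\z"))
            throw new ArgumentException("Unexpected server name", "server");
        if (!Regex.IsMatch(shareName, @"^[A-Za-z0-9_.$-]{1,80}\z"))
            throw new ArgumentException("Unexpected share name", "shareName");

        // Username/Password are left unset: the call runs as the current user,
        // so no administrator secret lives in the tool (assumes delegated rights).
        ConnectionOptions options = new ConnectionOptions();
        options.Impersonation = ImpersonationLevel.Impersonate;
        options.Authentication = AuthenticationLevel.PacketPrivacy; // sign and encrypt the DCOM traffic

        ManagementScope scope = new ManagementScope(@"\\" + server + @"\root\cimv2", options);
        scope.Connect(); // throws if the caller is refused at the DCOM or WMI namespace level

        using (ManagementClass mc = new ManagementClass(scope, new ManagementPath("Win32_Share"), null))
        using (ManagementBaseObject inParams = mc.GetMethodParameters("Create"))
        {
            inParams["Path"] = localPath; // path as seen on the server, e.g. D:\Home\jdoe (constructed)
            inParams["Name"] = shareName;
            inParams["Type"] = 0u;        // 0 = disk drive share
            using (ManagementBaseObject result = mc.InvokeMethod("Create", inParams, null))
            {
                uint rc = (uint)result["ReturnValue"];
                Console.WriteLine("{0} on {1}: {2}", shareName, server, Describe(rc));
                return rc;
            }
        }
    }
}
```

Logging the returned code rather than only catching exceptions separates a refused connection, which throws at `Connect()`, from a refused share creation, which returns 2.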