GetOwner and IdentityNotMappedException

"Jakob Christensen" wrote:

Hi all,

I am trying to use the following lines of code to get the owner of a directory:

    FileSystemSecurity security = new DirectorySecurity(folder, AccessControlSections.Owner);
    NTAccount acc = (NTAccount) security.GetOwner(typeof(NTAccount));

Some of the directories in question are owned by users belonging to a different domain. For those directories the code fails with IdentityNotMappedException. If I use SecurityIdentifier instead of NTAccount the code works but SecurityIdentifier only provides the SID of the owner. How do I map these SIDs to domain and username? (If I take a look at the security settings through Explorer I can see the owner's domain and username.)

Any help is very much appreciated. Thanks.

Best regards, Jakob.

--
http://www.dotninjas.dk

"Henning Krause [MVP - Exchange]" wrote:

Hello,

you can use LDAP to look up the SID (perform a search over the GC and search for objectSid = <sid-value>).

Best regards,
Henning Krause

"Jakob Christensen" wrote:

Hey Henning,

Thank you for your reply.

Will this work even though the users belong to a different domain that I cannot access?

Kind regards, Jakob.

"Henning Krause [MVP - Exchange]" wrote:

Hello,

well, you'll need at least read access on the other domain. Is the other domain in the same forest or is it a different forest with a cross-forest trust?

Best regards,
Henning Krause

"Jakob Christensen" wrote:

I think I was a bit hasty on this one. After taking a closer look it seems that I am only getting IdentityNotMappedException for folders where the owner is actually shown as a SID in the security settings viewed from Explorer. So I may not have a problem after all.

Sorry for any inconvenience and thanks for your help.

Regards, Jakob.

"Joe Kaplan" wrote:

That makes a lot more sense. Typically, if the OS can resolve the SID in the UI, the .NET code can too because they basically call into the same OS function to do the work. Sometimes things can get weird if different accounts are used to execute the same code, but in this case I would expect not.

Do you know if the objects that show up as SIDs are really from a foreign domain you can't access, or might they be references to objects that have been deleted? Those are often harder to track down.

In any event, it is a good idea to make sure your code expects this particular exception, as it can happen at any time and isn't that uncommon, especially when deleted security principals are involved.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net

"Jakob Christensen" wrote:

Hey Joe,

Thanks for your answer.

I am still having problems translating some of the objects that do not show up as SIDs. The ones that do show up as SIDs are probably references to deleted objects on the other domain.

I may try to run my code under a different account with domain administrator rights.

Thanks, Jakob.

"Joe Kaplan" wrote:

That's the only thing I can think to do. If the Windows UI can translate the SID, then the .NET code should be able to also, all things being equal. To make sure they are equal, try to make sure the code executes with the same security context that you are using in the Windows UI (whatever you logged in with).

Best of luck!

Joe K.

"Jakob Christensen" wrote:

Hey Joe,

Thanks for your answer.

I have not found a solution to this yet. I tried running the code under different users which did not change anything. Right now, I have no idea how to solve it :-)

Best regards, Jakob.

"Henning Krause [MVP - Exchange]" wrote:

Hello Jakob,

just to be clear on this - the Windows Explorer also only displays the SID in those cases where you get an IdentityNotMappedException?

Or do you have some cases where Windows can display the username but your program cannot?

Best regards,
Henning Krause

"Jakob Christensen" wrote:

Hey Henning,

I admit I have been giving some misleading information on this :-)

I do have several cases where Windows can display the username and my program cannot. Our domain (Windows 2003) is trusted by the other domain (NT4).

Any ideas?

Best regards, Jakob.
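
The two suggestions in the thread (expect IdentityNotMappedException, and search the GC for objectSid) combined in one added example; this is not code from any poster in the thread. The class and method names are made up for illustration, the GC path is a placeholder you pass on the command line, and the LDAP lookup only applies when the owning domain is an Active Directory domain.

```csharp
using System;
using System.DirectoryServices;          // needs a reference to System.DirectoryServices
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Text;

static class OwnerLookup   // hypothetical name, illustration only
{
    // Reads the owner as a SID first (never needs a name lookup), then tries to
    // map it to DOMAIN\user. Returns false when the SID cannot be mapped.
    public static bool TryGetOwner(string folder, out SecurityIdentifier sid, out string account)
    {
        account = null;
        var security = new DirectorySecurity(folder, AccessControlSections.Owner);
        sid = (SecurityIdentifier)security.GetOwner(typeof(SecurityIdentifier));
        if (sid == null) return false;            // descriptor carries no owner
        try
        {
            account = sid.Translate(typeof(NTAccount)).Value;
            return true;
        }
        catch (IdentityNotMappedException)
        {
            // Deleted principal, or a domain the current security context cannot query.
            return false;
        }
    }

    // Builds the LDAP filter for an objectSid search: the binary SID with every
    // byte escaped as \XX, which is valid in any LDAP filter.
    public static string ObjectSidFilter(SecurityIdentifier sid)
    {
        var raw = new byte[sid.BinaryLength];
        sid.GetBinaryForm(raw, 0);
        var filter = new StringBuilder("(objectSid=");
        foreach (byte b in raw) filter.Append('\\').Append(b.ToString("X2"));
        return filter.Append(')').ToString();
    }

    // Searches a global catalog for the SID. gcPath is supplied by the caller,
    // e.g. "GC://DC=example,DC=com" (placeholder, not a value from the thread).
    public static string FindInGlobalCatalog(string gcPath, SecurityIdentifier sid)
    {
        using (var root = new DirectoryEntry(gcPath))
        using (var searcher = new DirectorySearcher(root, ObjectSidFilter(sid),
                                                    new[] { "distinguishedName" }))
        {
            SearchResult hit = searcher.FindOne();
            return hit == null ? null : (string)hit.Properties["distinguishedName"][0];
        }
    }

    static void Main(string[] args)
    {
        string rootFolder = args.Length > 0 ? args[0] : ".";
        string gcPath = args.Length > 1 ? args[1] : null;

        foreach (string folder in Directory.GetDirectories(rootFolder))
        {
            SecurityIdentifier sid;
            string account;
            if (TryGetOwner(folder, out sid, out account))
            {
                Console.WriteLine("{0}: {1}", folder, account);
                continue;
            }
            if (sid == null)
            {
                Console.WriteLine("{0}: no owner in security descriptor", folder);
                continue;
            }

            // Unmapped: report the SID and the domain it was issued by, so
            // orphaned owners can be grouped per domain.
            Console.WriteLine("{0}: unmapped SID {1} (domain SID {2})", folder, sid.Value,
                sid.AccountDomainSid == null ? "n/a" : sid.AccountDomainSid.Value);

            if (gcPath != null)
            {
                string dn = FindInGlobalCatalog(gcPath, sid);
                Console.WriteLine("    GC lookup: {0}", dn ?? "not found");
            }
        }
    }
}
```

Run it as the same account you use in Explorer, so both lookups happen in the same security context. An unmapped SID that is also absent from the GC points to a deleted principal or to a domain outside the forest.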