elevate rights within an application

"@rturo" <rt***@discussions.microsoft.com> wrote in message news:1205B3A6-57AA-41E4-868E-22F11C0A671D@microsoft.com...

In my company there's the need to update personal information in AD for every user, like phone numbers and addresses. I struggle a lot with the fact that only a user with domain admin privileges has the access to make those changes to AD. How can I, in .NET, elevate the user rights in an application to run a few lines of code?

Thanks

---

"Henning Krause [MVP - Exchange]" wrote:

Hello,

if the logged-on user running your application has the appropriate permissions, your code should be able to do the job (if you use integrated authentication for the directory stuff). However, if the logged-on user does not have the required permission, you must get a username/password combination and impersonate that user using Win32 LogonUser.

What type of application are you talking about? Web, Windows or Windows Service?

Best regards,
Henning Krause

---

"Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in message news:51eb304845168c8f87fc6a3fe70@news.microsoft.com...

Maybe it would be more appropriate to set the right ACLs on the entries this account has to change than using clear text passwords on a client...

-----
Dominick Baier (http://www.leastprivilege.com)

---

"Henning Krause [MVP - Exchange]" wrote:

Of course, but this may not be an option - have seen this in several companies... sad, but true.

Best regards,
Henning Krause

---

"@rturo" <rt***@discussions.microsoft.com> wrote in message news:E0DA2A35-C4FD-43A3-8D69-2C094B13333C@microsoft.com...

There is the problem source. If you run the ADSI Edit console (adsiedit.msc) to edit any entry in Active Directory you will find that the SELF object only has the "Read" permission for the AD entry. The "Write" permission is only delegated to domain admins, Exchange servers, etc. I'm able to change mine because I'm a domain admin.

I tried impersonation with the WindowsIdentity.Impersonate() method following the MS guide on how to do it. I used the domain "Administrator" token to be sure I was using an account with full rights, then mine, which I tested without impersonation also.

Because the access denied error was being returned when I tried to make the changes for a limited account, I checked if the impersonation is really happening, and it is happening, but I still receive the access denied message.

The purpose of my application is that every user can change only their own properties in AD. This software is not for global management.

This is a Windows Forms application.

Thanks for your help

---

"Joe Kaplan" wrote:

It should be possible to impersonate a higher privileged user to do the work you need to do. Can you show a short example of the code that is not working? Perhaps you are doing something wrong?

Note that it is also possible to delegate permissions to a different account to update the attributes in question without using the domain admin account. AD is very flexible in this regard and using the domain admin account when it is not really needed is a security risk.

A better design overall might be to instruct the user to simply use "runas" to launch the Windows application as a privileged user (perhaps domain admin or something else) and let the process credentials take care of things. That way, no impersonation in code is required and you never have to handle the sensitive password.

Another thing worth noting with ADSI/System.DirectoryServices is that you don't really need to impersonate to connect to the directory with alternate credentials. If you have the alternate credentials, you can simply pass those into the DirectoryEntry constructor and it will work fine. This may be less complicated than impersonating.

We cover a lot of these details in ch 3 and 8 in our book (see link in sig).

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
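The following is an added example, not code posted by anyone in the thread, showing in System.DirectoryServices the two least-privilege alternatives raised by Dominick (grant SELF write access to the handful of attributes and let each user's own logon token do the work) and by Joe (hand a delegated, non-admin account's credentials straight to the DirectoryEntry constructor instead of calling LogonUser/Impersonate). The attribute allow-list, the "LDAP://<SID=...>" binding with the SDDL form of the SID, and the service-account parameters are assumptions for illustration; the ACL delegation itself (giving SELF "Write" on those attributes, which the poster saw was missing in ADSI Edit) is an administrative step done outside this code.

```csharp
// Added example (not from the thread). Two ways to update a user's AD attributes
// without running as, or impersonating, a domain admin.
using System;
using System.DirectoryServices;
using System.Security.Principal;

public static class AdSelfService
{
    // Attributes users may maintain themselves (assumption for this example).
    // Keeping an explicit allow-list means the client can never be turned into a
    // general-purpose AD editor, whatever permissions the bound account has.
    private static readonly string[] AllowedAttributes = { "telephoneNumber", "streetAddress" };

    // Option 1 (Dominick's suggestion): integrated authentication. The process runs
    // as the logged-on user, so CommitChanges succeeds only if SELF has been granted
    // write access to that attribute on the user's own object. No password is handled.
    public static void UpdateOwnAttribute(string attribute, string value)
    {
        RequireAllowed(attribute);

        // Bind to the caller's own object by SID (assumption: the DC accepts the
        // SDDL string form), so the application cannot be pointed at another entry.
        string sid = WindowsIdentity.GetCurrent().User.Value;
        using (var me = new DirectoryEntry(
            "LDAP://<SID=" + sid + ">",
            null, null,                                  // null = current security context
            AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        {
            me.Properties[attribute].Value = value;
            me.CommitChanges();   // throws UnauthorizedAccessException when SELF lacks write
        }
    }

    // Option 2 (Joe's suggestion): explicit credentials of a delegated account that
    // has write access only to these attributes, passed to the DirectoryEntry
    // constructor. No LogonUser or WindowsIdentity.Impersonate is involved.
    // Secure|Sealing|Signing keeps the bind (and the password) off the wire in clear
    // text, which is the concern Dominick raised about a client-side credential.
    public static void UpdateAttributeAsDelegatedAccount(
        string targetDistinguishedName, string attribute, string value,
        string serviceUser, string servicePassword)
    {
        RequireAllowed(attribute);

        using (var target = new DirectoryEntry(
            "LDAP://" + targetDistinguishedName,
            serviceUser, servicePassword,
            AuthenticationTypes.Secure | AuthenticationTypes.Sealing | AuthenticationTypes.Signing))
        {
            target.Properties[attribute].Value = value;
            target.CommitChanges();
        }
    }

    private static void RequireAllowed(string attribute)
    {
        if (Array.IndexOf(AllowedAttributes, attribute) < 0)
            throw new ArgumentException("Attribute not editable via self-service: " + attribute);
    }
}
```

Option 1 is the one that matches the poster's stated goal (each user edits only their own entry) and explains the access denied error they saw: impersonation was working, but the impersonated account, not the token, was what lacked write access, and the fix is delegating "Write" on those attributes to SELF rather than elevating the client. Option 2 still requires the application to hold a credential, so it belongs in a server-side component (a web service or Windows service), not a Windows Forms client on every desktop.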