|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
SetOwner problem?I'm having a problem using DirectorySecurity.SetOwner int DotNet. I'm using
the following very simple code: DirectoryInfo dInfo = new DirectoryInfo(strFolder); DirectorySecurity oDirectorySecurity = dInfo.GetAccessControl(AccessControlSections.Owner); oDirectorySecurity.SetOwner(new NTAccount(strUser)); dInfo.SetAccessControl(oDirectorySecurity); But th SetAccessControl throws an System.InvalidOperationException with the following message: "The security identifier is not allowed to be the owner of this object.". Any idea what the problem is and hopefully a solution? Thanks, -Brian Windows pretty much only allows ownership to be accepted by a user, not
assigned to another user (see http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_seconceptsunown.mspx for relevant details). Basically, unless your target user is the account under which the code is running (and that user has "take ownership" permission on the directory), you should expect the SetOwner call to fail. (The one exception that I know of is that an administrator can take ownership on behalf of the administrators group, but that's presumably not relevant to your problem given that you're using accounts, not groups.) Show quoteHide quote "Brian Kirkegaard" <bk***@aod.aau.dk> wrote in message news:eZm00%23vqFHA.2540@TK2MSFTNGP09.phx.gbl... > I'm having a problem using DirectorySecurity.SetOwner int DotNet. I'm > using the following very simple code: > > DirectoryInfo dInfo = new DirectoryInfo(strFolder); > DirectorySecurity oDirectorySecurity = > dInfo.GetAccessControl(AccessControlSections.Owner); > oDirectorySecurity.SetOwner(new NTAccount(strUser)); > dInfo.SetAccessControl(oDirectorySecurity); > > But th SetAccessControl throws an System.InvalidOperationException with > the following message: > "The security identifier is not allowed to be the owner of this object.". > > Any idea what the problem is and hopefully a solution? > > Thanks, > -Brian > Thanks for your reply,
I forgot to say that I'm using using it on Windows Server 2003, which allows setting of ownership to another user than the current user (provided the right security rights). The setting of ownership can be done directly from the graphical userinterface using the "Advanced Security Settings" dialog from Properties/Security. I've also successfully been using the ADsSecurityUtility object: Set sd = sdUtil.GetSecurityDescriptor(strFolder, ADS_PATH_FILE, ADS_SD_FORMAT_IID ) sd.Owner = strUser sdUtil.SetSecurityDescriptor strFolder, ADS_PATH_FILE, sd, ADS_SD_FORMAT_IID This code works quite well, but I would very much like to use the DirectorySecurity object! Thanks, -Brian Show quoteHide quote "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message news:%23pjdQ1wqFHA.3720@TK2MSFTNGP14.phx.gbl... > Windows pretty much only allows ownership to be accepted by a user, not > assigned to another user (see > http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_seconceptsunown.mspx > for relevant details). Basically, unless your target user is the account > under which the code is running (and that user has "take ownership" > permission on the directory), you should expect the SetOwner call to fail. > (The one exception that I know of is that an administrator can take > ownership on behalf of the administrators group, but that's presumably not > relevant to your problem given that you're using accounts, not groups.) > > > > > "Brian Kirkegaard" <bk***@aod.aau.dk> wrote in message > news:eZm00%23vqFHA.2540@TK2MSFTNGP09.phx.gbl... >> I'm having a problem using DirectorySecurity.SetOwner int DotNet. I'm >> using the following very simple code: >> >> DirectoryInfo dInfo = new DirectoryInfo(strFolder); >> DirectorySecurity oDirectorySecurity = >> dInfo.GetAccessControl(AccessControlSections.Owner); >> oDirectorySecurity.SetOwner(new NTAccount(strUser)); >> dInfo.SetAccessControl(oDirectorySecurity); >> >> But th SetAccessControl throws an System.InvalidOperationException with >> the following message: >> "The security identifier is not allowed to be the owner of this object.". >> >> Any idea what the problem is and hopefully a solution? >> >> Thanks, >> -Brian >> > > Unfortunately, I don't have the 2.0 beta running on a Windows 2003 system at
the moment, so I can't try to repro. However, if you're sure that the attempted ownership assignment should be permitted, it would seem likely that you've stumbled upon a bug, and it might be a good idea to report it at http://lab.msdn.microsoft.com/productfeedback/. Show quoteHide quote "Brian Kirkegaard" <bk***@aod.aau.dk> wrote in message news:eADMvJxqFHA.3444@TK2MSFTNGP12.phx.gbl... > Thanks for your reply, > > I forgot to say that I'm using using it on Windows Server 2003, which > allows setting of ownership to another user than the current user > (provided the right security rights). > > The setting of ownership can be done directly from the graphical > userinterface using the "Advanced Security Settings" dialog from > Properties/Security. I've also successfully been using the > ADsSecurityUtility object: > > Set sd = sdUtil.GetSecurityDescriptor(strFolder, ADS_PATH_FILE, > ADS_SD_FORMAT_IID ) > sd.Owner = strUser > sdUtil.SetSecurityDescriptor strFolder, ADS_PATH_FILE, sd, > ADS_SD_FORMAT_IID > > This code works quite well, but I would very much like to use the > DirectorySecurity object! > > Thanks, > -Brian > > "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message > news:%23pjdQ1wqFHA.3720@TK2MSFTNGP14.phx.gbl... >> Windows pretty much only allows ownership to be accepted by a user, not >> assigned to another user (see >> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_seconceptsunown.mspx >> for relevant details). Basically, unless your target user is the account >> under which the code is running (and that user has "take ownership" >> permission on the directory), you should expect the SetOwner call to >> fail. (The one exception that I know of is that an administrator can take >> ownership on behalf of the administrators group, but that's presumably >> not relevant to your problem given that you're using accounts, not >> groups.) >> >> >> >> >> "Brian Kirkegaard" <bk***@aod.aau.dk> wrote in message >> news:eZm00%23vqFHA.2540@TK2MSFTNGP09.phx.gbl... >>> I'm having a problem using DirectorySecurity.SetOwner int DotNet. I'm >>> using the following very simple code: >>> >>> DirectoryInfo dInfo = new DirectoryInfo(strFolder); >>> DirectorySecurity oDirectorySecurity = >>> dInfo.GetAccessControl(AccessControlSections.Owner); >>> oDirectorySecurity.SetOwner(new NTAccount(strUser)); >>> dInfo.SetAccessControl(oDirectorySecurity); >>> >>> But th SetAccessControl throws an System.InvalidOperationException with >>> the following message: >>> "The security identifier is not allowed to be the owner of this >>> object.". >>> >>> Any idea what the problem is and hopefully a solution? >>> >>> Thanks, >>> -Brian >>> >> >> > > I am also need to do similar thing in .Net 2.0. I have a directory which
has got full access to system account. If i see the advanced tab in
security dialog of that directory it shows system full access. In the
owner tab it shows the current owner and In change owner list box it
shows administrators group. Now i have created a new user and made him
a member of admin group. Now i am running the code in the newly created
owner account and i want to set the owner ship to this new user, who is
part of admin group. But the call
dInfo.GetAccessControl(AccessControlSections.Owner); fails saying
unauthorized access. From explorer i am thinking admin group can take
the ownership but i am not able to change the owner with a user who is
part of admin group. Please help me on this as soon as possible.
Brian Kirkegaard wrote: Show quoteHide quote > *I'm having a problem using DirectorySecurity.SetOwner int DotNet.
> I'm using > the following very simple code: > > DirectoryInfo dInfo = new DirectoryInfo(strFolder); > DirectorySecurity oDirectorySecurity = > dInfo.GetAccessControl(AccessControlSections.Owner); > oDirectorySecurity.SetOwner(new NTAccount(strUser)); > dInfo.SetAccessControl(oDirectorySecurity); > > But th SetAccessControl throws an System.InvalidOperationException > with the > following message: > "The security identifier is not allowed to be the owner of this > object.". > > Any idea what the problem is and hopefully a solution? > > Thanks, > -Brian * -- kotapati ------------------------------------------------------------------------ Posted via http://www.mcse.ms ------------------------------------------------------------------------ View this thread: http://www.mcse.ms/message1818141.html 
Other interesting topics
Security for a pluggable application
[ANN][X-POST] Goliath.NET Obfuscator... Implementing Kerberos Authentication Limiting exe permissions signcode vs signtool Impossible to set security policy for VSTO Excel? accessing Active Directory Get the user email Securing .NET Assemblies .NET 2003 DLL - how secure? |
|||||||||||||||||||||||
