Access denied using GetEffectiveRightsFromAcl () ..?

I am trying to check permissions on a specific file for a specific trustee, and I am using the Win32 API GetEffectiveRightsFromAcl(). When a file is accessible to a domain group, the function returns 5 (Access Denied) when a local account (administrator or other) is used to execute the function.

These three statements summarize the behavior that I see with GetEffectiveRightsFromAcl():

  • When a domain group has rights to a file and the program runs under a local account: access is denied.
  • When a domain group has rights to the file and the program runs under a domain account or Local System: success.
  • If the domain group does not have rights to the file and the program runs under any account: success.

Does anyone know the reason for this? It seems to me that this is related to Active Directory security. What settings can affect this, and what would be a good way to debug this?

Also, I heard that GetEffectiveRightsFromAcl() can be generally problematic and that AccessCheck() should be used instead. However, I need to be able to accept an arbitrary security identifier and check its access to the file, and since AccessCheck() requires an impersonation token, I don't know how I could produce a token from an arbitrary SID... Any ideas? Thanks

Bean

+4
2 answers

I have used C# and it works well for me.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Security.AccessControl;

namespace DACL
{
    class Class1
    {
        private enum MULTIPLE_TRUSTEE_OPERATION
        {
            NO_MULTIPLE_TRUSTEE,
            TRUSTEE_IS_IMPERSONATE
        }

        private enum TRUSTEE_FORM
        {
            TRUSTEE_IS_SID,
            TRUSTEE_IS_NAME,
            TRUSTEE_BAD_FORM,
            TRUSTEE_IS_OBJECTS_AND_SID,
            TRUSTEE_IS_OBJECTS_AND_NAME
        }

        private enum TRUSTEE_TYPE
        {
            TRUSTEE_IS_UNKNOWN,
            TRUSTEE_IS_USER,
            TRUSTEE_IS_GROUP,
            TRUSTEE_IS_DOMAIN,
            TRUSTEE_IS_ALIAS,
            TRUSTEE_IS_WELL_KNOWN_GROUP,
            TRUSTEE_IS_DELETED,
            TRUSTEE_IS_INVALID,
            TRUSTEE_IS_COMPUTER
        }

        // Mirrors the native TRUSTEE structure from accctrl.h.
        [StructLayout(LayoutKind.Sequential)]
        private struct TRUSTEE
        {
            public IntPtr pMultipleTrustee;
            public MULTIPLE_TRUSTEE_OPERATION MultipleTrusteeOperation;
            public TRUSTEE_FORM TrusteeForm;
            public TRUSTEE_TYPE TrusteeType;
            public IntPtr ptstrName;   // points at the SID when TrusteeForm == TRUSTEE_IS_SID
        }

        [DllImport("advapi32.dll", SetLastError = true)]
        private static extern void BuildTrusteeWithSid(ref TRUSTEE pTrustee, IntPtr pSid);

        // Returns a Win32 error code: 0 on success, 5 (ERROR_ACCESS_DENIED) in the case the question describes.
        [DllImport("advapi32.dll")]
        private static extern uint GetEffectiveRightsFromAcl(byte[] pacl, ref TRUSTEE pTrustee, ref uint pAccessRights);

        // The original post left the DACL and the desired access mask as placeholders
        // (<DACL from somewhere>, <Desired Access>); here they are passed in as parameters.
        public bool HasAccess(DiscretionaryAcl dacl, SecurityIdentifier sid, uint desiredAccess)
        {
            byte[] daclBuffer = new byte[dacl.BinaryLength];
            dacl.GetBinaryForm(daclBuffer, 0);

            byte[] sidBuffer = new byte[sid.BinaryLength];
            sid.GetBinaryForm(sidBuffer, 0);

            // BuildTrusteeWithSid stores a raw pointer to the SID inside the TRUSTEE, so the SID
            // must live in unmanaged memory that stays valid until GetEffectiveRightsFromAcl returns.
            // (The original passed a managed byte[] and then called Marshal.Release on the pointer,
            // which is only valid for COM interfaces and would corrupt or crash here.)
            IntPtr pSid = Marshal.AllocHGlobal(sidBuffer.Length);
            try
            {
                Marshal.Copy(sidBuffer, 0, pSid, sidBuffer.Length);

                TRUSTEE t = new TRUSTEE();
                BuildTrusteeWithSid(ref t, pSid);

                uint access = 0;
                uint err = GetEffectiveRightsFromAcl(daclBuffer, ref t, ref access);
                if (err != 0)
                {
                    // Surface the failure instead of silently reporting "no access".
                    throw new Win32Exception((int)err);
                }

                return (access & desiredAccess) == desiredAccess;
            }
            finally
            {
                Marshal.FreeHGlobal(pSid);
            }
        }
    }
}
```
+3
  • If the domain group has rights to the file, this function must access Active Directory to enumerate the membership of the trustee group (at least if it is a domain user). If your program runs under a local account, that account has no access rights to Active Directory, hence the error return code.
  • A domain account and Local System do have access to Active Directory. Local System is the computer account in Active Directory (computers are users in AD).
  • If no domain group has access to the file, the function does not need to check Active Directory, so local users also succeed.
+2
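To make the second answer's point concrete, here is an added example (not code from either poster) that evaluates a DACL in managed code for a principal whose group membership the caller supplies, so no Active Directory lookup is involved. The SIDs are constructed for the demonstration and do not refer to real accounts.

```csharp
using System;
using System.Collections.Generic;
using System.Security.AccessControl;
using System.Security.Principal;

static class EffectiveRights
{
    // Evaluates a DACL for a principal whose group membership is passed in explicitly,
    // so nothing has to be resolved against Active Directory. ACEs are walked in order:
    // a Deny removes bits not yet granted, an Allow grants bits not yet denied.
    public static int Compute(DiscretionaryAcl dacl, SecurityIdentifier user,
                              IEnumerable<SecurityIdentifier> groups)
    {
        var principals = new HashSet<SecurityIdentifier>(groups) { user };
        int granted = 0, denied = 0;
        foreach (GenericAce ace in dacl)
        {
            var common = ace as CommonAce;
            if (common == null) continue;                                  // skip object/custom ACEs
            if ((common.AceFlags & AceFlags.InheritOnly) != 0) continue;   // applies to children only
            if (!principals.Contains(common.SecurityIdentifier)) continue;
            if (common.AceQualifier == AceQualifier.AccessDenied)
                denied |= common.AccessMask & ~granted;
            else if (common.AceQualifier == AceQualifier.AccessAllowed)
                granted |= common.AccessMask & ~denied;
        }
        return granted;
    }

    static void Main()
    {
        // Constructed SIDs: a fictitious domain group and a fictitious user, not real accounts.
        var domainGroup = new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1105");
        var localUser   = new SecurityIdentifier("S-1-5-21-4444444444-5555555555-6666666666-1001");

        var dacl = new DiscretionaryAcl(false, false, 2);
        dacl.AddAccess(AccessControlType.Deny,  localUser,   (int)FileSystemRights.Write,
                       InheritanceFlags.None, PropagationFlags.None);
        dacl.AddAccess(AccessControlType.Allow, domainGroup, (int)FileSystemRights.Modify,
                       InheritanceFlags.None, PropagationFlags.None);

        // With membership supplied by the caller, the group's Allow applies, but the
        // earlier Deny keeps the Write bits out: Modify minus Write remains.
        int asMember    = Compute(dacl, localUser, new[] { domainGroup });
        int asNonMember = Compute(dacl, localUser, new SecurityIdentifier[0]);
        Console.WriteLine("member:     {0}", (FileSystemRights)asMember);
        Console.WriteLine("non-member: {0}", (FileSystemRights)asNonMember);
    }
}
```

Because the caller decides which groups to include, the result reflects exactly the membership it was given; GetEffectiveRightsFromAcl() instead has to discover that membership itself, which is where the directory access in the second answer comes in.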