IADs::SetInfo fails with "Access Denied" under Credential Provider

Igor Jovanovski

Hi,

We have a credential provider for Biometric devices and
SmartCard logon.
We are storing the credentials of domain users in Active Directory
whose schema we extend with 2 proprietary attributes to the User
object.
When a password change is done through our credential provider we
update the data in AD. Here is the problem (Win7 x32 client, Win2003
x32 server):

Although the user objects in the AD schema have the right SYSTEM with
Full Control, the IADs::SetInfo fails with 0x80050007 "Access Denied".
It is interesting that the "Get" functions work in the same sequence
of calls.
The same piece of code works under our GINA on XP. I know that
Winlogon.exe has all the privileges whereas LogonUI.exe is more
restrictive (does not have SE_RESTORE_NAME etc.) but the privileges
should not have anything to do with the rights. Right?
When I give the TestUser object in ADSIEdit.msc/Domain/Users/TestUser
the Everyone Full Control, then it works. But LogonUI.exe runs under
the SYSTEM account and the TestUser having SYSTEM Full Control should/must
be enough. Right?
So what could be the reason for this error?

I.
 
