Translate BUILTIN to domain name

  • Thread starter Anders K. Olsen

Anders K. Olsen

Hello group

I'm trying to list the users and groups who has read access to a file.

I use .NET 2.0 and FileInfo.GetAccessControl().GetAccessRules(...) and then
loop through the FileSystemAccessRule objects. Using these objects, it is
easy to use rule.IdentityReference.Translate(typeof(NTAccount)) to get the
NTAccount object.

I have noticed that some of the NTAccounts can belong to BUILTIN domains,
e.g. BUILTIN\Users. I need to translate this BUILTIN domain name to an
actual computer or domain name. Just like it is done when I click on the
Security tab of the file property dialog.

If it is on my local computer, I guess that I should just translate it into
the local computer name. However, what should I do if it is on a remote
computer? If the remote computer is a Domain controller, it looks as if I
should translate it to <DOMAIN>\Users instead of <COMPUTERNAME>\Users.

My problem is, that I don't know if the file is a local file or on a remote
computer. And if I could find out if it is a local or remote file, how do I
find out if it is on the domain controller?

If this is the wrong group to ask, then please let me know.

Thank you for your help

Regards
Anders
 

Luc E. Mistiaen

BUILTIN is a special pseudo domain (like NT AUTHORITY) that corresponds to
well-known accounts with pre-defined SIDs.

You can just use them as-is and shouldn't replace them by the local (or
another) domain name.

/LM
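The point above, that BUILTIN entries are well-known SIDs with no machine- or domain-specific part, can be seen directly from the rules the first post enumerates. The following C# is an added example written for this thread (it is not code from either poster): it lists the access rules on a file, translates each SID to an NTAccount as the first post does, and classifies the SID so that BUILTIN aliases (the S-1-5-32 sub-tree, e.g. S-1-5-32-545 for BUILTIN\Users) and NT AUTHORITY entries are visibly different from accounts that belong to a specific machine or domain. The file path is an assumed placeholder.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example, not from the original thread. Lists the access rules on a
// file and explains what kind of SID each trustee is. BUILTIN\... entries
// carry no domain part because their SIDs live under S-1-5-32, which is the
// same on every Windows computer; membership in them is evaluated by the
// machine that holds the file.
class ReadAccessLister
{
    static void Main(string[] args)
    {
        // Assumed placeholder path; pass the file to inspect as the first argument.
        string path = args.Length > 0 ? args[0] : @"C:\temp\FILE1.txt";
        FileSecurity security = new FileInfo(path).GetAccessControl();

        // Explicit and inherited rules, requested as SIDs so that no name
        // lookup is needed before the classification step.
        AuthorizationRuleCollection rules =
            security.GetAccessRules(true, true, typeof(SecurityIdentifier));

        foreach (FileSystemAccessRule rule in rules)
        {
            // Report only rules that mention the composite Read right
            // (FullControl and Modify contain it as well).
            if ((rule.FileSystemRights & FileSystemRights.Read) != FileSystemRights.Read)
                continue;

            SecurityIdentifier sid = (SecurityIdentifier)rule.IdentityReference;
            string name;
            try
            {
                name = sid.Translate(typeof(NTAccount)).Value; // e.g. BUILTIN\Users
            }
            catch (IdentityNotMappedException)
            {
                name = "<unresolved>"; // SID of a deleted or unknown account
            }

            Console.WriteLine("{0,-5} {1,-35} {2,-25} {3}",
                rule.AccessControlType, name, sid.Value, Describe(sid));
        }
    }

    // Classifies a SID the way the file's Security tab implicitly does.
    static string Describe(SecurityIdentifier sid)
    {
        if (sid.IsWellKnown(WellKnownSidType.BuiltinUsersSid))
            return "BUILTIN\\Users (S-1-5-32-545): local alias, identical on every machine";
        if (sid.Value.StartsWith("S-1-5-32-"))
            return "BUILTIN alias: members are evaluated on the machine holding the file";
        if (sid.AccountDomainSid != null)
            return "account of domain or machine " + sid.AccountDomainSid.Value;
        return "well-known or special SID (e.g. NT AUTHORITY)";
    }
}
```

The output shows why a string comparison of BUILTIN\Users across machines is meaningless: the SID is the same everywhere, but the alias's member list is local to each computer. Note also that the listing prints Deny entries alongside Allow entries; a Deny on a group the user belongs to overrides an Allow, which is another reason the real decision has to be left to the operating system.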
 

Anders K. Olsen

Luc E. Mistiaen said:
BUILTIN is a special pseudo domain (like NT AUTHORITY) that corresponds to
well-known accounts with pre-defined SIDs.

You can just use them as-is and shouldn't replace them by the local
(or another) domain name.

Thank you for your answer.

Let me see if I can explain my problem better.

Assume that a file (FILE1) is stored on SERVER1. BUILTIN\Users on SERVER1 is
allowed to read this file. When I inspect the file, I read this information.

On another computer COMPUTER2, I find that USER2 is a member of
BUILTIN\Users on this computer, but USER2 is NOT a member of BUILTIN\Users
on SERVER1.

Now I would like to find out if USER2 is allowed to read FILE1. My problem
is, that I can't use the normal Windows mechanisms to decide this question.
So I would like to be able to compare users and groups between computers and
servers. If I just compare BUILTIN\Users with BUILTIN\Users, I find that
USER2 is allowed to read FILE1 which is wrong. However if I could translate
BUILTIN\Users on SERVER1 to SERVER1\Users and BUILTIN\Users on COMPUTER2 to
COMPUTER2\Users, I would be able to decide that USER2 is not allowed to read
FILE1.

Regards
Anders
 

Luc E. Mistiaen

But it is not that simple. USER2 can be a member of a global group that is itself
member of BUILTIN\Users. In general you cannot decide based on such simple
comparison. You must impersonate USER2 and try to access the file and let
Windows decide if USER2 has access or not...

/LM
 

Anders K. Olsen

Luc E. Mistiaen said:
But it is not that simple. USER2 can be a member of a global group that is
itself member of BUILTIN\Users. In general you cannot decide based on such
simple comparison. You must impersonate USER2 and try to access the file
and let Windows decide if USER2 has access or not...

My problem is, that I can't use Windows to decide if USER2 has access to the
file. I need to decide this using string comparisons. I'm doing the
comparisons in another application that knows nothing about windows and
authentication.

When USER2 tries to access the file through my system (a webpage), I will
enumerate all the groups that USER2 belongs to. I'm using Integrated Windows
Authentication on the web browser, so this is done while I'm impersonating
USER2, so it will recursively list all groups that USER2 belongs to. When I
know all groups that USER2 belongs to, I can compare this list with the list
of users/groups that is allowed to read the file.

But you have a point: This enumeration will probably only list the groups
that are available on the webserver. Therefore it will not contain
BUILTIN\Users on SERVER1 if the webserver is not running on SERVER1.

I'm beginning to think, that it is not possible to achieve all the things
that I want to be able to do.

Regards
Anders
 

Luc E. Mistiaen

Yes, I think the closest to what you want to do, is to require the user to
be part of a specific group to have access to the file and use the IsInRole
method to check (deeply) if the user is part of that group.

/LM
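The two approaches recommended in this thread, impersonating the user and letting Windows evaluate the ACL (the earlier reply) and gating the file behind one group checked with IsInRole (the reply above), can be combined in a web application that uses Integrated Windows Authentication. The following C# is an added example written for this thread, not code from either poster; the group name and file path are assumed placeholders, and the identity is assumed to come from the ASP.NET request context.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Added example, not from the original thread. Answers "may the currently
// authenticated user read this file?" without comparing group-name strings
// across machines: both checks operate on the user's logon token.
public static class FileAccessChecks
{
    // Approach 1: require membership in one group and let IsInRole do the
    // nested-membership check. It consults the group SIDs already present in
    // the token, so global groups nested inside local aliases are covered.
    // groupName is an assumed placeholder, e.g. @"MYDOMAIN\FileReaders".
    public static bool IsMemberOf(WindowsIdentity identity, string groupName)
    {
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        return principal.IsInRole(groupName);
    }

    // Approach 2: impersonate the user and try to open the file. The machine
    // that holds the file evaluates its ACL (including Deny entries and the
    // members of its own BUILTIN aliases) against the token.
    public static bool CanRead(WindowsIdentity identity, string path)
    {
        WindowsImpersonationContext ctx = identity.Impersonate();
        try
        {
            using (new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read))
            {
                return true; // open succeeded, so the ACL granted read access
            }
        }
        catch (UnauthorizedAccessException)
        {
            return false;    // the ACL denied this token
        }
        finally
        {
            ctx.Undo();      // always drop impersonation, even on exceptions
        }
    }

    // Typical use in an ASP.NET page with Integrated Windows Authentication:
    //   WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity;
    //   bool ok = FileAccessChecks.IsMemberOf(id, @"MYDOMAIN\FileReaders")
    //             && FileAccessChecks.CanRead(id, @"\\SERVER1\share\FILE1");
}
```

One caveat for the second approach: when the browser authenticated with NTLM, the web server holds an impersonation-level token that cannot be forwarded to a second machine, so opening a file on SERVER1 from a web server that is not SERVER1 fails unless Kerberos delegation is configured. Errors other than UnauthorizedAccessException (for example a missing file) are deliberately left to propagate so that they are not mistaken for an access decision.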
 

Anders K. Olsen

Luc E. Mistiaen said:
Yes, I think the closest to what you want to do, is to require the user to
be part of a specific group to have access to the file and use the
IsInRole method to check (deeply) if the user is part of that group.

Yes, that is probably true.

Thank you for your help. You have given me something to think about and some
new directions to look.

Regards
Anders