Error 1307: Adding File Permissions to NTFS using System.Management Object in ASP.NET

Ben Dewey

Project:
----------------------------

I am creating an HTTPS File Transfer App using ASP.NET and C#. I am
utilizing ActiveDirectory and windows security to manage the
permissions. Why reinvent the wheel, right? Everything so far is
working well with the Active Directory. The problem I am having is
with adding File Permissions to a directory. I am currently using
some code courtesy of "Willy Denoyette [MVP]".

Problem:
----------------------------

When I try to add user permissions to a specific folder using the same
code in a sample console app it works correctly. When I execute the
code from ASP.NET I get a return code of 1307, every time.

Which means - 1307 This security ID may not be assigned as the owner
of this object. (http://www.hiteksoftware.com/mize/Knowledge/articles/049.htm).

Can anyone tell me why this is happening? Willy?

Environment:
----------------------------

I am developing with Framework 1.1 and Windows XP. The users are
coming from AD on a Windows 2003 Server.

I have given ASPNET object full access to the folder C:\test. I have
also given ASPNET object full access to Root/CIMV2 in
CompMgmt.msc/Services and Apps/WMI Control.

Code:
----------------------------
The DsSettings Object is just a simple class that contains the Login
and Path information for LDAP.


// Requires: using System.Management; (reference System.Management.dll)
public bool GrantPermission(string username, string domain, DsSettings settings)
{
    // Binary SID of the AD user that will receive the new ACE.
    byte[] bSid = (byte[])DsWrapper.GetUser(username,
        settings).DsEntry.Properties["objectSID"].Value;

    // using guarantees Dispose() even when a WMI call throws, and lets
    // exceptions propagate with their original stack trace.
    using (ManagementObject LogicalFileSecuritySetting = new ManagementObject(
        new ManagementPath(
            @"ROOT\CIMV2:Win32_LogicalFileSecuritySetting.Path='c:\\test'")))
    {
        // Read the folder's current security descriptor.
        ManagementBaseObject outParams =
            LogicalFileSecuritySetting.InvokeMethod("GetSecurityDescriptor", null, null);

        ManagementBaseObject Descriptor =
            (ManagementBaseObject)outParams.Properties["Descriptor"].Value;
        // Existing ACEs; read here but not carried over into the new DACL below.
        ManagementBaseObject[] DACLObject =
            (ManagementBaseObject[])Descriptor.Properties["DACL"].Value;

        // Trustee identifying the user by domain, name and SID.
        ManagementObject newTrusteeUser =
            (new ManagementClass(@"ROOT\CIMV2:Win32_Trustee")).CreateInstance();
        newTrusteeUser["Domain"] = domain;
        newTrusteeUser["Name"] = username;
        newTrusteeUser["SID"] = bSid;

        // Access-allowed ACE for that trustee.
        ManagementObject newACEUser =
            (new ManagementClass(@"ROOT\CIMV2:Win32_Ace")).CreateInstance();
        newACEUser["Trustee"] = newTrusteeUser;
        newACEUser["AceFlags"] = 3;         // OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
        newACEUser["AceType"] = 0;          // access allowed
        newACEUser["AccessMask"] = 2032127; // Full Access Mask

        // The new DACL holds only this ACE, so it replaces the existing entries.
        ManagementBaseObject[] DACLObjectNew = new ManagementBaseObject[] { newACEUser };
        Descriptor.Properties["DACL"].Value = DACLObjectNew;

        ManagementBaseObject inParams =
            LogicalFileSecuritySetting.GetMethodParameters("SetSecurityDescriptor");
        inParams["Descriptor"] = Descriptor;
        outParams =
            LogicalFileSecuritySetting.InvokeMethod("SetSecurityDescriptor", inParams, null);

        // This line is where I get a result back of 1307 in ASP.NET
        uint result = (uint)(outParams.Properties["ReturnValue"].Value);

        // 0 means success; anything else (for example the 1307 seen under
        // ASP.NET) is a failure and must not be reported as success.
        return result == 0;
    }
}


Logs:
----------------------------
C:\WINDOWS\system32\WBEM\Logs\Framework.log
----------------------------
Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:06.093 thread:1916 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:06.203 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:06.203 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:07.968 thread:1916 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:07.984 thread:1916 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:07.984 thread:1916 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:08.000 thread:1916 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:08.093 thread:1916 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:08.093 thread:1916 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:08.203 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:08.203 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:08.218 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:08.218 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
Shell Name Explorer.exe in Registry not found in process
list. 05/06/2004 09:39:08.312 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
Unable to locate Shell Process, Impersonation failed. 05/06/2004
09:39:08.312 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
 
Willy Denoyette [MVP]

Ben,

Your code runs as "ASPNET" and uses ASPNET's access token when connecting
to WMI, however, ASPNET has no privileges to change the filesystem object
ACLs.
So you need to run this code with elevated privileges, here you have a
number of options:
- or, impersonate a power user (using your web config file, or in code),
- or, run this from a server type COM+ application, using a power user's
identity.
I would also suggest to use the System.DirectoryServices namespace (and add
a reference to Activeds.tlb) instead of WMI to manage FS ACLs, that way
you don't have to add System.Management stuff to your code, and you don't
have to care about WMI security settings.


Willy.
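
The "in code" impersonation option from the reply above, as an added example that is not part of the original thread: the privileged identity is applied only around the ACL change and always reverted, instead of for the whole application as with `<identity impersonate="true" .../>` in web.config. The delegate, class and method names are hypothetical, and the account is assumed to be one that is allowed to change the folder's ACL.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example. The delegate, class and method names are hypothetical.
public delegate void PrivilegedAction();

public sealed class ScopedImpersonation
{
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string userName, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    private ScopedImpersonation() { }

    // Runs action under the given account, then always restores the
    // worker process identity (ASPNET in the thread above).
    public static void Run(string userName, string domain, string password,
                           PrivilegedAction action)
    {
        IntPtr token = IntPtr.Zero;
        WindowsImpersonationContext context = null;
        try
        {
            if (!LogonUser(userName, domain, password,
                           LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
            {
                // Surface the Win32 error instead of continuing as ASPNET.
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }
            context = WindowsIdentity.Impersonate(token);
            action();
        }
        finally
        {
            // Revert even if the action throws, so no later code on this
            // thread keeps running with the elevated token.
            if (context != null) context.Undo();
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    }
}

public class Demo
{
    private static void ChangeAcl()
    {
        // The SetSecurityDescriptor call belongs here; printing the identity
        // shows which token that call would run under.
        Console.WriteLine("inside: " + WindowsIdentity.GetCurrent().Name);
    }

    public static void Main(string[] args)
    {
        // args: userName domain (the password is read from the console
        // so it does not end up in the process command line).
        Console.Write("Password: ");
        string password = Console.ReadLine();

        Console.WriteLine("before: " + WindowsIdentity.GetCurrent().Name);
        ScopedImpersonation.Run(args[0], args[1], password,
                                new PrivilegedAction(ChangeAcl));
        Console.WriteLine("after:  " + WindowsIdentity.GetCurrent().Name);
    }
}
```

The "before" and "after" lines should show the process identity and the "inside" line the impersonated account; if "inside" still shows the process identity, the ACL call would fail the same way it does under ASPNET.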

 
Ben Dewey

Willy,

How do I set up the impersonation through web.config?

I tried using this code below, but I kept getting a "The security ID
structure is invalid." error. Is this what you were talking about doing?

Also, have you ever heard of the Microsoft.Win32.Security Namespace
(http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=e6098575-dda0-48b8-9abf-e0705af065d9).
I was playing around with that a little
bit and it seemed to work. Are there any issues with using this namespace?


Code:
--------------------------------------
ADsSecurityUtilityClass secuUtil = new ADsSecurityUtilityClass();
object secuDesc = secuUtil.GetSecurityDescriptor(
    this.FolderName,
    (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
    (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);
if (secuDesc != null)
{
    // Since we asked for ADS_SD_FORMAT_IID format, that means the returned
    // object is IADsSecurityDescriptor. So we can use the methods on this
    // object to get more information about the security descriptor.
    ActiveDs.IADsSecurityDescriptor folderSD = (IADsSecurityDescriptor)secuDesc;

    AccessControlEntry newAce = new AccessControlEntryClass();
    ActiveDs.IADsAccessControlList folderAcl =
        (ActiveDs.IADsAccessControlList)folderSD.DiscretionaryAcl;

    newAce.AceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
    switch (permissionType)
    {
        case DsPermissionTypes.Read:
            newAce.AccessMask = DsPermissions.FILE_LIST_DIRECTORY;
            break;
        case DsPermissionTypes.Write:
            newAce.AccessMask = DsPermissions.FILE_ADD_FILE |
                DsPermissions.FILE_ADD_SUBDIRECTORY;
            break;
        case DsPermissionTypes.Delete:
            newAce.AccessMask = DsPermissions.FILE_DELETE_CHILD |
                DsPermissions.FILE_TRAVERSE;
            break;
        case DsPermissionTypes.ChangePermissions:
            newAce.AccessMask = DsPermissions.WRITE_DAC |
                DsPermissions.READ_CONTROL;
            break;
    }

    newAce.AceFlags = (int)ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE;
    newAce.Flags = (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT
        | (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT;

    newAce.AceType = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
    newAce.Trustee = @"bdewey";
    newAce.AccessMask = -1;

    string trustee = (domain==null)?username:domain + @"\" + username;
    newAce.Trustee = trustee;

    folderAcl.AddAce(newAce);
    folderSD.DiscretionaryAcl = folderAcl;

    secuUtil.SetSecurityDescriptor(this.FolderName,
        (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
        folderSD,
        (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);
}

 
Andy Gaskell

Check 'em out

http://msdn.microsoft.com/library/d...-us/cpguide/html/cpconaspnetimpersonation.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetAP05.asp
http://msdn.microsoft.com/library/d.../en-us/cpgenref/html/gngrfidentitysection.asp


 
Ben Dewey

Thanks a lot guys, it worked. I set up to impersonate the admin account and
this code works now. Thanks.

Ben Dewey

One more question in regards to this. I was able to add a permission. Now,
what is the best way to go about revoking permissions? Is there a way to
find the AceEntry, then get the Mask and do a
Mask ! GENERIC_WRITE?

Is there a logical operator to remove a flag?

If this is not possible I was thinking about
1. Finding the AceEntry
2. Saving it to a variable.
3. Removing the Entry
4. Recreating the Entry with the active permissions still available
5. Adding the AceEntry back.

Is this good?

Willy Denoyette [MVP]

You can simply use binary and unary operators to set and un-set bits, like
this...

[Flags]
enum Access : uint {
    // ..
    Delete = 0x00010000,
    // ..
}

// Reset delete bit (if set), keep other bits set
uint mask = Convert.ToUInt32(ace.Properties["AccessMask"].Value);
ace.Properties["AccessMask"].Value = mask & ~(uint)Access.Delete;

....

Willy.



Ben Dewey

Actually I figured it out. Thanks anyways. Anyone who wants to know how to
revoke or remove permissions from an NTFS Store using ActiveDs see the code
below.

DsPermissions is just a class that I use to generalize the permissions for
my needs.

// Requires: using System; using System.Collections; using ActiveDs;
// (ActiveDs is the COM interop assembly for activeds.tlb)
public bool RevokePermission(string username, string domain,
    DsPermissionTypes permissionType)
{
    try
    {
        ADsSecurityUtilityClass secuUtil = new ADsSecurityUtilityClass();
        object secuDesc = secuUtil.GetSecurityDescriptor(
            this.FolderName,
            (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
            (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);
        if (secuDesc != null)
        {
            // Since we asked for ADS_SD_FORMAT_IID format, that means the returned
            // object is IADsSecurityDescriptor. So we can use the methods on this
            // object to get more information about the security descriptor.
            ActiveDs.IADsSecurityDescriptor folderSD = (IADsSecurityDescriptor)secuDesc;
            ActiveDs.IADsAccessControlList folderAcl =
                (ActiveDs.IADsAccessControlList)folderSD.DiscretionaryAcl;
            // Find the user's ACEs and clear the revoked rights in place.
            // Get Ace enumerator.
            IEnumerator aceEnum = folderAcl.GetEnumerator();
            while (aceEnum.MoveNext())
            {
                // Get Information about Ace.
                ActiveDs.IADsAccessControlEntry ace =
                    (ActiveDs.IADsAccessControlEntry)aceEnum.Current;
                if (ace.Trustee.ToLower() == domain.ToLower() + @"\" + username.ToLower() ||
                    ace.Trustee.ToLower() == username.ToLower())
                {
                    // "& ~" only clears bits. XOR would switch a bit ON if it
                    // happened to be clear (e.g. FILE_DELETE_CHILD below).
                    switch (permissionType)
                    {
                        case DsPermissionTypes.Read:
                            if ((ace.AccessMask &
                                DsPermissions.FILE_GENERIC_READ) == DsPermissions.FILE_GENERIC_READ)
                                ace.AccessMask = ace.AccessMask & ~DsPermissions.FILE_GENERIC_READ;
                            break;
                        case DsPermissionTypes.Write:
                            if ((ace.AccessMask &
                                DsPermissions.FILE_GENERIC_WRITE) == DsPermissions.FILE_GENERIC_WRITE)
                                ace.AccessMask = ace.AccessMask & ~DsPermissions.FILE_GENERIC_WRITE;
                            break;
                        case DsPermissionTypes.Delete:
                            if ((ace.AccessMask & DsPermissions.DELETE) == DsPermissions.DELETE)
                                ace.AccessMask = ace.AccessMask &
                                    ~(DsPermissions.DELETE | DsPermissions.FILE_DELETE_CHILD);
                            break;
                        case DsPermissionTypes.ChangePermissions:
                            if ((ace.AccessMask & DsPermissions.WRITE_DAC) == DsPermissions.WRITE_DAC)
                                ace.AccessMask = ace.AccessMask &
                                    ~(DsPermissions.READ_CONTROL | DsPermissions.WRITE_DAC);
                            break;
                    }
                }
            }
            // Write the modified DACL back to the folder.
            folderSD.DiscretionaryAcl = folderAcl;
            secuUtil.SetSecurityDescriptor(this.FolderName,
                (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
                folderSD,
                (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);
            return true;
        }
        else
        {
            return false;
        }
    }
    catch (Exception)
    {
        // Rethrow without resetting the stack trace.
        throw;
    }
}
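
The mask arithmetic discussed in the two posts above, run on constructed access masks; this is an added example, not code from the thread, and it touches no real ACL. The FileRights enum and the AceMaskDemo helper names are assumptions made for illustration, with values taken from the Windows SDK constants of the same names. It compares XOR with AND-NOT and also shows the bits that FILE_GENERIC_READ and FILE_GENERIC_WRITE share.

```csharp
using System;

// Constructed masks only: nothing here reads or writes a real ACL.
// Values are the Windows SDK (winnt.h) constants of the same names.
[Flags]
enum FileRights : uint
{
    None                  = 0,
    FILE_READ_DATA        = 0x000001,
    FILE_WRITE_DATA       = 0x000002,
    FILE_APPEND_DATA      = 0x000004,
    FILE_READ_EA          = 0x000008,
    FILE_WRITE_EA         = 0x000010,
    FILE_DELETE_CHILD     = 0x000040,
    FILE_READ_ATTRIBUTES  = 0x000080,
    FILE_WRITE_ATTRIBUTES = 0x000100,
    DELETE                = 0x010000,
    READ_CONTROL          = 0x020000,
    WRITE_DAC             = 0x040000,
    SYNCHRONIZE           = 0x100000,
    FILE_GENERIC_READ     = READ_CONTROL | SYNCHRONIZE | FILE_READ_DATA
                          | FILE_READ_EA | FILE_READ_ATTRIBUTES,
    FILE_GENERIC_WRITE    = READ_CONTROL | SYNCHRONIZE | FILE_WRITE_DATA
                          | FILE_APPEND_DATA | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES
}

static class AceMaskDemo // hypothetical helper class for this example
{
    // XOR toggles: a right that is set is cleared, a right that is clear gets SET.
    static FileRights RevokeWithXor(FileRights mask, FileRights rights)
    {
        return mask ^ rights;
    }

    // AND-NOT only ever clears bits, whatever their previous state.
    static FileRights Revoke(FileRights mask, FileRights rights)
    {
        return mask & ~rights;
    }

    // Clears `rights` except for the bits that `keep` also depends on.
    static FileRights RevokeKeeping(FileRights mask, FileRights rights, FileRights keep)
    {
        return mask & ~(rights & ~keep);
    }

    // True when every bit of `rights` is present in `mask`.
    static bool Has(FileRights mask, FileRights rights)
    {
        return (mask & rights) == rights;
    }

    static void Show(string label, FileRights mask)
    {
        Console.WriteLine("{0,-44} 0x{1:X6}", label, (uint)mask);
    }

    static void Main()
    {
        // Case 1: the ACE grants DELETE but not FILE_DELETE_CHILD.
        FileRights ace = FileRights.FILE_GENERIC_READ | FileRights.DELETE;
        FileRights deleteRights = FileRights.DELETE | FileRights.FILE_DELETE_CHILD;
        Show("case 1 start (generic read + DELETE)", ace);

        FileRights viaXor = RevokeWithXor(ace, deleteRights);
        Show("case 1 after XOR", viaXor);
        Console.WriteLine("  FILE_DELETE_CHILD now granted: {0}",
            Has(viaXor, FileRights.FILE_DELETE_CHILD));

        FileRights viaAndNot = Revoke(ace, deleteRights);
        Show("case 1 after AND-NOT", viaAndNot);
        Console.WriteLine("  FILE_DELETE_CHILD now granted: {0}",
            Has(viaAndNot, FileRights.FILE_DELETE_CHILD));

        // Case 2: generic read and generic write share READ_CONTROL and SYNCHRONIZE.
        ace = FileRights.FILE_GENERIC_READ | FileRights.FILE_GENERIC_WRITE;
        Show("case 2 start (generic read + generic write)", ace);

        FileRights plain = Revoke(ace, FileRights.FILE_GENERIC_WRITE);
        Show("case 2 after AND-NOT of generic write", plain);
        Console.WriteLine("  still passes generic-read check: {0}",
            Has(plain, FileRights.FILE_GENERIC_READ));

        FileRights kept = RevokeKeeping(ace, FileRights.FILE_GENERIC_WRITE,
            FileRights.FILE_GENERIC_READ);
        Show("case 2 after write-only bits cleared", kept);
        Console.WriteLine("  still passes generic-read check: {0}",
            Has(kept, FileRights.FILE_GENERIC_READ));
        Console.WriteLine("  FILE_WRITE_DATA still granted: {0}",
            Has(kept, FileRights.FILE_WRITE_DATA));
    }
}
```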


Ben Dewey said:
One more question in regards to this. I was able to add a permission. Now,
what is the best way to go about revoking permissions? Is there away to
Find the AceEntry then get the Mask and do a
Mask ! GENERIC_WRITE.

Is there a logical operator to remove a flag?

If this is not possible I am was thinking about
1. Finding the AceEntry
2. Saving it to a variable.
3. Removing the Entry
4. Recreating the Entry with the active permissions still available
5. Adding the AceEntry back.

Is this good?
Ben Dewey said:
Thanks alot guys it worked. I set up to impersonate the admin account and
this code works now. Thanks.
http://msdn.microsoft.com/library/d...nity/UserSamples/Details.aspx?SampleGuid=e609
newAce.Flags=(int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT
have
a
number of options:
- or, impersonate a power user (using your web config file, or in
code),
- or, run this from a server type COM+ application, using a power
user's
identity.
I would also suggest to use the System.DirectoryServices namespace (and
add
a reference to Activeds.tlb) instead of WMI to manage FS ACL's, that
way
you don't have to add System.Management stuff to your code, and you
don't
have to care about WMI security settings.


Willy.


Ben Dewey

I am assuming that

["AccessMask"].Value & (~Access.Delete);
is the same as
["AccessMask"].Value ^ Access.Delete;

If so I got it right. See my other post.



Willy Denoyette [MVP]

Ben,

No it's not, you are flipping the bit when using XOR (^), so in your
sample:

["AccessMask"].Value ^ Access.Delete;

When Delete was set, you turn it OFF, but if it was not set you turn it ON.
I don't think this is what you want.

Willy.


Ben Dewey said:
I am assuming that

["AccessMask"].Value & (~Access.Delete);
is the same as
["AccessMask"].Value ^ Access.Delete;

If so I got it right. See my other post.


Willy Denoyette said:
You can simply use binary and unary operators to set or unset bits, like
this...

enum Access {
..
Delete = 0x00010000,
..
}

// Reset delete bit (if set), keep other bits set
ace.Properties["AccessMask"].Value =
    (uint)ace.Properties["AccessMask"].Value & ~(uint)Access.Delete;

...

Willy.


Ben Dewey said:
One more question in regards to this. I was able to add a permission.
Now, what is the best way to go about revoking permissions? Is there a
way to find the AceEntry, then get the Mask and do a
Mask ! GENERIC_WRITE.

Is there a logical operator to remove a flag?

If this is not possible I was thinking about
1. Finding the AceEntry
2. Saving it to a variable.
3. Removing the Entry
4. Recreating the Entry with the active permissions still available
5. Adding the AceEntry back.

Is this good?

Ben Dewey said:
Thanks a lot guys, it worked. I set up to impersonate the admin account
and this code works now. Thanks.

"Andy Gaskell" <pubb AT hotmail DOT com> wrote in message
Check 'em out
http://msdn.microsoft.com/library/d...-us/cpguide/html/cpconaspnetimpersonation.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetAP05.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfidentitysection.asp


Willy,

How do I set up the impersonation through web.config?

I tried using this code below, but I kept getting a "The security ID
structure is invalid." error. Is this what you were talking about
doing?

Also, have you ever heard of the Microsoft.Win32.Security Namespace
(http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=e6098575-dda0-48b8-9abf-e0705af065d9).
I was playing around with that a little bit and it seemed to work. Are
there any issues with using this namespace?


Code:
--------------------------------------
ADsSecurityUtilityClass secuUtil = new ADsSecurityUtilityClass();
object secuDesc = secuUtil.GetSecurityDescriptor(
    this.FolderName,
    (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
    (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);
if (secuDesc != null)
{
    // Since we asked for ADS_SD_FORMAT_IID format, that means the returned
    // object is IADsSecurityDescriptor. So we can use the methods on this
    // object to get more information about the security descriptor.
    ActiveDs.IADsSecurityDescriptor folderSD =
        (IADsSecurityDescriptor)secuDesc;

    AccessControlEntry newAce = new AccessControlEntryClass();
    ActiveDs.IADsAccessControlList folderAcl =
        (ActiveDs.IADsAccessControlList)folderSD.DiscretionaryAcl;

    newAce.AceType =
        (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
    switch (permissionType)
    {
        case DsPermissionTypes.Read:
            newAce.AccessMask = DsPermissions.FILE_LIST_DIRECTORY;
            break;
        case DsPermissionTypes.Write:
            newAce.AccessMask = DsPermissions.FILE_ADD_FILE |
                DsPermissions.FILE_ADD_SUBDIRECTORY;
            break;
        case DsPermissionTypes.Delete:
            newAce.AccessMask = DsPermissions.FILE_DELETE_CHILD |
                DsPermissions.FILE_TRAVERSE;
            break;
        case DsPermissionTypes.ChangePermissions:
            newAce.AccessMask = DsPermissions.WRITE_DAC |
                DsPermissions.READ_CONTROL;
            break;
    }

    newAce.AceFlags = (int)ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE;

    newAce.Flags =
        (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT |
        (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT;

    newAce.AceType = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
    newAce.Trustee = @"bdewey";
    newAce.AccessMask = -1;

    string trustee = (domain==null)?username:domain + @"\" + username;
    newAce.Trustee = trustee;

    folderAcl.AddAce(newAce);
    folderSD.DiscretionaryAcl = folderAcl;

    secuUtil.SetSecurityDescriptor(this.FolderName,
        (int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
        folderSD,
        (int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);
}

Ben,

Your code runs as "ASPNET" and uses ASPNET's access token when
connecting to WMI, however, ASPNET has no privileges to change the
filesystem object ACL's.
So you need to run this code with elevated privileges, here you have a
number of options:
- or, impersonate a power user (using your web config file, or in code),
- or, run this from a server type COM+ application, using a power
  user's identity.
I would also suggest to use the System.DirectoryServices namespace (and
add a reference to Activeds.tlb) instead of WMI to manage FS ACL's, that
way you don't have to add System.Management stuff to your code, and you
don't have to care about WMI security settings.


Willy.

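Willy's point about & ~ versus ^, applied to the revoke question quoted above, as an added example that is not code from any poster in this thread. It models a DACL in memory: the Ace class, the DaclEdit helper and the CORP\... trustees are hypothetical and constructed for illustration, while Delete = 0x00010000 and the full access mask 2032127 come from the thread.

```csharp
using System;
using System.Collections.Generic;

[Flags]
enum Access : uint
{
    ReadData    = 0x00000001,
    Delete      = 0x00010000,  // value given in the thread
    ReadControl = 0x00020000,
    FullControl = 0x001F01FF   // 2032127, the thread's "Full Access Mask"
}

// Minimal stand-in for an ACE (hypothetical type, not Win32_Ace).
class Ace
{
    public string Trustee;
    public bool Allow;         // true = access-allowed ACE (AceType 0)
    public Access Mask;
    public Ace(string trustee, bool allow, Access mask)
    {
        Trustee = trustee; Allow = allow; Mask = mask;
    }
}

static class DaclEdit
{
    // Clears 'rights' on every allow ACE of 'trustee'; returns how many ACEs changed.
    // AND with the complement can only turn bits off, so it is idempotent and cannot
    // grant a right that was absent. Deny ACEs and other trustees are left untouched.
    public static int Revoke(List<Ace> dacl, string trustee, Access rights)
    {
        int changed = 0;
        for (int i = dacl.Count - 1; i >= 0; i--)   // backwards, so RemoveAt is safe
        {
            Ace ace = dacl[i];
            if (!ace.Allow ||
                !string.Equals(ace.Trustee, trustee, StringComparison.OrdinalIgnoreCase))
                continue;
            Access after = ace.Mask & ~rights;
            if (after == ace.Mask) continue;        // right was not granted here
            if (after == 0) dacl.RemoveAt(i);       // empty allow ACE grants nothing
            else ace.Mask = after;
            changed++;
        }
        return changed;
    }

    // The XOR form from the question: a toggle, shown only for comparison.
    public static Access Toggle(Access mask, Access rights)
    {
        return mask ^ rights;
    }
}

static class Program
{
    static string Hex(Access a) { return "0x" + ((uint)a).ToString("X8"); }

    static void Main()
    {
        // Constructed sample DACL; trustee names are made up.
        var dacl = new List<Ace>
        {
            new Ace(@"CORP\alice", true, Access.FullControl),
            new Ace(@"CORP\bob",   true, Access.ReadData | Access.ReadControl),
            new Ace(@"CORP\carol", true, Access.Delete)
        };
        Access bobBefore = dacl[1].Mask;

        foreach (string user in new[] { @"CORP\alice", @"CORP\bob", @"CORP\carol" })
            Console.WriteLine("{0}: {1} ACE(s) changed", user,
                DaclEdit.Revoke(dacl, user, Access.Delete));

        foreach (Ace ace in dacl)
            Console.WriteLine("{0} -> {1}", ace.Trustee, Hex(ace.Mask));

        // bob never had Delete: AND-NOT leaves him alone, XOR would grant it.
        Console.WriteLine("bob with ^ : {0} (was {1})",
            Hex(DaclEdit.Toggle(bobBefore, Access.Delete)), Hex(bobBefore));
    }
}
```

With the WMI descriptor from the thread, the same mask arithmetic would be applied to each Win32_Ace AccessMask before the DACL is passed back to SetSecurityDescriptor.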
 
