| Groups | Blog | Home |
dotnet security : Non Administrator creating shares on a DC
I am trying to create a tool for new user creation so that our Help
Desks can create users, home directories, the shares, and add them to groups. It was all good until I got to creating shares on the servers (some are DC's) I can't find ANY WAY to get around the following (in C#): System.Management.ManagementClass mc = new System.Management.ManagementClass("\\\\" + oHomeServer.Text.Trim() + "\\root\\cimv2", "Win32_Share", null); System.Management.ManagementBaseObject inParams = mc.GetMethodParameters("Create"); I get "Access Denied" exception when I run this as a NON-Admin user in the HelpDesk Group. I have given ALL rights to the WMI services to the "HelpDesk Group" on server which I am creating the share. It won't let me :( *** When I log into a PC as that user, and run through computer managemenet/attach to server and then go through "Create a new share", it all works great... Directory is created, share is created etc. This would indicate to me that the user has rights to do this, but that the code being called by the tool is different than the code that _I_ am calling :( *** What rights do I need for the HelpDesk Group on what aspects of what object for this to work? What code should I call instead? I have brick shaped dent in my forehead from this problem, and the balding patch is growing larger from pullling all my hair out!!!! So, all you WMI and security gurus out there... help please. Thanks, Brian Hampson System Administrator - North America ALS Laboratory Group, Environmental Division
Anyone? Any ideas? Help PLEASE!!!!
[quoted text, click to view] Brian Hampson wrote:
> I am trying to create a tool for new user creation so that our Help > Desks can create users, home directories, the shares, and add them to > groups. > > It was all good until I got to creating shares on the servers (some are > DC's) I can't find ANY WAY to get around the following (in C#): > > System.Management.ManagementClass mc = new > System.Management.ManagementClass("\\\\" + oHomeServer.Text.Trim() + > "\\root\\cimv2", "Win32_Share", null); > System.Management.ManagementBaseObject inParams = > mc.GetMethodParameters("Create"); > > I get "Access Denied" exception when I run this as a NON-Admin user in > the HelpDesk Group. I have given ALL rights to the WMI services to the > "HelpDesk Group" on server which I am creating the share. It won't let > me :( > > Brian Hampson > System Administrator - North America > ALS Laboratory Group, Environmental Division
David,
Thank you for taking the time to reply. My problem is that I want to do this all programmatically. By doing it this way, I fill in all the details (addresses/upn/email server etc) for the new user based on corporate location. The only thing the Helpdesk people should have to do is put in the user's name, and which office. My app handles the rest. I'm pretty sure I've got the delegation ALMOST working since I can create shares using the Manage Computer inferface. It appears to use a different path than the WMI path that I am attempting. Anyone know what it is? [quoted text, click to view] David Lee Conley wrote:
> Brian, > > I'm a little rusty on my server stuff, but have you tried creating a new > Organizational Unit (OU), assign the appropriate folder to the OU, and grant > the HelpDesk group permissions to create users and add them to groups? You > should be able search the help files on Delegating Authority to accomplish > this, or see the links below. > > Then create an MMC snap-in that grants the HelpDesk group members the tools > needed to do the job. You can then use group policy to push the MMC > application to all members of the HelpDesk group. Just make sure you don't > give them a method of editing the MMC interface. > > When creating users, specifying \%username% in the home folder field should > automatically create the folder and grant only the new user permissions on > that folder. If needed by your organization, you can also use group policy > to prevent users from changing the location of My Documents from their > server assigned home folder. > > These links should help guide you. > > http://technet2.microsoft.com/WindowsServer/en/Library/2f2fb575-43a8-4c01-b3cd-1ce9b78281cb1033.mspx?mfr=true > http://support.microsoft.com/?kbid=230263 > http://technet2.microsoft.com/WindowsServer/en/Library/60096a04-8494-4551-bfd6-3aebadddc3fe1033.mspx?mfr=true > http://technet2.microsoft.com/WindowsServer/en/Library/2f2fb575-43a8-4c01-b3cd-1ce9b78281cb1033.mspx?mfr=true > > Dave > > "Brian Hampson" <brian.hampson@gmail.com> wrote in message > news:1153318623.484424.235700@s13g2000cwa.googlegroups.com... > > Anyone? Any ideas? Help PLEASE!!!! > > > > Brian Hampson wrote: > >> I am trying to create a tool for new user creation so that our Help > >> Desks can create users, home directories, the shares, and add them to > >> groups. > >> > >> It was all good until I got to creating shares on the servers (some are > >> DC's) I can't find ANY WAY to get around the following (in C#): > >> > >> System.Management.ManagementClass mc = new > >> System.Management.ManagementClass("\\\\" + oHomeServer.Text.Trim() + > >> "\\root\\cimv2", "Win32_Share", null); > >> System.Management.ManagementBaseObject inParams = > >> mc.GetMethodParameters("Create"); > >> > >> I get "Access Denied" exception when I run this as a NON-Admin user in > >> the HelpDesk Group. I have given ALL rights to the WMI services to the > >> "HelpDesk Group" on server which I am creating the share. It won't let > >> me :( > >> > >> Brian Hampson > >> System Administrator - North America > >> ALS Laboratory Group, Environmental Division > >
Brian,
I'm a little rusty on my server stuff, but have you tried creating a new Organizational Unit (OU), assign the appropriate folder to the OU, and grant the HelpDesk group permissions to create users and add them to groups? You should be able search the help files on Delegating Authority to accomplish this, or see the links below. Then create an MMC snap-in that grants the HelpDesk group members the tools needed to do the job. You can then use group policy to push the MMC application to all members of the HelpDesk group. Just make sure you don't give them a method of editing the MMC interface. When creating users, specifying \%username% in the home folder field should automatically create the folder and grant only the new user permissions on that folder. If needed by your organization, you can also use group policy to prevent users from changing the location of My Documents from their server assigned home folder. These links should help guide you. http://technet2.microsoft.com/WindowsServer/en/Library/2f2fb575-43a8-4c01-b3cd-1ce9b78281cb1033.mspx?mfr=true http://support.microsoft.com/?kbid=230263 http://technet2.microsoft.com/WindowsServer/en/Library/60096a04-8494-4551-bfd6-3aebadddc3fe1033.mspx?mfr=true http://technet2.microsoft.com/WindowsServer/en/Library/2f2fb575-43a8-4c01-b3cd-1ce9b78281cb1033.mspx?mfr=true Dave [quoted text, click to view] "Brian Hampson" <brian.hampson@gmail.com> wrote in message news:1153318623.484424.235700@s13g2000cwa.googlegroups.com... > Anyone? Any ideas? Help PLEASE!!!! > > Brian Hampson wrote: >> I am trying to create a tool for new user creation so that our Help >> Desks can create users, home directories, the shares, and add them to >> groups. >> >> It was all good until I got to creating shares on the servers (some are >> DC's) I can't find ANY WAY to get around the following (in C#): >> >> System.Management.ManagementClass mc = new >> System.Management.ManagementClass("\\\\" + oHomeServer.Text.Trim() + >> "\\root\\cimv2", "Win32_Share", null); >> System.Management.ManagementBaseObject inParams = >> mc.GetMethodParameters("Create"); >> >> I get "Access Denied" exception when I run this as a NON-Admin user in >> the HelpDesk Group. I have given ALL rights to the WMI services to the >> "HelpDesk Group" on server which I am creating the share. It won't let >> me :( >> >> Brian Hampson >> System Administrator - North America >> ALS Laboratory Group, Environmental Division >
You will have to connect to the remote server specifying 'explicit
credentials' of an administrator on this remote server. The way you are doing, is using (through impersonation) the 'current' user's credentials to create shares on a remote server which is obviously not allowed. Search the docs for the ConnectionOptions class and it's UserName, Password and Impersonation properties. Willy. [quoted text, click to view] "Brian Hampson" <brian.hampson@gmail.com> wrote in message |I am trying to create a tool for new user creation so that our Helpnews:1153168265.112787.83640@h48g2000cwc.googlegroups.com... | Desks can create users, home directories, the shares, and add them to | groups. | | It was all good until I got to creating shares on the servers (some are | DC's) I can't find ANY WAY to get around the following (in C#): | | System.Management.ManagementClass mc = new | System.Management.ManagementClass("\\\\" + oHomeServer.Text.Trim() + | "\\root\\cimv2", "Win32_Share", null); | System.Management.ManagementBaseObject inParams = | mc.GetMethodParameters("Create"); | | I get "Access Denied" exception when I run this as a NON-Admin user in | the HelpDesk Group. I have given ALL rights to the WMI services to the | "HelpDesk Group" on server which I am creating the share. It won't let | me :( | | *** | When I log into a PC as that user, and run through computer | managemenet/attach to server and then go through "Create a new share", | it all works great... Directory is created, share is created etc. This | would indicate to me that the user has rights to do this, but that the | code being called by the tool is different than the code that _I_ am | calling :( | *** | What rights do I need for the HelpDesk Group on what aspects of what | object for this to work? What code should I call instead? I have | brick shaped dent in my forehead from this problem, and the balding | patch is growing larger from pullling all my hair out!!!! | | So, all you WMI and security gurus out there... help please. | | Thanks, | | Brian Hampson | System Administrator - North America | ALS Laboratory Group, Environmental Division |
Thanks Willy,
I really needed NOT to code Admin priveledges into my code. After working with security on the WMI part of the server, I was able to do the job. Cheers! B. [quoted text, click to view] Willy Denoyette [MVP] wrote:
> You will have to connect to the remote server specifying 'explicit > credentials' of an administrator on this remote server. The way you are > doing, is using (through impersonation) the 'current' user's credentials to > create shares on a remote server which is obviously not allowed. > Search the docs for the ConnectionOptions class and it's UserName, Password > and Impersonation properties. > > Willy. > > > "Brian Hampson" <brian.hampson@gmail.com> wrote in message > news:1153168265.112787.83640@h48g2000cwc.googlegroups.com... > |I am trying to create a tool for new user creation so that our Help > | Desks can create users, home directories, the shares, and add them to > | groups. > | > | It was all good until I got to creating shares on the servers (some are > | DC's) I can't find ANY WAY to get around the following (in C#): > | > | System.Management.ManagementClass mc = new > | System.Management.ManagementClass("\\\\" + oHomeServer.Text.Trim() + > | "\\root\\cimv2", "Win32_Share", null); > | System.Management.ManagementBaseObject inParams = > | mc.GetMethodParameters("Create"); > | > | I get "Access Denied" exception when I run this as a NON-Admin user in > | the HelpDesk Group. I have given ALL rights to the WMI services to the > | "HelpDesk Group" on server which I am creating the share. It won't let > | me :( > | > | *** > | When I log into a PC as that user, and run through computer > | managemenet/attach to server and then go through "Create a new share", > | it all works great... Directory is created, share is created etc. This > | would indicate to me that the user has rights to do this, but that the > | code being called by the tool is different than the code that _I_ am > | calling :( > | *** > | What rights do I need for the HelpDesk Group on what aspects of what > | object for this to work? What code should I call instead? I have > | brick shaped dent in my forehead from this problem, and the balding > | patch is growing larger from pullling all my hair out!!!! > | > | So, all you WMI and security gurus out there... help please. > | > | Thanks, > | > | Brian Hampson > | System Administrator - North America > | ALS Laboratory Group, Environmental Division > |
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
| home · blog · groups | Questions? Comments? Contact the dn |