Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   ASP General (http://www.velocityreviews.com/forums/f65-asp-general.html)
-   -   File permissions from ASP (http://www.velocityreviews.com/forums/t792743-file-permissions-from-asp.html)

ewallig 01-17-2004 11:01 PM
File permissions from ASP
 
Hi all, need help -

As part of a ASP-based AD account creation tool, I need to
set file permissions on the newly-created user's home
folders. I'm using CACLS to do this and calling it from
within the ASP page. The page is used by instructors who
do not have admin rights (OU that they work in has been
delegated to them and they have "Modify" and
various "Special" NTFS permissions on the home share,
including "Change Permissions". I'm running in Integrated
Windows Authentication mode with Anonymous Access disabled.

This has worked fine under W2K for over a year and almost
1400 accounts. However, I rebuilt my server w/ Windows
2003 last week and now it only works for admins. The non-
admins can still create accounts, but they are getting
a "permission denied" on the line of code in the ASP page
that runs the CACLS command.

I've tried a couple of things, including changing the
Application Pool Identity to LocalSystem and ensuring that
Scripts/Executables are selected on the Home Directory
page. I even went as far as invoking IIS5 Isolation Mode
and turning the Process Isolation Level down to Low (what
I had to do in W2K for it to work) but still no success.

Again, it works for anyone w/ admin rights, but thats not
an option. Any thoughts out there? I really need this to
work again - we add 40-80 users a week and its putting me
way behind having to set these permissions, even with a
script.

Thanks as always, please feel free to email me at
websupport@gcflearnfree.org if you have any questions or
ideas.

Atrax 01-18-2004 10:01 AM
Re: File permissions from ASP
 
I wonder, have you checked the NTFS permisisons on the cacls.exe file
itself?

________________________________________
Atrax. MVP, IIS
http://rtfm.atrax.co.uk/

newsflash : Atrax.Richedit 1.0 now released.
http://rtfm.atrax.co.uk/infinitemonk...trax.RichEdit/

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!

ewallig 01-18-2004 01:09 PM
Re: File permissions from ASP
 
Good idea, but if I log on as one of the users and then
run the CACLS command from the CLI, it runs without a
problem - its just having problems running from the web
page.

I had this problem when I was using W2K Server; the
solution was to set the Process Isolation to Low but that
hasn't helped in this case.

Thanks for the input though...

>-----Original Message-----
>I wonder, have you checked the NTFS permisisons on the
cacls.exe file
>itself?
>
>________________________________________
>Atrax. MVP, IIS
>http://rtfm.atrax.co.uk/
>
>newsflash : Atrax.Richedit 1.0 now released.
>http://rtfm.atrax.co.uk/infinitemonk...onents/Atrax.R
ichEdit/
>
>*** Sent via Developersdex http://www.developersdex.com
***
>Don't just participate in USENET...get rewarded for it!
>.
>

ewallig 01-19-2004 03:12 PM
Re: File permissions from ASP
 
OK, more information - I ran FileMon while attempting to
execute the web page under a non-admin user. Here's what I
got:

821 9:15:53 AM inetinfo.exe:3208 IRP MJ_CREATE
C:\WINDOWS\system32\cmd.exe ACCESS DENIED Attributes:
Any Options: Open

This happens everytime a non-admin user tries to run this
page, but not whne an admin runs it - any idea who and
what I need to grant permissions to?


Thanks


>-----Original Message-----
>I wonder, have you checked the NTFS permisisons on the
cacls.exe file
>itself?
>
>________________________________________
>Atrax. MVP, IIS
>http://rtfm.atrax.co.uk/
>
>newsflash : Atrax.Richedit 1.0 now released.
>http://rtfm.atrax.co.uk/infinitemonk...onents/Atrax.R
ichEdit/
>
>*** Sent via Developersdex http://www.developersdex.com
***
>Don't just participate in USENET...get rewarded for it!
>.
>

ewallig 01-19-2004 09:57 PM
Re: File permissions from ASP
 
Hi again,

As it turns out, you were really close with your
suggestion about permissions on CACLS. It turns out that
Windows 2003 / IIS 6 does not implicitly allow access to
external system functions (anything in System32) from a
web page to anyone other than administrators.

So even though my users could access the command prompt
normally and could run CACLS from vbscripts (or from the
CLI) they could not run CACLS from ASP because the code
calls the command prompt to run it.

Adding their groups to the CMD.exe ACL list and giving
them Read and Execute solved the problem.


Thanks again,

Ed Wallig
Network Administrator
GCF Global Learning

>-----Original Message-----
>I wonder, have you checked the NTFS permisisons on the
cacls.exe file
>itself?
>
>________________________________________
>Atrax. MVP, IIS
>http://rtfm.atrax.co.uk/
>
>newsflash : Atrax.Richedit 1.0 now released.
>http://rtfm.atrax.co.uk/infinitemonk...onents/Atrax.R
ichEdit/
>
>*** Sent via Developersdex http://www.developersdex.com
***
>Don't just participate in USENET...get rewarded for it!
>.
>


All times are GMT. The time now is 11:21 AM.

Powered by vBulletin®. Copyright ©2000 - 2013, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57