File permissions from ASP

Discussion in 'ASP General' started by ewallig, Jan 17, 2004.

  1. ewallig

    ewallig Guest

    Hi all, need help -

    As part of a ASP-based AD account creation tool, I need to
    set file permissions on the newly-created user's home
    folders. I'm using CACLS to do this and calling it from
    within the ASP page. The page is used by instructors who
    do not have admin rights (OU that they work in has been
    delegated to them and they have "Modify" and
    various "Special" NTFS permissions on the home share,
    including "Change Permissions". I'm running in Integrated
    Windows Authentication mode with Anonymous Access disabled.

    This has worked fine under W2K for over a year and almost
    1400 accounts. However, I rebuilt my server w/ Windows
    2003 last week and now it only works for admins. The non-
    admins can still create accounts, but they are getting
    a "permission denied" on the line of code in the ASP page
    that runs the CACLS command.

    I've tried a couple of things, including changing the
    Application Pool Identity to LocalSystem and ensuring that
    Scripts/Executables are selected on the Home Directory
    page. I even went as far as invoking IIS5 Isolation Mode
    and turning the Process Isolation Level down to Low (what
    I had to do in W2K for it to work) but still no success.

    Again, it works for anyone w/ admin rights, but thats not
    an option. Any thoughts out there? I really need this to
    work again - we add 40-80 users a week and its putting me
    way behind having to set these permissions, even with a
    script.

    Thanks as always, please feel free to email me at
    if you have any questions or
    ideas.
     
    ewallig, Jan 17, 2004
    #1
    1. Advertising

  2. ewallig

    Atrax Guest

    Atrax, Jan 18, 2004
    #2
    1. Advertising

  3. ewallig

    ewallig Guest

    Good idea, but if I log on as one of the users and then
    run the CACLS command from the CLI, it runs without a
    problem - its just having problems running from the web
    page.

    I had this problem when I was using W2K Server; the
    solution was to set the Process Isolation to Low but that
    hasn't helped in this case.

    Thanks for the input though...

    >-----Original Message-----
    >I wonder, have you checked the NTFS permisisons on the

    cacls.exe file
    >itself?
    >
    >________________________________________
    >Atrax. MVP, IIS
    >http://rtfm.atrax.co.uk/
    >
    >newsflash : Atrax.Richedit 1.0 now released.
    >http://rtfm.atrax.co.uk/infinitemonkeys/components/Atrax.R

    ichEdit/
    >
    >*** Sent via Developersdex http://www.developersdex.com

    ***
    >Don't just participate in USENET...get rewarded for it!
    >.
    >
     
    ewallig, Jan 18, 2004
    #3
  4. ewallig

    ewallig Guest

    OK, more information - I ran FileMon while attempting to
    execute the web page under a non-admin user. Here's what I
    got:

    821 9:15:53 AM inetinfo.exe:3208 IRP MJ_CREATE
    C:\WINDOWS\system32\cmd.exe ACCESS DENIED Attributes:
    Any Options: Open

    This happens everytime a non-admin user tries to run this
    page, but not whne an admin runs it - any idea who and
    what I need to grant permissions to?


    Thanks


    >-----Original Message-----
    >I wonder, have you checked the NTFS permisisons on the

    cacls.exe file
    >itself?
    >
    >________________________________________
    >Atrax. MVP, IIS
    >http://rtfm.atrax.co.uk/
    >
    >newsflash : Atrax.Richedit 1.0 now released.
    >http://rtfm.atrax.co.uk/infinitemonkeys/components/Atrax.R

    ichEdit/
    >
    >*** Sent via Developersdex http://www.developersdex.com

    ***
    >Don't just participate in USENET...get rewarded for it!
    >.
    >
     
    ewallig, Jan 19, 2004
    #4
  5. ewallig

    ewallig Guest

    Hi again,

    As it turns out, you were really close with your
    suggestion about permissions on CACLS. It turns out that
    Windows 2003 / IIS 6 does not implicitly allow access to
    external system functions (anything in System32) from a
    web page to anyone other than administrators.

    So even though my users could access the command prompt
    normally and could run CACLS from vbscripts (or from the
    CLI) they could not run CACLS from ASP because the code
    calls the command prompt to run it.

    Adding their groups to the CMD.exe ACL list and giving
    them Read and Execute solved the problem.


    Thanks again,

    Ed Wallig
    Network Administrator
    GCF Global Learning

    >-----Original Message-----
    >I wonder, have you checked the NTFS permisisons on the

    cacls.exe file
    >itself?
    >
    >________________________________________
    >Atrax. MVP, IIS
    >http://rtfm.atrax.co.uk/
    >
    >newsflash : Atrax.Richedit 1.0 now released.
    >http://rtfm.atrax.co.uk/infinitemonkeys/components/Atrax.R

    ichEdit/
    >
    >*** Sent via Developersdex http://www.developersdex.com

    ***
    >Don't just participate in USENET...get rewarded for it!
    >.
    >
     
    ewallig, Jan 19, 2004
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Scott Allen
    Replies:
    0
    Views:
    467
    Scott Allen
    Jul 13, 2004
  2. Curt K
    Replies:
    0
    Views:
    589
    Curt K
    Nov 3, 2006
  3. travelling_nerd
    Replies:
    4
    Views:
    181
    Patrice
    Jul 13, 2004
  4. N. Quisitive
    Replies:
    0
    Views:
    148
    N. Quisitive
    Jan 17, 2006
  5. Vikram Sharma
    Replies:
    2
    Views:
    173
    Vikram Sharma
    Dec 1, 2008
Loading...

Share This Page