Sign in
Microsoft.com
 
Microsoft
 
 
 

locked
Please advice me the best place to ask the following question RRS feed

 > 

  • Question

  • Question
    Sign in to vote
    0
    Sign in to vote

    I have a problem to get SID of the machine that is Windows Server 2016 after impersonation with the simple domain user

    Hi, All!

    I have a problem to get SID of the machine that is Windows Server 2016 after impersonation with the following domain user:

    User is simple user in domain that have local "Power Users" & "Backup Operators" membership.

    I am calling the following function with dwLevel = 2 in order to get SID of the machine:

    nStatus = NetUserModalsGetm_ipdwLevel, (LPBYTE *) &tmpBuf);

    and receiving the error 0x00000005 ERROR_ACCESS_DENIED The user does not have access to the requested information.

    This function worked fine for the same user for Windows Server 2008, but for Windows Server 2016 it doesn’t work. In case impersonation with the user who is member of Domain Admins group, the function works fine.

    My question is what are user’s restriction for calling the NetUserModalsGet function in case Windows Server 2016? Maybe I can create another user (other than Domain Admins user) that can get this information?

    Thanks in advance.

    Wednesday, January 18, 2017 8:35 AM

Answers

  • Question
    Sign in to vote
    0
    Sign in to vote

    Does this reference help?

    https://msdn.microsoft.com/en-us/library/windows/desktop/aa370656%28v=vs.85%29.aspx

    Is the computer where the SID is requested domain joined? If it is domain joined, is it a domain controller or a member server? And are both the Windows Server 2008 and 2016 machines DC's or member servers?

    I don't know of any reason why Windows Server 2016 would behave differently from Windows Server 2008. The error you report should depend only on the security applied to the object (the access control list, or ACL, of the server object).

    You might try other methods to retrieve the SID, as mentioned in the article I linked, for example iADSDomain methods. Or use the NetUserModalsGet function to retrieve the SID of the domain. Then you would only be missing the RID of the server (the last part of the SID). But if level is 2, I think the function just retrieves the SID of the domain anyway.

    If you can use PowerShell (Version 2 with the Active Directory module), try the following to see if you can retrieve the SID:

    Get-ADComputer -Identity my_ip | Select SID

    Or to retrieve the SID of the domain use:

    Get-ADDomain

    where the DomainSID property will be the SID of the domain.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Proposed as answer by Just Karl Friday, January 20, 2017 2:57 PM
    • Marked as answer by Dave PatrickMVP Wednesday, January 25, 2017 4:24 PM
    Wednesday, January 18, 2017 1:54 PM
  • Question
    Sign in to vote
    0
    Sign in to vote

    Might also try asking over here.

    https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/home?category=windowsdesktopdev

     

     


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Proposed as answer by Just Karl Friday, January 20, 2017 2:57 PM
    • Marked as answer by Dave PatrickMVP Wednesday, January 25, 2017 4:24 PM
    Wednesday, January 18, 2017 2:17 PM

All replies