Please advise me on the best place to ask the following question

    Question

  • I have a problem getting the SID of a Windows Server 2016 machine after impersonation with a simple domain user

    Hi, All!

    I have a problem getting the SID of a Windows Server 2016 machine after impersonation with the following domain user:

    The user is a simple user in the domain that has local "Power Users" and "Backup Operators" membership.

    I am calling the following function with dwLevel = 2 in order to get SID of the machine:

    nStatus = NetUserModalsGet(m_ip, dwLevel, (LPBYTE *) &tmpBuf);

    and receive the error 0x00000005 ERROR_ACCESS_DENIED: The user does not have access to the requested information.

    This function worked fine for the same user on Windows Server 2008, but on Windows Server 2016 it doesn’t work. When impersonating a user who is a member of the Domain Admins group, the function works fine.

    My question is: what are the user restrictions for calling the NetUserModalsGet function on Windows Server 2016? Maybe I can create another user (other than a Domain Admins user) that can get this information?

    Thanks in advance.

    Wednesday, January 18, 2017 8:35 AM

Answers

  • Does this reference help?

    https://msdn.microsoft.com/en-us/library/windows/desktop/aa370656%28v=vs.85%29.aspx

    Is the computer where the SID is requested domain joined? If it is domain joined, is it a domain controller or a member server? And are both the Windows Server 2008 and 2016 machines DC's or member servers?

    I don't know of any reason why Windows Server 2016 would behave differently from Windows Server 2008. The error you report should depend only on the security applied to the object (the access control list, or ACL, of the server object).

    You might try other methods to retrieve the SID, as mentioned in the article I linked, for example iADSDomain methods. Or use the NetUserModalsGet function to retrieve the SID of the domain. Then you would only be missing the RID of the server (the last part of the SID). But if level is 2, I think the function just retrieves the SID of the domain anyway.

    If you can use PowerShell (Version 2 with the Active Directory module), try the following to see if you can retrieve the SID:

    Get-ADComputer -Identity my_ip | Select SID

    Or to retrieve the SID of the domain use:

    Get-ADDomain

    where the DomainSID property will be the SID of the domain.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, January 18, 2017 1:54 PM
    Moderator
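
The answer above notes that a server's account SID is the domain SID plus a final RID. The following is an added example, not code from the thread or its participants, that resolves a computer account's SID with .NET and splits it into those two parts. `CONTOSO`, `SRV2016` and the sample SID are constructed placeholders, and the function names are hypothetical.

```powershell
# Added example: function names and all sample values are illustrative, not from the thread.

function Resolve-ComputerSid {
    param([Parameter(Mandatory)][string]$Domain,
          [Parameter(Mandatory)][string]$ComputerName)
    # A computer account's sAMAccountName is the host name with a trailing '$'
    $acct = New-Object System.Security.Principal.NTAccount($Domain, ($ComputerName + '$'))
    try {
        $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        Write-Warning "No SID mapping found for $($acct.Value)"
        $null
    }
}

function Split-AccountSid {
    param([Parameter(Mandatory)][string]$Sid)
    $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    # AccountDomainSid is $null for SIDs that are not account SIDs (e.g. S-1-5-32-544)
    $domainSid = $s.AccountDomainSid
    if ($null -eq $domainSid -or $domainSid.Value -eq $s.Value) {
        # Either a well-known/builtin SID or a bare domain SID: there is no RID to split off
        $domainValue = $null
        if ($null -ne $domainSid) { $domainValue = $domainSid.Value }
        return [pscustomobject]@{ Sid = $s.Value; DomainSid = $domainValue; Rid = $null }
    }
    # The RID is the last sub-authority of the account SID
    $rid = [uint32]($s.Value.Split('-')[-1])
    [pscustomobject]@{ Sid = $s.Value; DomainSid = $domainSid.Value; Rid = $rid }
}

# Constructed sample SID: runs offline, no domain needed
Split-AccountSid -Sid 'S-1-5-21-1004336348-1177238915-682003330-1105'

# Builtin Administrators alias: not an account SID, so DomainSid and Rid stay empty
Split-AccountSid -Sid 'S-1-5-32-544'

# On a domain-joined machine (placeholder names):
# $sid = Resolve-ComputerSid -Domain 'CONTOSO' -ComputerName 'SRV2016'
# if ($sid) { Split-AccountSid -Sid $sid }
```

The `DomainSid` value returned for a computer account should equal the `DomainSID` property that `Get-ADDomain` reports for the same domain.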
  • Might also try asking over here.

    https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/home?category=windowsdesktopdev

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Wednesday, January 18, 2017 2:17 PM
    Moderator
