Active Directory computers and collect information from these AD remote

  • Question

    Hello!

    We are developing software on the ASP.NET platform with C#, which collects information from AD remote computers.

    We used the following code:

    /* Code for impersonating an Active Directory domain user.
       LogonUser is a user-defined class. We use the Win32 function LogonUserA to do the
       impersonation. It has been tested and works well. The application-specified username
       and password (encrypted) are stored in our application database and can be changed
       by our application user at any time. */

    // At the top of the file: using Microsoft.Win32;  (needed for RegistryKey and RegistryHive)

    RegistryKey objSubKeys = null;

    if (!LogonUser.impersonateValidUser(
        Constants.strUserName, strDomain, Constants.strPassword))
    {
        // Impersonation failed: the stored credentials were rejected, so stop here.
        Utilities.WriteAppErrorLog("Error: The User Credential is Not Valid");
        return;
    }

    /* The code above usually works well. */

    /* After that we use this code to access the remote registry.
       The remote HKLM hive is opened under the impersonated identity, then the
       Uninstall key is opened beneath it (read-only by default). */
    objSubKeys = RegistryKey.OpenRemoteBaseKey(
                     RegistryHive.LocalMachine, remoteName).OpenSubKey(
                     "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall");

    /* End of code example */

    We use the above code to explore the Active Directory computers and collect information from these AD remote computers.

    The OpenRemoteBaseKey call fails if the application-specified user is not the user "Administrator" (BTW, the application-specified user is an AD user of course and is used for the impersonation; this application-specified AD user is a member of all the groups that the internal "Administrator" user belongs to, i.e. Administrators, Domain Admins, Domain Users, Enterprise Admins, Group Policy Creator Owners, Schema Admins). The OpenRemoteBaseKey call only appears to work when using the internal "Administrator" user.

    Our questions are:

    1. For an application-specified user (not "Administrator", nor in the Administrators group), what are the necessary steps to make the above code work properly? Is it absolutely necessary to, at the very least, add it to the Administrators group? What else do we need to do to elevate security rights to emulate the Administrator user's privileges?

    2. Whatever the answer to the previous question, is it possible to limit the privilege for the remote registry to READ ONLY? It should be set at the policy level, and we do not want it to affect any other users that can access the registry, because our customer may want to install other applications which need (write) access.

    Thanks

    -----------------------------------------------------------------------------------------------
    The following is what we found in the MSDN. We just do not know what the "elevated security rights" of the administrator user are.
    -----------------------------------------------------------------------------------------------

    Knowledge Base

    A program can no longer access the registry on a remote computer after you install Windows Server 2003 Service Pack 1

    Article ID: 914057

    Article Last Modified on 11/1/2006


    --------------------------------------------------------------------------------
    APPLIES TO


    Microsoft Windows Server 2003 Service Pack 1, when used with:
    Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
    Microsoft Windows Server 2003, Enterprise x64 Edition
    Microsoft Windows Server 2003, Standard x64 Edition

    --------------------------------------------------------------------------------

    SYMPTOMS
    A program is no longer able to access the registry on a remote computer from a Microsoft Windows Server 2003-based computer after you install Windows Server 2003 Service Pack 1 (SP1). This symptom only occurs if you are not logged on to the computer by using the administrator account or other account that has elevated security rights.
    CAUSE
    This behavior occurs because security changes in Windows Server 2003 SP1 require that credentials with elevated security rights, such as administrator credentials, be used to access the registry on a remote computer.

    When a program tries to access the registry on a remote computer, Windows Server 2003 calls the RegConnectRegistry function. The RegConnectRegistry function uses cached credentials for authentication. If the current user does not have appropriate access to the remote computer, the call to RegConnectRegistry fails.

    For more information about the RegConnectRegistry function, visit the following Microsoft MSDN Web site:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/regconnectregistry.asp

    WORKAROUND
    To work around this behavior, use either of the following methods.
    Method 1
    Use the Run as command on the remote computer to start the program as an administrator. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    325362 How to use "Run as" to start an application as an administrator in Windows Server 2003

    Method 2
    Use the Windows Credential Manager feature to cache the appropriate credentials on the local computer and to automatically associate those credentials with the remote computer. To do this, follow these steps:
    1. Log on to the remote computer by using the appropriate credentials, such as administrator credentials.
    2. In the dialog box where you are prompted for these credentials, click to select the Update Default Credentials option or the Save Password option, and then click OK.
    For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    913485 Cached credentials security in Windows Server 2003, in Windows XP, and in Windows 2000

    STATUS
    This behavior is by design.
    MORE INFORMATION
    Technical support for x64-based versions of Microsoft Windows
    Your hardware manufacturer provides technical support and assistance for x64-based versions of Windows. Your hardware manufacturer provides support because an x64-based version of Windows was included with your hardware. Your hardware manufacturer might have customized the installation of Windows with unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with your x64-based version of Windows. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware.

    For product information about Microsoft Windows XP Professional x64 Edition, visit the following Microsoft Web site:
    http://www.microsoft.com/windowsxp/64bit/default.mspx

    For product information about x64-based versions of Microsoft Windows Server 2003, visit the following Microsoft Web site:
    http://www.microsoft.com/windowsserver2003/64bit/x64/default.mspx


    • Moved by jack 321 Monday, June 2, 2008 8:22 AM off topic
    Thursday, May 29, 2008 12:53 AM
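An added example (not the poster's code) of the impersonate-then-read-remote-registry pattern the post describes, for the .NET Framework/ASP.NET stack it mentions: it logs on with LOGON32_LOGON_NEW_CREDENTIALS so the supplied domain credentials apply only to the outbound connection, opens the Uninstall key read-only, and always undoes the impersonation and closes the token. The host name, account and password passed to ReadInstalledPrograms are placeholders the caller supplies.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32;
// Added example, not the poster's code. Host, account and password are placeholders.
static class RemoteUninstallReader
{
    // NEW_CREDENTIALS keeps the local identity and applies the supplied credentials
    // only to outbound connections such as the remote registry (PROVIDER_WINNT50 is required).
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);
    // Returns the DisplayName of each entry under the remote Uninstall key; every key
    // is opened read-only (writable: false), so the call asks for no more than it needs.
    public static List<string> ReadInstalledPrograms(string remoteHost, string user,
                                                     string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        var names = new List<string>();
        try
        {
            // Disposing the context undoes the impersonation; disposing a RegistryKey closes it.
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            using (RegistryKey hklm = RegistryKey.OpenRemoteBaseKey(RegistryHive.LocalMachine, remoteHost))
            using (RegistryKey uninstall = hklm.OpenSubKey(
                       @"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", false))
            {
                if (uninstall == null) return names;   // key absent on the target machine
                foreach (string sub in uninstall.GetSubKeyNames())
                    using (RegistryKey entry = uninstall.OpenSubKey(sub, false))
                    {
                        object displayName = entry == null ? null : entry.GetValue("DisplayName");
                        if (displayName != null) names.Add(displayName.ToString());
                    }
            }
        }
        finally { CloseHandle(token); }   // never leak the logon token, even if the remote open fails
        return names;
    }
}
```

With this logon type LogonUser does not validate the password locally, so a wrong password surfaces as an access-denied from OpenRemoteBaseKey rather than from LogonUser. The read-only flag only limits what this client asks for; what the account can actually read is enforced on the remote machine by the ACLs on the keys themselves and on the winreg key (HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg) that gates remote registry connections.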

Answers