File permissions from ASP

[ewallig]

Hi all, need help -

As part of a ASP-based AD account creation tool, I need to
set file permissions on the newly-created user's home
folders. I'm using CACLS to do this and calling it from
within the ASP page. The page is used by instructors who
do not have admin rights (OU that they work in has been
delegated to them and they have "Modify" and
various "Special" NTFS permissions on the home share,
including "Change Permissions". I'm running in Integrated
Windows Authentication mode with Anonymous Access disabled.

This has worked fine under W2K for over a year and almost
1400 accounts. However, I rebuilt my server w/ Windows
2003 last week and now it only works for admins. The non-
admins can still create accounts, but they are getting
a "permission denied" on the line of code in the ASP page
that runs the CACLS command.

I've tried a couple of things, including changing the
Application Pool Identity to LocalSystem and ensuring that
Scripts/Executables are selected on the Home Directory
page. I even went as far as invoking IIS5 Isolation Mode
and turning the Process Isolation Level down to Low (what
I had to do in W2K for it to work) but still no success.

Again, it works for anyone w/ admin rights, but thats not
an option. Any thoughts out there? I really need this to
work again - we add 40-80 users a week and its putting me
way behind having to set these permissions, even with a
script.

Thanks as always, please feel free to email me at
(e-mail address removed) if you have any questions or
ideas.

 

[Atrax]

I wonder, have you checked the NTFS permisisons on the cacls.exe file
itself?

________________________________________
Atrax. MVP, IIS
http://rtfm.atrax.co.uk/

newsflash : Atrax.Richedit 1.0 now released.
http://rtfm.atrax.co.uk/infinitemonkeys/components/Atrax.RichEdit/

 

[ewallig]

Good idea, but if I log on as one of the users and then
run the CACLS command from the CLI, it runs without a
problem - its just having problems running from the web
page.

I had this problem when I was using W2K Server; the
solution was to set the Process Isolation to Low but that
hasn't helped in this case.

Thanks for the input though...

 

[ewallig]

OK, more information - I ran FileMon while attempting to
execute the web page under a non-admin user. Here's what I
got:

821 9:15:53 AM inetinfo.exe:3208 IRP MJ_CREATE
C:\WINDOWS\system32\cmd.exe ACCESS DENIED Attributes:
Any Options: Open

This happens everytime a non-admin user tries to run this
page, but not whne an admin runs it - any idea who and
what I need to grant permissions to?


Thanks

 

[ewallig]

Hi again,

As it turns out, you were really close with your
suggestion about permissions on CACLS. It turns out that
Windows 2003 / IIS 6 does not implicitly allow access to
external system functions (anything in System32) from a
web page to anyone other than administrators.

So even though my users could access the command prompt
normally and could run CACLS from vbscripts (or from the
CLI) they could not run CACLS from ASP because the code
calls the command prompt to run it.

Adding their groups to the CMD.exe ACL list and giving
them Read and Execute solved the problem.


Thanks again,

Ed Wallig
Network Administrator
GCF Global Learning