[jcifs] Re: NetLocalGroupEnum / NetLocalGroupGetMembers

Jake Goulding goulding at vivisimo.com
Wed Apr 4 21:21:48 GMT 2007 

Well, the problem is that I don't need the local groups, but need the 
members of those groups... a short example:

Active Directory users: A & B.
Fileserver F has local group G, containing A & B, and an ACL that says 
file Z can be read by group G.

If I get the ACL for Z, I will get group G back (this is me assuming...).

Later on, user A logs in to our system and tries to do a search. We 
query Active Directory at that time to see what rights A has. Since G is 
a local group, Active Directory will not know anything about it. Our 
security checks will say that A cannot access Z.

What I'd like to be able to do is (perhaps separately from jcifs?) query 
a server to get the local groups, then find all the members of those 
local groups (recursing until I no longer hit local groups).

Thanks!

Michael B Allen wrote:
> On Wed, 04 Apr 2007 17:09:09 -0400
> Jake Goulding <goulding at vivisimo.com> wrote:
>
>   
>> I've got a case where some customers have an Active Directory setup for 
>> the whole organization, but specific fileservers have local groups 
>> comprised of these AD users/groups. I'd like to be able to list the 
>> local groups on the remote server and resolve them until I end up at 
>> either a AD User or AD Group. Does anyone have any advice on how to do this?
>>
>> MSDN reference for the 2 relevant functions (I think):
>> NetLocalGroupEnum
>> http://msdn2.microsoft.com/en-us/library/aa370440.aspx
>>
>> NetLocalGroupGetMembers
>> http://msdn2.microsoft.com/en-us/library/aa370601.aspx
>>     
>
> Mmmm, I thought this worked already provided the DCERPC handle for the
> MsrpcLookupSids call was the file server itself which IIRC is how the code
> currently works. The MsrpcLookupSids call doesn't return local groups?
>
> Maybe you would have to implement new RPCs (I guess the ones you cite,
> not sure).
>
> Mike
>
>   

-- 

JAKE GOULDING
Software Engineer
goulding at vivisimo.com

Viví­simo [Search Done Right™]
1710 Murray Avenue
Pittsburgh, PA 15217 USA
tel: +1.412.422.2499 x105
fax: +1.412.422.2495
vivisimo.com      clusty.com

More information about the jcifs mailing list