A Windows Vista forum. Vista Banter

Welcome to Vista Banter.

You are currently viewing our boards as a guest which gives you limited access to view most discussions, articles and access our other FREE features. By joining our free community you will have access to ask questions and reply to others posts, upload your own photos and access many other special features. Registration is fast, simple and absolutely free so please, join our community today!

If you have any problems with the registration process or your account login, please contact contact support.

Go Back   Home » Vista Banter forum » Microsoft Windows Vista » Security and Windows Vista
Site Map Home Register Authors List Search Today's Posts Mark Forums Read Web Partners

Security and Windows Vista A forum for discussion on security issues with Windows Vista. (microsoft.public.windows.vista.security)

IADs::SetInfo fails with "Access Denied" under Credential Provider



 
 
LinkBack Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1 (permalink)  
Old October 19th 10, 03:36 PM posted to microsoft.public.adsi.general,microsoft.public.platformsdk.adsi,microsoft.public.platformsdk.security,microsoft.public.win2000.general,microsoft.public.windows.vista.security
Igor Jovanovski
external usenet poster
 
Posts: 1
Default IADs::SetInfo fails with "Access Denied" under Credential Provider

Hi,

We are having a credential provider for Biometric devices and
SmartCard logon.
We are storing the credentials of domain users in Active Directory
whose schema we extend with 2 proprietery attributes to the User
object.
When a password change is done through our credential provider we
update the data in AD. Here is the problem (Win7 x32 client, Win2003
x32 server):

Although the user objects in the AD schema have the right SYSTEM with
Full Control the IADs::SetInfo fails with 0x80050007 "Access Denied".
It is interesting that the "Get" functions work in the same sequence
of calls.
The same piece of code Works under our GINA on XP. I know that
Winlogon.exe has all the privileges whereas LogonUI.exe is more
restrictive (does not have SE_RESTORE_NAME etc.) but the privileges
should not have anything to do with the rights. Right?
When I give the TestUser object in ADSIEdit.msc/Domain/Users/TestUser
the Everyone Full Control then it works. But LogonUI.exe runs under
SYSTEM account and the TestUser having SYSTEM Full Control should/must
be enough.Right?
So what could be the reason for this error?

I.
 




Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT. The time now is 12:16 PM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.Search Engine Optimization by vBSEO 3.0.0 RC6
Copyright ©2004-2024 Vista Banter.
The comments are property of their posters.