Welcome to Vista Banter. You are currently viewing our boards as a guest which gives you limited access to view most discussions, articles and access our other FREE features. By joining our free community you will have access to ask questions and reply to others posts, upload your own photos and access many other special features. Registration is fast, simple and absolutely free so please, join our community today! If you have any problems with the registration process or your account login, please contact contact support. |
|
Security and Windows Vista A forum for discussion on security issues with Windows Vista. (microsoft.public.windows.vista.security) |
|
LinkBack | Thread Tools | Display Modes |
|
|||
IADs::SetInfo fails with "Access Denied" under Credential Provider
Hi,
We are having a credential provider for Biometric devices and SmartCard logon. We are storing the credentials of domain users in Active Directory whose schema we extend with 2 proprietery attributes to the User object. When a password change is done through our credential provider we update the data in AD. Here is the problem (Win7 x32 client, Win2003 x32 server): Although the user objects in the AD schema have the right SYSTEM with Full Control the IADs::SetInfo fails with 0x80050007 "Access Denied". It is interesting that the "Get" functions work in the same sequence of calls. The same piece of code Works under our GINA on XP. I know that Winlogon.exe has all the privileges whereas LogonUI.exe is more restrictive (does not have SE_RESTORE_NAME etc.) but the privileges should not have anything to do with the rights. Right? When I give the TestUser object in ADSIEdit.msc/Domain/Users/TestUser the Everyone Full Control then it works. But LogonUI.exe runs under SYSTEM account and the TestUser having SYSTEM Full Control should/must be enough.Right? So what could be the reason for this error? I. |