Discussion:
NetUserGetLocalGroups returns ERROR_ACCESS_DENIED
Paul Vezzetti
2003-10-01 20:15:52 UTC
I am trying to determine what local groups a user is a
member of by calling NetUserGetLocalGroups. The process
is running under the local Administrator account. The
server is a member server in a domain. I am trying to
determine the local group membership for a domain user.
NetUserGetLocalGroups returns ERROR_ACCESS_DENIED.

This doesn't make sense to me. Shouldn't the local
Administrator be able to determine if a user is a member
of the local groups?
Paul Vezzetti
2003-10-01 20:43:47 UTC
I did discover that if I don't set the LG_INCLUDE_INDIRECT
flag then it is successful. Of course, I need to know if
the user is part of a global group within the local group
so it doesn't help much.
John Eikanger [MSFT]
2003-10-02 17:55:00 UTC
Hi, Paul

I've asked a Net API specialist to respond to your post. If he has not
done so by close of business on Friday, please post that information here
and I will expedite.

Thank you for choosing the MSDN Managed Newsgroups,

John Eikanger
Microsoft Developer Support

This posting is provided “AS IS” with no warranties, and confers no rights.
"Microsoft highly recommends to all of our customers that they visit the
http://www.microsoft.com/protect site and perform the three straightforward
steps listed to improve your computer’s security."
Ramesh Thangavelu [MSFT]
2003-10-02 21:24:16 UTC
Hi Paul,

Please review the following article that speaks about the Security
Requirements for the Network Management Functions
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/security_requirements_for_the_network_management_functions.asp

Only authenticated users can successfully execute the NetUserGetLocalGroups
function.
Is the user of the process (calling NetUserGetLocalGroups) logged onto the
domain?
What OS is the process running on? Is the process an executable? Is this an
active directory domain?

Thank You,
Ramesh Thangavelu
Microsoft, NetApi

This posting is provided "AS IS", with no warranties, and confers no rights.
Paul Vezzetti
2003-10-03 16:55:20 UTC
We actually have two failing scenarios. One is at a
customer. The other in our lab.

For both cases the OS is Win2000 Server with Active
Directory domains. At the customer, the process is
running as a service under a Domain Admin account. In our
lab, the process is a service running under the local
Administrator account. We get the access_denied return
code when we attempt to get the local groups for a domain
user.
Ramesh Thangavelu [MSFT]
2003-10-06 23:30:19 UTC
Hi Paul,

You might want to check the security rights of the NT Service that is
calling the NetUserGetLocalGroups function.
Please note that the 'local Administrator Account' will fail with ACCESS
DENIED when you specify the flag LG_INCLUDE_INDIRECT. When the flag
LG_INCLUDE_INDIRECT is specified, the API has to look into the domain
level global groups of which the local group is an indirect member, and for
this the account calling the NetUserGetLocalGroups function should also have
domain level access as well. It needs authenticated users, i.e. local
authentication and domain level authentication, when using the
LG_INCLUDE_INDIRECT flag.
From the control panel, you can try and run your NT service with an
account that has both local authentication and domain level authentication
when using the LG_INCLUDE_INDIRECT flag.

Thank You,
Ramesh Thangavelu
Microsoft, NetApi
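An added example, not code from this thread: a Python ctypes wrapper that first asks NetUserGetLocalGroups for direct plus indirect membership and, when the domain-side lookup comes back ERROR_ACCESS_DENIED as Paul observed, repeats the call without LG_INCLUDE_INDIRECT and marks the answer as direct-only rather than treating it as a failure. The `local_groups` function and its injectable `call` parameter are my own names; the constants are the documented lm.h/winerror.h values, and the real call only works on Windows.

```python
import ctypes

# Constants from lm.h / winerror.h (documented values)
LG_INCLUDE_INDIRECT = 0x0001       # also report groups joined via global groups
MAX_PREFERRED_LENGTH = 0xFFFFFFFF  # let netapi32 size the result buffer
NERR_Success = 0
ERROR_ACCESS_DENIED = 5


class LOCALGROUP_USERS_INFO_0(ctypes.Structure):
    """Level-0 result record: one local group name per entry."""
    _fields_ = [("lgrui0_name", ctypes.c_wchar_p)]


def _win32_call(server, user, flags):
    """Real call through ctypes (Windows only). Returns (status, [names])."""
    netapi32 = ctypes.WinDLL("netapi32")
    fn = netapi32.NetUserGetLocalGroups
    fn.restype = ctypes.c_uint32
    fn.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32,
                   ctypes.c_uint32,
                   ctypes.POINTER(ctypes.POINTER(LOCALGROUP_USERS_INFO_0)),
                   ctypes.c_uint32, ctypes.POINTER(ctypes.c_uint32),
                   ctypes.POINTER(ctypes.c_uint32)]
    buf = ctypes.POINTER(LOCALGROUP_USERS_INFO_0)()
    read, total = ctypes.c_uint32(), ctypes.c_uint32()
    # server=None means the local computer; level 0 returns names only
    status = fn(server, user, 0, flags, ctypes.byref(buf),
                MAX_PREFERRED_LENGTH, ctypes.byref(read), ctypes.byref(total))
    if status != NERR_Success:
        return status, []
    names = [buf[i].lgrui0_name for i in range(read.value)]
    netapi32.NetApiBufferFree(buf)  # release the buffer netapi32 allocated
    return NERR_Success, names


def local_groups(user, server=None, call=_win32_call):
    """Try direct + indirect membership first. If only the indirect (domain)
    lookup is refused, fall back to direct membership and report that the
    result is incomplete. Returns (names, indirect_included)."""
    status, names = call(server, user, LG_INCLUDE_INDIRECT)
    if status == NERR_Success:
        return names, True
    if status != ERROR_ACCESS_DENIED:
        raise OSError(status, "NetUserGetLocalGroups failed, status %d" % status)
    status, names = call(server, user, 0)
    if status != NERR_Success:
        raise OSError(status, "NetUserGetLocalGroups failed, status %d" % status)
    return names, False  # caller must not treat this as the full picture
```

A service running under the local Administrator account, as in the lab case above, will take the fallback path; treating the direct-only list as complete is the silent error to watch for.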
