Hi!

I need to configure DCOM Security that applies to all COM servers on the computer using the registry. These ACLs are stored in the registry at the following locations:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MachineAccessRestriction = ACL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MachineLaunchRestriction = ACL

How is it possible to receive all users from these ACLs using the API? Please help.

Quotation from MSDN begin

***

Windows Server XP Service Pack 2 (SP 2) introduces enhanced default security settings for the Distributed Component Object Model (DCOM). Specifically, SP 2 introduces more granular rights that allow an administrator independent control over local and remote permissions for launching, activating, and accessing COM servers.

***

Alternatively, you can configure these ACL settings using the registry. These ACLs are stored in the registry at the following locations:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MachineAccessRestriction = ACL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MachineLaunchRestriction = ACL

These are named values of type REG_BINARY that contain data that describe the ACL of the principals that can access any COM class or COM object on the computer. The access rights in the ACL are:

These ACLs can be created using normal security functions. Note that COM_RIGHTS_EXECUTE rights must always be present, because the absence of this right generates an invalid security descriptor. Only users with Administrator rights can modify these settings.

***

Quotation from MSDN end
Hi zyke,

> How is it possible to receive all users from these ACLs using the API?
> Please help.

A bit late to the game, but I thought I'd add here that I've used the ATL security primitive wrapper classes (CSecurityDesc, CSid, CDacl, etc. -- see atlsecurity.h) in Visual Studio 2003 to write security info.

So if you have ATL7.1 (that comes with VS2003), and care to try and get your head around the format of security descriptors, you could try and use those classes to read security info.

--
Best Regards,
Kim Grsman
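For readers who want to see the security descriptor format itself, here is an added example (not code from either poster, and not ATL) that lists the SID and access mask of every allow/deny entry in a DACL. It assumes the REG_BINARY data is a self-relative security descriptor that has already been read from the registry, for instance with RegQueryValueEx; `AceInfo`, `listDaclEntries` and `sampleDescriptor` are hypothetical names, and the sample bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// One DACL entry. COM rights bits in mask: EXECUTE=1, EXECUTE_LOCAL=2,
// EXECUTE_REMOTE=4, ACTIVATE_LOCAL=8, ACTIVATE_REMOTE=16. type: 0=allow, 1=deny.
struct AceInfo { std::string sid; uint8_t type; uint32_t mask; };

// Bounds-checked little-endian read of n (1..4) bytes at offset off.
static uint32_t rd(const std::vector<uint8_t>& b, size_t off, size_t n) {
    if (off > b.size() || n > b.size() - off) throw std::runtime_error("truncated descriptor");
    uint32_t v = 0;
    for (size_t i = 0; i < n; ++i) v |= uint32_t(b[off + i]) << (8 * i);
    return v;
}

// Render a binary SID as S-R-A-S1-S2... (the 6-byte authority is big-endian).
static std::string sidToString(const std::vector<uint8_t>& b, size_t off) {
    uint32_t rev = rd(b, off, 1), count = rd(b, off + 1, 1);
    uint64_t auth = 0;
    for (size_t i = 0; i < 6; ++i) auth = (auth << 8) | rd(b, off + 2 + i, 1);
    std::string s = "S-" + std::to_string(rev) + "-" + std::to_string(auth);
    for (uint32_t i = 0; i < count; ++i) s += "-" + std::to_string(rd(b, off + 8 + 4 * i, 4));
    return s;
}

// Walk the DACL: 20-byte descriptor header, 8-byte ACL header, then the ACEs.
std::vector<AceInfo> listDaclEntries(const std::vector<uint8_t>& sd) {
    std::vector<AceInfo> out;
    uint32_t control = rd(sd, 2, 2), daclOff = rd(sd, 16, 4);
    if (!(control & 0x0004) || daclOff == 0) return out;  // no DACL or NULL DACL: nothing to list
    uint32_t aclSize = rd(sd, daclOff + 2, 2), aceCount = rd(sd, daclOff + 4, 2);
    size_t pos = daclOff + 8, end = daclOff + aclSize;
    for (uint32_t i = 0; i < aceCount; ++i) {
        uint32_t type = rd(sd, pos, 1), size = rd(sd, pos + 2, 2);
        if (size < 8 || pos + size > end) throw std::runtime_error("bad ACE size");
        if (type == 0 || type == 1)  // ACCESS_ALLOWED / ACCESS_DENIED: 4-byte mask, then SID
            out.push_back({sidToString(sd, pos + 8), uint8_t(type), rd(sd, pos + 4, 4)});
        pos += size;
    }
    return out;
}

// Constructed sample: DACL allowing Everyone (mask 0x3) and BUILTIN\Administrators (0x1F).
std::vector<uint8_t> sampleDescriptor() {
    return {1,0,0x04,0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0x14,0,0,0,  2,0,0x34,0,2,0,0,0,
            0,0,0x14,0, 0x03,0,0,0, 1,1,0,0,0,0,0,1, 0,0,0,0,
            0,0,0x18,0, 0x1F,0,0,0, 1,2,0,0,0,0,0,5, 0x20,0,0,0, 0x20,0x02,0,0};
}
```

On Windows, the SID strings can then be turned into account names with ConvertStringSidToSid and LookupAccountSid.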