0

First of all, my mother tongue is not English, so I apologize for the possible mistakes.

I'm working on a WS2008R2 server with an Active Directory and a web platform manages this AD with C# code.

A group of users has to be able to create user accounts, but during the procedure a disk quota for the new account is (and has to be) created. As the "creator" must not be a member of the Administrators group, access to the C: disk is denied.

So, I want to perform the File Server Resource Manager operations with C# code from a non-admin account. The code is correct; it works normally with an admin account. So, the problem revolves around the permissions on the hard drive.

I've looked for help on the Internet, without success. It seems that quota delegation is impossible. Only an admin can perform this.

A colleague helped me a bit, and found the GPO "Bypass traverse checking" on a forum, but it doesn't seem to be the good way.

Any help would be appreciated.

Nate B.
  • Administrating AD and administrating FSRM are two separate things. You can have a user who is not a domain administrator, but is a local administrator of your file server. Are you trying to run a Domain Controller and FSRM on the same server? – Chris Thorpe Aug 31 '11 at 13:00
  • Yes, I do. It's exactly my case. – Nate B. Aug 31 '11 at 13:16
  • can you please share the code? –  Dec 12 '12 at 10:05

1 Answer

3

Administering FSRM requires local administrator privileges on the FSRM host server (Source).

When you upgrade a server to a domain controller, it ceases to have any local accounts at all. All of its accounts become domain accounts. Its local administrator becomes the domain administrator account. At this point, the local administrator of the server and the domain administrator are one and the same thing.

Since FSRM requires local administrator permissions to configure, and your server is a domain controller with no local accounts, you are now in a situation where you must have domain administrator privilege to administrate your FSRM instance.

Your possible solutions for this are:

  • Separate your File Server and Domain Controller (this is best-practice), either onto 2 separate physical servers, or into two separate VMs (e.g. using Hyper-V).
  • Wait until the next version of Windows Server, and see if a feature for FSRM delegation has been added.
  • Accept the risk of running your software with Domain Administrator credentials.
Chris Thorpe
  • Thanks a lot for your complete answer. Until the end, I hoped that there was a different way to solve this issue. But obviously there is not. Thanks again! – Nate B. Sep 01 '11 at 06:45
  • I solved the problem by creating an .exe that does what I want. I call it when I want to get, set or delete quotas. The default user chosen by the application pool of IIS executes the file, and this user is a member of admin member and secured. So, I used a "rogue" technique, but it works. Thank you again. (Do you want me to share the code?) – Nate B. Oct 06 '11 at 14:09
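
A helper executable like the one described in the last comment runs with administrator rights on a domain controller, so its arguments are the privilege boundary. The sketch below is an added example, not the asker's code: it accepts only an account name and a size, confines the target to a single folder root, and then calls `dirquota.exe`, the command-line tool installed with the FSRM role service. `QuotaRoot`, the size bounds and the class name are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Text.RegularExpressions;

// Added example: narrow, input-validating quota helper run under the privileged identity.
static class QuotaHelper
{
    const string QuotaRoot = @"D:\Homes";   // hypothetical home-folder root (assumption)
    const int MinMb = 1, MaxMb = 10240;     // hypothetical allowed quota range (assumption)
    static readonly Regex NameRx = new Regex(@"^[A-Za-z0-9._-]{1,64}$");

    // Returns the validated folder path, or throws on anything unexpected.
    public static string ResolveFolder(string accountName)
    {
        // Allow-list characters; reject names made only of dots ("." and "..").
        if (accountName == null || !NameRx.IsMatch(accountName) || accountName.Trim('.').Length == 0)
            throw new ArgumentException("invalid account name");
        string full = Path.GetFullPath(Path.Combine(QuotaRoot, accountName));
        // Defence in depth: the result must be a direct child of QuotaRoot.
        if (!string.Equals(Path.GetDirectoryName(full), QuotaRoot, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("path escapes quota root");
        return full;
    }

    static int Main(string[] args)
    {
        int limitMb;
        if (args.Length != 2 || !int.TryParse(args[1], out limitMb) || limitMb < MinMb || limitMb > MaxMb)
        {
            Console.Error.WriteLine("usage: QuotaHelper <accountName> <limitMB>");
            return 2;
        }
        string folder;
        try { folder = ResolveFolder(args[0]); }
        catch (ArgumentException e) { Console.Error.WriteLine(e.Message); return 2; }

        var psi = new ProcessStartInfo
        {
            // Absolute path so a planted dirquota.exe elsewhere on PATH is never picked up.
            FileName = Path.Combine(Environment.SystemDirectory, "dirquota.exe"),
            Arguments = string.Format("quota add /path:\"{0}\" /limit:{1}mb", folder, limitMb),
            UseShellExecute = false
        };
        using (Process p = Process.Start(psi))
        {
            p.WaitForExit();
            return p.ExitCode;   // propagate dirquota's result to the caller
        }
    }
}
```

Because the caller can influence only a validated name and a bounded integer, a compromise of the web front end does not turn the helper into a general administrator command runner.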