AspNTUser
Frequently Asked Questions
Copyright
ã 1997 - 1998 Persits Software, Inc.All rights reserved.
Q. The component lists all users and groups just fine, but when I try to add a user or change membership information, I get an "Access Denied" message. Why?
A. The component runs in the security context of IUSR_xxx if Anonymous access is allowed for this directory, or that of the logged-in user otherwise. Adding users, changing membership info etc. requires administrative privileges. If the current user lacks these privileges, Windows NT will disallow the operation and the Access Denied exception will be thrown by the component.
Q. Whenever I try to user UM.LogonUser, I get the message "Privilege not held. You must have "Act as Part of the Operating System" privilege to use this method". What should I do to avoid it?
A. Most probably, your virtual directory has the "Run in separate memory space" option checked. This causes Windows NT to disallow calling LogonUser unless the user has the privilege "Act as Part of Operating System". You have two options: disable "Run in separate memory space" for this virtual directory, or grant this privilege to all the users of your application (go to User Manager, select Policies/User Rights, check "Show Advanced User Rights", select "Act as Part of Operating System", add desired users).
Q. I want to use Basic Authentication on a certain directory, but I don't want my users to see the pop-up logon dialog box. Can I use LoginUser to impersonate a user and avoid the dialog box?
A. No. If you use Basic Authentication, the logon dialog box will pop up whether you call UM.LogonUser or not. But you can use LogonUser to validate a username/password against a Windows NT account database, like this:
On Error Resume Next
UM.LogonUser Session("Domain"), Session("UserID"), Session("PWD")
If Err <> 0 Then
Response.Redirect "AccessDenied.html"
End If
In this example, Domain, Username and Password are collected from an "open" HTML form and validated against an NT account database.
Q. My NT server has several hundred user accounts. When I say
Set User = UM.Users( "username")
it takes quite some time to retrieve a single account. Is there a way to speed up this process?
A. Yes. When you use collection objects such as Users or Groups, the component loads all users into memory, which may take some time for a large number of user accounts. To retrieve a single domain or local user account, you may instead choose to call UM.GetUser("username") and UM.GetUser("username", False ), respectively.
Q. I'd like to be able to manage dial-in permissions. Can AspNTUser help me do that?
A. Starting with version 1.04, the component's User object has properties and methods to get and set dial-in permissions. See the User object reference in the manual for more information.
Q. I'd like to be able to handle multiple domains with AspNTUser, but it always seems to retrieve user and group accounts from the local domain controller. Setting UM.Server to the other domain's controller does not seem to help.
A. Starting with version 1.04, you can specify a domain other than the one AspNTUser is installed on. Simply say
UM.Domain = "MyDomainName"
Q. What is the easiest way to check if a certain user belongs to a certain group?
A. The following code checks if the local user jsmith belongs to the local group "my group".
Set gr = UM.LocalGroups("my group")
If Not gr.LocalUsers("jsmith") Is Nothing Then
' do something
End If