net user /domain returning Error 5 - Access is denied

active-directory windows-server-2008-r2

I do have a domain where the default ACLs have been altered on all user and computer objects and the List Object Mode (Access Based Enumeration for directory objects) has been enabled. Most notably, the Everyone:Read permission has been removed from the list for most directory objects so users are unable to read "foreign" objects to comply with a privacy protection policy.

In this constellation, an application's client (based on the UniPaas Framework if this matters) is trying to read a specific user's group memberships and fails for an unknown reason. From the software manufacturer we got a simple test case where a net user %USERNAME% /domain is failing with an Error 5 - Access is denied in this infrastructure. The network protocols net use is using and the way how it is failing corresponds to what we are seeing when taking network traces of the application.

I am now somewhat as a loss as I do not know anything about the internals of the net user call (especially what API it is using to read the attributes and which permission the user has to have to get them). How do I start debugging this?

Edit: one thing I came up with was running Wireshark to record the network traffic induced by a net user %username% /domain call. Everything looks good up to the point where a SAMR OpenDomain call is issued for the BUILTIN domain (S-1-5-32) which returns STATUS_ACCESS_DENIED, after which all connections are torn down. See packets 33 and 34 in this pcap trace. This seems to be the reason for the Access denied response from net user, although I have no idea what is going wrong here.


It looks like you've somehow managed to prevent enumeration of the builtin groups. That net user call opens connections to two domains as part of it's operation:

  1. To your AD Domain based on the domain SID.
  2. To the BUILTIN domain based on the widely known SID for that (S-1-5-32).

Most of the queries are done to the first connection, one is passed through the second. This pass turns $YOURDOMAIN\Domain Users into the widely known principle of BUILTIN\Domain Users (S-1-5-32-545), which the system knows to treat special. When the connection to the BUILTIN domain is rejected, the whole call fails.

Check the permissions for the Builtin AD container in your domain tree - it should have an "Authenticated Users:Read" ACE. Also the enumeration of the Builtin container should be allowed - an Authenticated Users:Read ACE for the top level of the domain should take care of this too.

Related

Does your company allow Skype in network? [closed]
Unexpected results from an XML query filter for security event log
Interesting opensource projects to contribute to as a sysadmin? [closed]
Send email from server without creating new Office 365 user account/mailbox
How to prevent Apache from prepending REDIRECT_ to environment variables when running php as CGI?
Why are emails sent from my applications being marked as spam?
NGINX Dynamic Port proxy_pass
Traffic shaping: tc filter catch all filter
IPv6 Address in SSL Certificate
List directories not containing a file
Is the IIS SMTP Server good enough for a production server?
Problem running MVC3 app in IIS 7