mafiatfc

Make sure on your register.php page to also escape special characters when reading in values from your $_POST variables because it is possible to input data directly into the URL.

I managed to fix the problem. Instead of using icacls the way I was using it above, I have taken the user's SID from Active Directory upon creation and used the SID in icacls.

I have made a webpage for creating Active Directory users. The page makes the user in AD then uses icacls on a share to give that new user rights to the home directory. When the user and their home directory is deleted from active directory and recreated with the same name it obviously has a new SID. When the page goes through its code it appears that icacls uses the SID that was previously used therefore the user cant save to their home directory because they have the wrong permissions. Now, if I disable the icacls portion of the PHPpage and just have it create a user and then type in the icacls command manually in cmd.exe it finds the correct SID. This is the line from the page: $output = shell_exec("icacls \\\\dc\\share\\" . $username . " /grant " . $adDomainShort . "\\" . $username . ":(OI)(CI)(M)") or die("cacles died"); Is there a way to make the page get the current SID instead of the old one from the previously deleted user?

I figured it out. I created a service account in active directory. On the remote web server IIS, I used anonymous authentication using an application pool with the domain service account as the user. On the remote shares I have the domain service account with rights to the shared folder. Now I am able to use mkdir and shell features like icacls to assign user rights to folders inside the share.

There is the IUSR_* account that IIS runs under. Isn't this user local to the server running IIS, in which I would not be able to use this username on a different server's share?

Yes, on the file server I have permissons set for "Everyone" and that permission has full rights to the share. If I access the share through windows I can create/delete files and folders, however the PHP script mkdir gets a permission denied. I wonder if there is some kind of user settings for IIS?

I have a domain controller in which I have much code written to create a domain user via a PHP webpage. I have a seperate webserver running IIS7 with PHP 5.2. I need to create a folder in a unc path on our file server. The example code I'm trying to get to work is: <?php mkdir("\\\\x.x.x.x\\users\\testuser"); ?> The problem: "Warning: mkdir(): Permission denied" My goal is: after a user is created in Active Directory (which I have working), I need to create that user's home directory on our file server. I've tried setting permissions on the file server share for Everyone as full.