This will not work (verified!) for code run from under an unmanaged
Windows service account (NT_Service\...), once the machine changes its
password per security policy (the access then becomes anonymous and will
result in only first 100 entries returned):
winsup\cygwin\passwd.cc:
else if (group)
ret = NetGroupEnum (NULL, 2, (PBYTE *) &buf, MAX_PREFERRED_LENGTH,
&max, &total, &resume);
else
ret = NetUserEnum (NULL, 20, FILTER_NORMAL_ACCOUNT, (PBYTE *) &buf,
MAX_PREFERRED_LENGTH, &max, &total,
(PDWORD) &resume);
This is what I was trying to point out, in my earlier message...
Anton Lavrentiev
Contractor NIH/NLM/NCBI
P.S. This behavior is obscurely documented in here:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa370610(v=vs.85).aspx
(by the virtue of that page is pointed to from NetUserEnum and NetGroupEnum:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa370652(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/aa370428(v=vs.85).aspx)
<quote>
The number of entries returned by this function depends on the security
descriptor located on the root domain object. The API will return either the
first 100 entries or the entire set of entries in the domain, depending on the
access privileges of the user. The ACE used to control this behavior is
"SAM-Enumerate-Entire-Domain", and is granted to Authenticated Users by
default. Administrators can modify this setting to allow users to enumerate the
entire domain.
</quote>
The bad thing is that there is error indication at reaching the 100,
so it just looks like your environment has suddenly reduced to exactly 100
users...
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
