
Setting directory permissions (.NET)

Peter Bradley - 03 Dec 2007 10:21 GMT
Hi,

I have a requirement to set, programmatically, permissions on users'
home and profile directories when they are created.  I've sussed out the
majority of them, but am at a loss as to how to achieve this final one.

There is a setting called "Apply onto", which is set manually in the
"Permission Entry For" dialog by selecting from a combo box.  I want to
programmatically set this property for each user with permissions on the
folder to "This folder, subfolders and files".

The procedure for doing this manually would be:

*  Right click on the folder and select Properties
*  Select the Security tab
*  Click the Advanced button
*  Select a user and click the Edit... button
*  Select "This folder, subfolders and files" from the Apply onto combo box

The full spec from the admins is as follows:

*  Home directory
    *  User and domain admins to have full control, <not inherited>, applied to "This folder, subfolders and files"
*  Profile directory
    *  User, Domain Admins, and IT Advisors to have full control, <not inherited>, "This folder, subfolders and files"

I've managed to set the <not inherited> property by using the
NoPropagateInherit propagation flag, but I can't find anything that
applies to the "Apply onto" property.

Thanks

Peter
Joe Kaplan - 03 Dec 2007 14:29 GMT
I'm not sure the exact setting to recommend to you, but the technique I
usually use when doing this type of stuff is to take before and after
snapshots in code of the security descriptor and compare the differences you
got when you make the change you want in the UI.  That technique nearly
always reveals the difference and the setting you need.

Joe K.

Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

> Hi,
>
[quoted text clipped - 32 lines]
>
> Peter
Peter Bradley - 03 Dec 2007 14:36 GMT
> I'm not sure the exact setting to recommend to you, but the technique I
> usually use when doing this type of stuff is to take before and after
[quoted text clipped - 3 lines]
>
> Joe K.

Thanks, Joe.  I think I probably need a translation, but in the first
instance I'll talk to our admins who will probably have a better idea
than me.

If they need a translation as well, I'll get back to you if that's OK.

Thanks

Peter
Peter Bradley - 03 Dec 2007 16:16 GMT
>> I'm not sure the exact setting to recommend to you, but the technique
>> I usually use when doing this type of stuff is to take before and
[quoted text clipped - 13 lines]
>
> Peter

Usual apologies for replying to self and for the double post in my last
reply (mea culpa).

Joe (or anyone else who's interested, of course), I tried to create a
program that would create a snapshot as you suggested, using the code in
your excellent book (pp302,303).  I get stuck on the call to
GetAccessRules(), because I don't know how to get something I can pass
as the third parameter (presumably the sid for the folder???).  Here's
what I have so far:

using System.IO;
using System.Security.AccessControl;

namespace Uwic.ACEList
{
    class AceList
    {
        static void Main(string[] args)
        {
            DirectoryInfo dInfo = new DirectoryInfo(@"C:\VisualStudio2005Projects\ACEListSolution\ACEList");
            DirectorySecurity dSecurity = dInfo.GetAccessControl();
            AuthorizationRuleCollection rules = null;
            rules = dSecurity.GetAccessRules(true, true, typeof(?????));
        }
    }
}
dan artuso - 03 Dec 2007 20:37 GMT
Hi Peter,
Does this snippet help?

Imports System.IO
Imports System.Security.AccessControl

Dim fi As New FileInfo("C:\msnlog.txt")
Dim fs As New FileSecurity
Dim obTypeToGet As Type

fs = fi.GetAccessControl()
obTypeToGet = Type.GetType("System.Security.Principal.NTAccount")

For Each ace As FileSystemAccessRule In fs.GetAccessRules(True, True, obTypeToGet)
       Debug.Print(ace.IdentityReference.Value)
Next

Now if only Joe could tell me why this returns an empty collection????

For Each aRule As FileSystemAuditRule In fs.GetAuditRules(True, True, obTypeToGet)
   Debug.Print(aRule.IdentityReference.Value)
Next

:-)

Dan

>>> I'm not sure the exact setting to recommend to you, but the technique I
>>> usually use when doing this type of stuff is to take before and after
[quoted text clipped - 38 lines]
>     }
> }
Dan - 03 Dec 2007 22:29 GMT
Hey,
In c# lingo...
rules = dSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
Dan

>>> I'm not sure the exact setting to recommend to you, but the technique I
>>> usually use when doing this type of stuff is to take before and after
[quoted text clipped - 38 lines]
>     }
> }
Joe Kaplan - 04 Dec 2007 03:12 GMT
It is also faster if you don't convert to NTAccount and just use
SecurityIdentifier.  If you don't need the SIDs translated into names (which
in this case I don't think is required since we are interested in other
aspects of the ACE, not the trustee), this is probably better.  Translating
usually doesn't hurt unless a specific SID can't be translated for some
reason.

Joe K.

Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

> Hey,
> In c# lingo...
[quoted text clipped - 45 lines]
>>     }
>> }
Peter Bradley - 04 Dec 2007 10:25 GMT
> It is also faster if you don't convert to NTAccount and just use
> SecurityIdentifier.  If you don't need the SIDs translated into names (which
[quoted text clipped - 4 lines]
>
> Joe K.

OK, so I find that the inheritance flags need to be set to
"ContainerInherit, ObjectInherit"; but these flags are readonly.  Does
anyone know how I can set them??

Thanks again

Peter
Peter Bradley - 04 Dec 2007 10:35 GMT
> OK, so I find that the inheritance flags need to be set to
> "ContainerInherit, ObjectInherit"; but these flags are readonly.  Does
[quoted text clipped - 3 lines]
>
> Peter

Sometimes you just want to curl up and die, don't you?

Sorry guys.  I worked it out.  It's in the FileSystemAccessRule constructor.

Many thanks for all your help.

Peter
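
An added example, not code posted by anyone in this thread: it combines the before/after snapshot technique suggested above with the FileSystemAccessRule constructor, printing each ACE's InheritanceFlags and PropagationFlags so the "Apply onto" setting can be read back. The scratch directory and the two stand-in trustees (current user and BUILTIN\Administrators in place of the user and Domain Admins) are assumptions; inheritance from the parent is blocked here with SetAccessRuleProtection, the call that controls that setting.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

class ApplyOntoExample
{
    // Print every ACE with the flags that drive the "Apply onto" combo box.
    static void Dump(string label, DirectorySecurity sec)
    {
        Console.WriteLine(label);
        // SecurityIdentifier skips name translation, which can fail for orphaned SIDs.
        foreach (FileSystemAccessRule r in
                 sec.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            Console.WriteLine("  {0} {1} {2} inherit=[{3}] propagate=[{4}] inherited={5}",
                r.IdentityReference.Value, r.AccessControlType, r.FileSystemRights,
                r.InheritanceFlags, r.PropagationFlags, r.IsInherited);
        }
    }

    static void Main()
    {
        // Scratch directory (assumption) so no real home or profile folder is touched.
        string path = Path.Combine(Path.GetTempPath(),
                                   "acl-demo-" + Guid.NewGuid().ToString("N"));
        DirectoryInfo dir = Directory.CreateDirectory(path);
        DirectorySecurity sec = dir.GetAccessControl();
        Dump("Before:", sec);

        // Stand-in trustees (assumption): current user and BUILTIN\Administrators.
        SecurityIdentifier user = WindowsIdentity.GetCurrent().User;
        SecurityIdentifier admins =
            new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);

        // ContainerInherit | ObjectInherit with PropagationFlags.None is what the
        // dialog displays as "This folder, subfolders and files".
        InheritanceFlags onto =
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
        foreach (SecurityIdentifier sid in new SecurityIdentifier[] { user, admins })
            sec.AddAccessRule(new FileSystemAccessRule(sid, FileSystemRights.FullControl,
                onto, PropagationFlags.None, AccessControlType.Allow));

        // Protect the DACL from the parent's ACEs and drop the inherited copies.
        sec.SetAccessRuleProtection(true, false);
        dir.SetAccessControl(sec);

        Dump("After:", dir.GetAccessControl());
        dir.Delete();
    }
}
```

In the "After" listing every remaining ACE should show inherited=False, and the two added entries should show inherit=[ContainerInherit, ObjectInherit] with propagate=[None].
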
Peter Bradley - 04 Dec 2007 08:42 GMT
> Hey,
> In c# lingo...
> rules = dSecurity.GetAccessRules(true, true,
> typeof(System.Security.Principal.NTAccount));
> Dan

... which is exactly what is in Joe's book.  Thanks, Dan.

I have many faults as a programmer, but the worst is making assumptions
about what won't work without even trying it.  In this case I assumed
that NTAccount would not work and that something else was needed.

Grrr!

Peter
