HighTechTalks DotNet Forums  

Setting directory permissions (.NET)

Dotnet Security microsoft.public.dotnet.security


#1
Peter Bradley
Setting directory permissions (.NET) - 12-03-2007, 05:21 AM

Hi,

I have a requirement to set, programmatically, permissions on users'
home and profile directories when they are created. I've sussed out the
majority of them, but am at a loss as to how to achieve this final one.

There is a setting called "Apply onto", which is set manually in the
"Permission Entry For" dialog by selecting from a combo box. I want to
programmatically set this property for each user with permissions on the
folder to "This folder, subfolders and files".

The procedure for doing this manually would be:

* Right click on the folder and select Properties
* Select the Security tab
* Click the Advanced button
* Select a user and click the Edit... button
* Select "This folder, subfolders and files" from the Apply onto combo box

The full spec from the admins is as follows:

* Home directory
  * User and domain admins to have full control, <not inherited>, applied to "This folder, subfolders and files"
* Profile directory
  * User, Domain Admins, and IT Advisors to have full control, <not inherited>, "This folder, subfolders and files"

I've managed to set the <not inherited> property by using the
NoPropagateInherit propagation flag, but I can't find anything that
applies to the "Apply onto" property.

Thanks



Peter

#2
Joe Kaplan
Re: Setting directory permissions (.NET) - 12-03-2007, 09:29 AM

I'm not sure the exact setting to recommend to you, but the technique I
usually use when doing this type of stuff is to take before and after
snapshots in code of the security descriptor and compare the differences you
got when you make the change you want in the UI. That technique nearly
always reveals the difference and the setting you need.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

#3
Peter Bradley
Re: Setting directory permissions (.NET) - 12-03-2007, 09:36 AM

Joe Kaplan wrote:
Quote:
I'm not sure the exact setting to recommend to you, but the technique I
usually use when doing this type of stuff is to take before and after
snapshots in code of the security descriptor and compare the differences you
got when you make the change you want in the UI. That technique nearly
always reveals the difference and the setting you need.

Joe K.

Thanks, Joe. I think I probably need a translation, but in the first
instance I'll talk to our admins who will probably have a better idea
than me.

If they need a translation as well, I'll get back to you if that's OK.

Thanks


Peter


#5
Peter Bradley
Re: Setting directory permissions (.NET) - 12-03-2007, 11:16 AM

Peter Bradley wrote:
Quote:
Joe Kaplan wrote:
I'm not sure the exact setting to recommend to you, but the technique
I usually use when doing this type of stuff is to take before and
after snapshots in code of the security descriptor and compare the
differences you got when you make the change you want in the UI. That
technique nearly always reveals the difference and the setting you need.

Joe K.



Thanks, Joe. I think I probably need a translation, but in the first
instance I'll talk to our admins who will probably have a better idea
than me.

If they need a translation as well, I'll get back to you if that's OK.

Thanks


Peter

Usual apologies for replying to self and for the double post in my last
reply (mea culpa).

Joe (or anyone else who's interested, of course), I tried to create a
program that would create a snapshot as you suggested, using the code in
your excellent book (pp302,303). I get stuck on the call to
GetAccessRules(), because I don't know how to get something I can pass
as the third parameter (presumably the sid for the folder???). Here's
what I have so far:

using System.IO;
using System.Security.AccessControl;

namespace Uwic.ACEList
{
    class AceList
    {
        static void Main(string[] args)
        {
            DirectoryInfo dInfo = new DirectoryInfo(
                @"C:\VisualStudio2005Projects\ACEListSolution\ACEList");
            DirectorySecurity dSecurity = dInfo.GetAccessControl();
            AuthorizationRuleCollection rules = null;
            // Third parameter: the type to pass here is the open question
            rules = dSecurity.GetAccessRules(true, true, typeof(?????));
        }
    }
}


#6
dan artuso
Re: Setting directory permissions (.NET) - 12-03-2007, 03:37 PM

Hi Peter,
Does this snippet help?

Imports System.Diagnostics
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal

Dim fi As New FileInfo("C:\msnlog.txt")
Dim fs As FileSecurity = fi.GetAccessControl()
' Ask for each ACE's trustee as an NTAccount (DOMAIN\name)
Dim obTypeToGet As Type = GetType(NTAccount)

For Each ace As FileSystemAccessRule In fs.GetAccessRules(True, True, obTypeToGet)
    Debug.Print(ace.IdentityReference.Value)
Next

Now if only Joe could tell me why this returns an empty collection????

For Each aRule As FileSystemAuditRule In fs.GetAuditRules(True, True, obTypeToGet)
    Debug.Print(aRule.IdentityReference.Value)
Next

:-)



Dan





#7
Dan
Re: Setting directory permissions (.NET) - 12-03-2007, 05:29 PM

Hey,
In C# lingo...

rules = dSecurity.GetAccessRules(true, true,
    typeof(System.Security.Principal.NTAccount));

Dan



#8
Joe Kaplan
Re: Setting directory permissions (.NET) - 12-03-2007, 10:12 PM

It is also faster if you don't convert to NTAccount and just use
SecurityIdentifier. If you don't need the SIDs translated into names (which
in this case I don't think is required since we are interested in other
aspects of the ACE, not the trustee), this is probably better. Translating
usually doesn't hurt unless a specific SID can't be translated for some
reason.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
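
Added example, not part of the original thread or of the book it cites: one way to take the before-and-after snapshots described above, asking for SecurityIdentifier as the target type so that no SID-to-name lookup is needed. The folder path is a placeholder, and the comparison is set-based, so it ignores ACE order.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class AclSnapshot
{
    // One line per ACE: trustee SID, type, rights, and the two flag sets
    // that the "Apply onto" combo box controls.
    public static HashSet<string> Take(string path)
    {
        DirectorySecurity sd =
            new DirectoryInfo(path).GetAccessControl(AccessControlSections.Access);
        var lines = new HashSet<string>();
        // includeExplicit = true, includeInherited = true, trustees returned as raw SIDs
        foreach (FileSystemAccessRule ace in
                 sd.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            lines.Add(string.Format(
                "{0} {1} {2} inherit=[{3}] propagate=[{4}] inherited={5}",
                ace.IdentityReference.Value, ace.AccessControlType,
                ace.FileSystemRights, ace.InheritanceFlags,
                ace.PropagationFlags, ace.IsInherited));
        }
        return lines;
    }

    static void Main(string[] args)
    {
        // Placeholder test folder; pass the real one as the first argument.
        string path = args.Length > 0 ? args[0] : @"C:\Temp\AclTest";

        HashSet<string> before = Take(path);
        Console.WriteLine("Change \"Apply onto\" in the Advanced dialog, then press Enter.");
        Console.ReadLine();
        HashSet<string> after = Take(path);

        // Lines only in the first snapshot were removed; lines only in the second were added.
        foreach (string l in before) if (!after.Contains(l)) Console.WriteLine("- " + l);
        foreach (string l in after) if (!before.Contains(l)) Console.WriteLine("+ " + l);
    }
}
```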

#9
Peter Bradley
Re: Setting directory permissions (.NET) - 12-04-2007, 03:42 AM

Dan wrote:
Quote:
Hey,
In c# lingo...
rules = dSecurity.GetAccessRules(true, true,
typeof(System.Security.Principal.NTAccount));
Dan


.... which is exactly what is in Joe's book. Thanks, Dan.

I have many faults as a programmer, but the worst is making assumptions
about what won't work without even trying it. In this case I assumed
that NTAccount would not work and that something else was needed.

Grrr!


Peter


#10
Peter Bradley
Re: Setting directory permissions (.NET) - 12-04-2007, 05:25 AM

Joe Kaplan wrote:
Quote:
It is also faster if you don't convert to NTAccount and just use
SecurityIdentifier. If you don't need the SIDs translated into names (which
in this case I don't think is required since we are interested in other
aspects of the ACE, not the trustee), this is probably better. Translating
usually doesn't hurt unless a specific SID can't be translated for some
reason.

Joe K.

OK, so I find that the inheritance flags need to be set to
"ContainerInherit, ObjectInherit"; but these flags are readonly. Does
anyone know how I can set them??

Thanks again


Peter
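
Added example, not part of the original thread: the InheritanceFlags and PropagationFlags properties of a FileSystemAccessRule are read-only because they are fixed by its constructor, so the rule is built with the flags rather than modified afterwards. ContainerInherit | ObjectInherit with PropagationFlags.None is what the dialog shows as "This folder, subfolders and files", and blocking inheritance from the parent is done with SetAccessRuleProtection. The path and account names below are placeholders.

```csharp
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class HomeDirAcl
{
    // Gives each trustee Full Control applied to this folder, subfolders and files,
    // on a DACL that no longer inherits from the parent folder.
    public static void Apply(string path, params IdentityReference[] trustees)
    {
        DirectoryInfo dir = new DirectoryInfo(path);
        DirectorySecurity sd = dir.GetAccessControl(AccessControlSections.Access);

        // isProtected = true: stop inheriting from the parent.
        // preserveInheritance = false: drop the inherited ACEs instead of copying them.
        sd.SetAccessRuleProtection(true, false);

        foreach (IdentityReference who in trustees)
        {
            // The flags are constructor arguments; they cannot be set on an existing rule.
            // PropagationFlags.NoPropagateInherit would instead limit inheritance to the
            // immediate children of the folder.
            FileSystemAccessRule rule = new FileSystemAccessRule(
                who,
                FileSystemRights.FullControl,
                InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                PropagationFlags.None,
                AccessControlType.Allow);

            // SetAccessRule replaces any existing Allow rules for the same trustee.
            sd.SetAccessRule(rule);
        }

        dir.SetAccessControl(sd);
    }

    static void Main()
    {
        // Placeholder folder and accounts.
        Apply(@"C:\Temp\AclTest",
              new NTAccount(@"EXAMPLE\jsmith"),
              new NTAccount(@"EXAMPLE\Domain Admins"));
    }
}
```

SetAccessRuleProtection(true, false) discards every inherited entry, so the trustee list has to include an account that can still administer the folder. Explicit entries for other trustees that are already on the folder are left in place.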

