I'm really out of my comfort zone when it comes to permisions. But I want to create a folder and give all users Full Control over it.
DirectoryInfo NewDir = Directory.CreateDirectory(#"C:\Test");
DirectorySecurity dSecur = NewDir.GetAccessControl();
FileSystemAccessRule fAccess =
new FileSystemAccessRule("Users", FileSystemRights.FullControl,AccessControlType.Allow);
dSecur.AddAccessRule(fAccess);
NewDir.SetAccessControl(dSecur);
But the pic below shows that Users Still doesn't have Full Control.
Am I missing something? Thanks!
If you want full control then you need to pass both ContainerInherit and ObjectInherit for the InheritanceFlags.
new FileSystemAccessRule(
User,
FileSystemRights.FullControl,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly,
AccessControlType.Allow
)
And be sure that run under a user with enough rights to grant full control the other user.
Related
I am trying to write a tool, limiting the ability to mess up file server structures. Within this project I am trying to limit the user to save files in directories, but prevent the user from creating subdirectories in specific folder. The subdirectory will be created another way, wich already works.
But I am facing the problem, that ntfs permission seem to mix "create directories" and "append data". Now the "append data" part is the one (when on deny) preventing users from saving files in a directory, wich is not wanted. But when on allow, the same permission makes it possible to create subdirectories.
In windows explorer security window the both permissions are set with the same checkbox, but as the enumeration FileSystemRights has both CreateDirectories and AppendData, I thought I could set them appart from another.
directorySecurity.AddAccessRule(
new FileSystemAccessRule(sidAll, FileSystemRights.CreateDirectories, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None, AccessControlType.Deny)
);
directorySecurity.AddAccessRule(
new FileSystemAccessRule(sidAll, FileSystemRights.AppendData, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None, AccessControlType.Allow)
);
directoryInfo.SetAccessControl(directorySecurity);
But when setting one to allow and one to deny, both are denied.
Any thoughts or hints on this?
The problem is solved the following way:
// Create a new DirectoryInfo object.
DirectoryInfo directoryInfo = new DirectoryInfo(_folderPath);
// Get a DirectorySecurity object that represents the
// current security settings.
DirectorySecurity directorySecurity = directoryInfo.GetAccessControl();
SecurityIdentifier sidAll = new SecurityIdentifier("S-1-1-0");
//Set the permissions for files in that folder to allow
FileSystemRights rights = FileSystemRights.Modify |
FileSystemRights.ReadAndExecute |
FileSystemRights.ListDirectory |
FileSystemRights.Read |
FileSystemRights.Write
directorySecurity.AddAccessRule(
new FileSystemAccessRule(
sidAll,
rights,
InheritanceFlags.ContainerInherit |
InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow)
);
FileSystemRights subfolderRights = FileSystemRights.CreateDirectories |
FileSystemRights.DeleteSubdirectoriesAndFiles |
FileSystemRights.Delete;
//Set the rights for subfolders of the
directorySecurity.AddAccessRule(
new FileSystemAccessRule(
sidAll,
subfolderRights,
InheritanceFlags.ContainerInherit, PropagationFlags.None,
AccessControlType.Deny)
);
// Set the new access settings.
directoryInfo.SetAccessControl(directorySecurity);
Note the differences in the InheritanceFlags-parameters and the AccessControllType-parameters. A friend of mine gave me the solution, but I was not yet able to investigate on the differences of the InheritanceFlags-parameters. As soon as I have had the time, I will try to give a hint on how they work.
The SecurityIdentifier sidAll is here just used as an example.
(This may be better suited to ServerFault - if so please migrate it!)
We recently upgraded servers from Windows 2003 to Windows 2008. We have now been getting reports that certain PDF files which are dynamically generated are giving "access is denied" messages. I've verified that the folder has "Full Control" to the user group that is being utilized, yet it seems that intermittently files are created without inheriting the parent permissions.
For instance, the parent folder is called Paperwork. The "Users" group is set up to have full control to all files and subfolders within that directory. This works 95% of the time. Once in a while, though, a file will be created and when I view the security permission for that file, the "Users" group does not have Full Control access.
Is there something programmatic that needs to be changed for Windows Server 2008, or is this a configuration issue on the server itself?
take a look at this
try this :
private DirectorySecurity GetDirectorySecurity(string owner)
{
const string LOG_SOURCE = "GetDirectorySecurity";
DirectorySecurity ds = new DirectorySecurity();
System.Security.Principal.NTAccount ownerAccount =
new System.Security.Principal.NTAccount(owner);
ds.SetOwner(ownerAccount);
ds.AddAccessRule(
new FileSystemAccessRule(owner,
FileSystemRights.FullControl,
InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly,
AccessControlType.Allow));
//AdminUsers is a List<string> that contains a list from configuration
// That represents the admins who should be allowed
foreach (string adminUser in AdminUsers)
{
ds.AddAccessRule(
new FileSystemAccessRule(adminUser,
FileSystemRights.FullControl,
InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly,
AccessControlType.Allow));
}
return ds;
}
ref :
File permissions do not inherit directory permissions
I have two machines, call them client and server, in a Windows domain. The server has a shared directory which can be accessed from the client machine. I want to run a C# application on the client which sets the permission on this share to inherit the permissions of the share's parent directory on the server. How do I do this?
I have tried code along the following lines, but I don't think it has the right effect:
DirectoryInfo shareDirectoryInfo = new DirectoryInfo("\\server\share");
DirectorySecurity directorySecurity = shareDirectoryInfo.GetAccessControl();
directorySecurity.SetAccessRuleProtection(false, false);
InheritanceFlags iFlags = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
FileSystemAccessRule accessRule = new FileSystemAccessRule("Everyone", FileSystemRights.FullControl, iFlags, PropagationFlags.InheritOnly, AccessControlType.Allow);
bool modified;
directorySecurity.ModifyAccessRule(AccessControlModification.Set, accessRule, out modified);
if (modified)
{
Directory.SetAccessControl(name, directorySecurity);
}
I guess I don't understand why I have to create a FileSystemAccessRule for the directory - how can I just say inherit from parent?
Thanks for any help! Martin
You can set the folder to inherit from parent by using SetAccessRuleProtection
DirectoryInfo targetFolder = new DirectoryInfo(#"\\server\share");
DirectorySecurity folderSecurity = targetFolder.GetAccessControl(); // Existing security
folderSecurity.SetAccessRuleProtection(false, true); // This sets the folder to inherit
targetFolder.SetAccessControl(folderSecurity);
EDIT: The msdn document explains that if false is sent as the first argument, then the second argument is ignored.
I have a C# code which creates a folder and sets some permissions on it. Here is the code sample:
static void Main(string[] args){
Directory.CreateDirectory("C:\\vk07");
DirectorySecurity dirSec = Directory.GetAccessControl("C:\\vk07");
dirSec.AddAccessRule(new FileSystemAccessRule("INTRANET\\fGLBChorusUsers", FileSystemRights.ReadAndExecute, AccessControlType.Allow));
Directory.SetAccessControl("C:\\vk07", dirSec);
}
When I check the permissions set on the folder created above, instead of having Read and Modify (which is what I have set in the code), it shows only "Special Permissions" as checked.
Please can some one help me with this? I am new to ACL, so don't understand it very well.
I was having this same problem, The actual reason is if you look at that network service picture from the other post, it is applying to files only. The basic permissions will only show up on the first picture if they say "This folder, subfolders, and files" To do this, you need to set the two flags -InheritanceFlags.ContainerInherit + InheritanceFlags.ObjectInherit.
Try
'If destination directory does not exist, create it first.
If Not Directory.Exists(path) Then Directory.CreateDirectory(path)
Dim dir As New DirectoryInfo(path)
Dim dirsec As DirectorySecurity = dir.GetAccessControl()
'Remove inherited permissions
dirsec.SetAccessRuleProtection(True, False)
'create rights, include subfolder and files to be inherited by this
Dim Modify As New FileSystemAccessRule(username, FileSystemRights.Modify, InheritanceFlags.ContainerInherit + InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow)
Dim Full As New FileSystemAccessRule(admingroup, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit + InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow)
dirsec.AddAccessRule(Modify)
dirsec.AddAccessRule(Full)
'Set
dir.SetAccessControl(dirsec)
Catch ex As Exception
MsgBox(ex.Message)
End Try
This code works for me:
security.AddAccessRule(
new FileSystemAccessRule(
"domain\\login",
FileSystemRights.Modify,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow
));
I also had this problem. After executing the following code:
var security = Directory.GetAccessControl(folderPath);
security.AddAccessRule(
new FileSystemAccessRule(
new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null),
FileSystemRights.Modify,
InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly,
AccessControlType.Allow
)
);
Directory.SetAccessControl(folderPath, security);
...then the Properties Dialog for folderPath would appear as follows:
As you mentioned, only 'Special Permissions' is checked, but if you click Advanced, then you see:
Notice that in this dialog NETWORK SERVICE has the modify permission.
It seems as though when you set permissions programmatically Windows does not show these permissions within the folder properties dialog, but they still exist under advanced security settings. I also confirmed that my Window service (running as NETWORK SERVICE) was then able to access files within folderPath.
FileSystemRights.ReadAndExecute doesn't allow you to modify. This is for read-only.
You would need FileSystemRights.Modify for the full range.
You may want to check out for the options available.
here is an example of the above:
String dir = #"C:\vk07";
Directory.CreateDirectory(dir);
DirectoryInfo dirInfo = new DirectoryInfo(dir);
DirectorySecurity dirSec = dirInfo.GetAccessControl();
dirSec.AddAccessRule(new FileSystemAccessRule("INTRANET\\fGLBChorusUsers",FileSystemRights.Modify,AccessCo‌ntrolType.Allow));
dirInfo.SetAccessControl(dirSec);
I got the same code to work in VB, setting FileSystemRights.FullControl.
Dim fsRule As FileSystemAccessRule = New FileSystemAccessRule(sid, FileSystemRights.FullControl, (InheritanceFlags.ContainerInherit + InheritanceFlags.ObjectInherit), PropagationFlags.None, AccessControlType.Allow)
I've been having problems programatically assigning permissions to Folders / Registry entries. I have managed to assign inheriting permissions using the following code:
FileSystemAccessRule rule = new FileSystemAccessRule(LOGON_USER_NAME,
FileSystemRights.FullControl, InheritanceFlags.ContainerInherit |
InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly,
AccessControlType.Allow);
DirectorySecurity security = new DirectorySecurity();
security.SetAccessRule(rule);
Directory.CreateDirectory(dir);
Directory.SetAccessControl(dir, security);
This correctly sets my file permissions on all the child folders i create as an administrator. However, it does not set the permissions on the dir folder itself. I've played around with a fair few permutations for inheritance and propogation, but not had any joy.
For example, I have:
dir = %programfiles%\Test
If i have created a folder in test (%programfiles%\Test\SubFolder), I have full permissions assigned to it for my user, but I do not have full permissions on %programfiles%\Test. This is really annoying, as I would like to give my user full permissions to do whatever with the Test directory as well.
I am having similar problems with registry permissions, but I believe that if i can solve one, i can solve both of the outstanding issues.
Does anyone know how this can be resolved?
Regards
Tris
For the folder:
FileSystemAccessRule rule = new FileSystemAccessRule(LOGON_USER_NAME,
FileSystemRights.FullControl, AccessControlType.Allow);
For subfolders and files:
FileSystemAccessRule rule = new FileSystemAccessRule(LOGON_USER_NAME,
FileSystemRights.FullControl, InheritanceFlags.ContainerInherit |
InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly,
AccessControlType.Allow);
both lines need to be in your project. then you get acls that apply to this folder, subfolders and files
I'm hardly an expert here, but after having to figure this out for my own purposes, I believe that Dave's answer, although functional, is overly complicated. You should be able to achieve this with just one rule:
FileSystemAccessRule rule = new FileSystemAccessRule(LOGON_USER_NAME,
FileSystemRights.FullControl,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow);
The PropagationFlags.InheritOnly parameter used by the OP in their original code is what prevents the access rule from applying to the object itself.
Also, you might as well set the directory's security as you're creating it, since .NET provides an overload for just that purpose:
Directory.CreateDirectory(dir, security);