Manage NTFS PERMISSIONS with System.Security.AccessControl

Roger Tranchez

Hello,

Recently, a manager from our company moved a lot of files and folders within
our server's main data disk, and as a result, that data is not inheriting the
ACLs from the place it is in now (it is normal behaviour, of course).

Instead, in the "Inherited from" column you can read "Parent Object" instead
of the new folder it should inherit from.

As changing them manually could be too slooow (there are a lot of explicit
permissions that are not inherited from their parent folders, lots of groups,
and they all SHOULD BE PRESERVED), I was trying to do it with the
System.Security.AccessControl libraries in .NET, trying to delete all these
nasty inherited permissions as long as I can find them with a search...

I made the recursive loop to search all the folders (no problem), but when I
use the following code (the example is for only one file for the sake of
simplicity)...


Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal

Dim fi As New FileInfo("C:\test\b\f2.txt")
Dim fs As FileSecurity = fi.GetAccessControl()

' Explicit and inherited rules, identities resolved as DOMAIN\name (NTAccount)
For Each ace As FileSystemAccessRule In fs.GetAccessRules(True, True, GetType(NTAccount))

    ' Still missing: the test "inherited from 'Parent object'" (IsInherited alone
    ' does not say which folder the rule came from)
    If ace.IsInherited Then
        ' Here I should delete all the permissions if I find that
        ' "inherited from" is "Parent object"
        ' instead of a concrete folder you know... as it'll indicate
        ' they were moved.
    End If

Next



.... I am unable to:

-- Identify that "inherited from parent object" (ace.IsInherited = True ok...
but from which folder?)
-- I don't know what to do if I end up unable to identify those folders...
should I set it to not inherit, then delete all ACLs and then set it
again to inherit from the actual parent object?... how?


Thanks !
 
Hi Roger,

Based on my understanding, the problem is that the moved file does not inherit
the new folder's permission rules, right? We are trying to write
scripts to set the folder to inherit from the new parent object's
permissions, right? I did a quick test on my side, but I see a different
result from yours. When I move a text file from the D:\Test1 folder to the D:\Test2
folder, what I see is that the text file inherits from the new folder
Test2's permissions instead of the original Test1 folder's. As I know, if
we want the subfolder to inherit from the parent folder, we need to make the
parent folder's permission rules apply to "this folder, subfolders, files".
Have you set it for the new target folder we move files into?


Best regards,
Colbert Zhou
Microsoft Online Support Team
 
Hello,

Thanks for your help ! ...

You said:
Based on my understanding, the problem is that the moved file does not inherit
the new folder's permission rules, right?

YES.

We are trying to write
scripts to set the folder to inherit from the new parent object's
permissions, right?

YES, and erase all the other permissions.

I did a quick test on my side, but I see a different
result from yours. When I move a text file from the D:\Test1 folder to the D:\Test2
folder, what I see is that the text file inherits from the new folder
Test2's permissions instead of the original Test1 folder's.

Mmmh... Really? I think you must be missing something; read this please:

(from http://www.tech-faq.com/ntfs-permissions-copy-move.shtml)

"Moving Files and Folders
When moving a file or a folder, permissions may get changed depending on the
destination folder permissions.

When moving a file to a folder within the same NTFS partition, the folder or
file will retain its original permissions..."

As I know, if
we want the subfolder to inherit from the parent folder, we need to make the
parent folder's permission rules apply to "this folder, subfolders, files".

YES

Have you set it for the new target folder we move files into?

Of course.

Waiting for your answer,

Roger
 
Hi Roger,

When moving a file from one folder to another folder within the same
partition, that file's original non-inherited permission rules remain. The
original inherited permission rules are cleared. And that file will also
inherit all permission rules from the new folder if that rule is set to
"apply to subfolders".

For example, I did the following test on my side. Both folders Test and Test2
are in D:\root, and they do not inherit permission rules from D:\

Test folder's ACL:
Type   Name      Permission    Inherited From   Apply To
Allow  Everyone  Full Control  <not inherited>  This folder, subfolders and...

Test2 folder's ACL:
Type   Name   Permission    Inherited From   Apply To
Allow  UserA  Full Control  <not inherited>  This folder, subfolders and...

There is a file test.txt in D:\Test. Its ACL:
Type   Name      Permission    Inherited From
Allow  UserB     Full Control  <not inherited>
Allow  Everyone  Full Control  D:\Test\

When I move the test.txt file from D:\Test\ to D:\Test2, its non-inherited
permission rule for UserB remains, but the inherited permission rule is
inherited from D:\Test2 instead of D:\Test:
Type   Name   Permission    Inherited From
Allow  UserB  Full Control  <not inherited>
Allow  UserA  Full Control  D:\Test2\


That is to say, to achieve your objective, you only need to detect all
non-inherited rules and delete them.
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal

Dim fi As New FileInfo("D:\Test2\test.txt")
Dim fs As FileSecurity = fi.GetAccessControl()

' Walk explicit and inherited rules; only the explicit (non-inherited) ones
' belong to this object and can be removed from it
For Each ace As FileSystemAccessRule In fs.GetAccessRules(True, True, GetType(NTAccount))
    If Not ace.IsInherited Then
        fs.RemoveAccessRule(ace)
    End If
Next

' Write the modified DACL back once, after all removals
fi.SetAccessControl(fs)

Hope this clarifies and helps. Have a good day, Sir!


Best regards,
Colbert Zhou
Microsoft Online Support Team
 
Hello Zhou !

You said ...
When I move the test.txt file from D:\Test\ to D:\Test2, its non-inherited
permission rule for UserB remains, but the inherited permission rule is
inherited from D:\Test2 instead of D:\Test:
Type   Name   Permission    Inherited From
Allow  UserB  Full Control  <not inherited>
Allow  UserA  Full Control  D:\Test2\

Yes, you're right... That has been a shock to me! Let me explain:

As this was not the result I saw on our server, immediately after receiving
your message I tested it on my Vista PC, and I got the same results as you...
well, well, well, I thought 8-D

Then, I re-tested it, but on our Windows 2003 server, and the results were
different!

Type   Name      Permission    Inherited From
------------------------------------------------------------------
Allow  UserB     Full Control  <not inherited>
Allow  Everyone  Full Control  "Parent object"

So, the behavior in Windows 2003 Server seems to be different for the
inherited permissions assigned to "Everyone" from the folder D:\Test:

The move operation not only preserves them, but also loses the reference
to "who is the parent", and instead of showing a concrete folder, it
shows "Parent object"...

This is my problem as I said on the first post: I want to

1- remove the permissions if it is inherited from that unknown origin that
Windows calls "Parent object", preserving the other ones. This special
permission is detected as inherited, but I don't know how to check the
"from", you know...

2- Make the object inherit its permissions from the new parent.

Thanks again,

--
Roger Tranchez
MCTS
.NET 2008 and DB developer
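Point 1 of Roger's post asks how to check the "from" of an inherited rule. System.Security.AccessControl does not expose it: a FileSystemAccessRule only carries IsInherited, and the "Inherited From" column in Explorer is produced by walking up the parent chain (the Win32 GetInheritanceSource API does that natively, and .NET does not wrap it). The following PowerShell function is an added example, not code from the thread, that repeats that walk with Get-Acl and reports 'Parent object', as Explorer does, for an inherited ACE that no ancestor still supplies, which is exactly the stale entry left behind by the move on Windows 2003. The sample path is assumed, and the matching of a child ACE to its ancestor ACE (identity, allow/deny, rights, inheritance flag) is a heuristic of this example, not the OS algorithm.

```powershell
# Added example, not code from the thread. Reconstructs Explorer's
# "Inherited From" for every ACE on a file or folder. The sample path is assumed.

function Get-AceOrigin {
    param([Parameter(Mandatory)][string]$Path)

    $CI = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $OI = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

    $item = Get-Item -LiteralPath $Path -Force
    $acl  = Get-Acl  -LiteralPath $Path

    foreach ($ace in $acl.Access) {
        $origin = '<not inherited>'

        if ($ace.IsInherited) {
            # A file only receives ACEs flagged ObjectInherit, a folder only those
            # flagged ContainerInherit; above the immediate parent every hop is
            # folder-to-folder, so ContainerInherit is required from then on.
            $needed = if ($item.PSIsContainer) { $CI } else { $OI }
            $dir    = if ($item.PSIsContainer) { $item.Parent } else { $item.Directory }
            $origin = 'Parent object'   # kept if the chain breaks before a source is found

            while ($null -ne $dir) {
                # Heuristic match on identity, allow/deny, inheritance flag and rights.
                # Rights are not compared when the ancestor ACE uses generic rights
                # (bits 0xF0000000, a signed Int32 literal in PowerShell), because NTFS
                # maps those to specific rights when it copies the ACE down.
                # NoPropagateInherit is ignored by this example.
                $match = (Get-Acl -LiteralPath $dir.FullName).Access | Where-Object {
                    $_.IdentityReference.Value -eq $ace.IdentityReference.Value -and
                    $_.AccessControlType -eq $ace.AccessControlType -and
                    (([int]$_.InheritanceFlags -band [int]$needed) -ne 0) -and
                    ($_.FileSystemRights -eq $ace.FileSystemRights -or
                     (([int]$_.FileSystemRights -band 0xF0000000) -ne 0))
                } | Select-Object -First 1

                if ($null -eq $match) { break }   # no ancestor supplies it: orphaned
                if (-not $match.IsInherited) { $origin = $dir.FullName; break }   # defined here
                $needed = $CI
                $dir    = $dir.Parent
            }
        }

        [pscustomobject]@{
            Identity      = $ace.IdentityReference.Value
            Type          = $ace.AccessControlType
            Rights        = $ace.FileSystemRights
            InheritedFrom = $origin
        }
    }
}

Get-AceOrigin -Path 'D:\Test2\test.txt' | Format-Table -AutoSize
```

Run it against one of the moved files: an entry whose InheritedFrom reads 'Parent object' is an inherited ACE that the current parent chain would not produce, so it is exactly the one to get rid of; entries with a concrete folder path are healthy and must be left alone. Reading every ancestor's ACL needs READ_CONTROL on each folder up to the root.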
 
Hi Roger,

I did some further tests and found that if I delete the non-inherited
permission rule from the moved file, that file will automatically inherit
from the new parent folder, like a refresh process. So my current
resolution for your objective is removing every non-inherited permission rule
and re-adding it immediately.

The following code already works fine on my side:
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal

Module Module1
    Sub Main()
        Dim fi As New FileInfo("C:\Test2\test.txt")
        Dim fs As FileSecurity = fi.GetAccessControl()

        For Each ace As FileSystemAccessRule In fs.GetAccessRules(True, True, GetType(NTAccount))
            If Not ace.IsInherited Then
                ' Remove the explicit rule and write the DACL: this write makes
                ' Windows refresh the inherited rules from the current parent
                fs.RemoveAccessRule(ace)
                fi.SetAccessControl(fs)
                ' Put the explicit rule back and write the DACL again
                fs.AddAccessRule(ace)
                fi.SetAccessControl(fs)
            End If
        Next
    End Sub
End Module

Please have a test in your side and let me know if this resolves your
issue. Have a nice day!


Best regards,
Colbert Zhou
Microsoft Online Support Team
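The remove-then-re-add loop above works because each SetAccessControl call writes the DACL, and when Windows writes a non-protected DACL it recomputes the inherited ACEs from the object's current parent. It costs two writes per explicit rule, and between the two writes the object has only its inherited rules; if none of those grant the caller WRITE_DAC, the second write fails and the explicit rule is lost. The following PowerShell function is an added example, not code from the thread, that gets the same refresh with a single DACL write per object and no change to the explicit rules: SetAccessRuleProtection($false, $false) keeps inheritance enabled but marks the DACL as modified, so Set-Acl persists it. It generalises to a whole tree (parents first) and skips objects whose inheritance was deliberately disabled. The root path is an assumed sample, and the function name is this example's own.

```powershell
# Added example, not code from the thread. One DACL write per object re-applies
# the current parent's inheritable ACEs; explicit ACEs are untouched.

function Repair-NtfsInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Root)

    # Parents before children: once a folder's DACL has been recomputed, the ACEs
    # it hands down are already correct. A shorter full path is always an ancestor.
    $top   = Get-Item -LiteralPath $Root -Force
    $items = @($top)
    if ($top.PSIsContainer) {
        $items += Get-ChildItem -LiteralPath $Root -Recurse -Force |
                  Sort-Object { $_.FullName.Length }
    }

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName

        if ($acl.AreAccessRulesProtected) {
            # Inheritance was switched off on purpose here; leave that decision alone.
            Write-Warning "Skipping protected DACL: $($item.FullName)"
            continue
        }

        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
        if ($PSCmdlet.ShouldProcess($item.FullName, "rewrite DACL, keeping $explicit explicit ACE(s)")) {
            # isProtected = $false keeps inheritance enabled; the call flags the DACL
            # as changed, so Set-Acl writes it back and the OS refreshes inherited ACEs.
            $acl.SetAccessRuleProtection($false, $false)
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        }
    }
}

Repair-NtfsInheritance -Root 'D:\Test2' -WhatIf   # preview; drop -WhatIf to apply
```

Run it with -WhatIf first and compare the count of explicit ACEs it reports with what you expect to keep. The account running it needs WRITE_DAC on every object (as owner, through an explicit or inherited ACE, or through the restore privilege held by Administrators and Backup Operators). On Vista and Windows Server 2008 and later, where the move already refreshes inherited ACEs, the rewrite changes nothing.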
 
Hi Roger,

Does the code in my last reply address the issue on your side? If you have
any further questions or concerns, please let me know. Have a nice day!


Best regards,
Colbert Zhou
Microsoft Online Support Team
 