programmatically change permissions on folder in windows?

brandon


Windows 2000 File server SP4:

Here is what we are doing:

If I go to folder> security> add <security group>
Then folder> security> Advanced> Permissions> Replace permission entries on all child objects we get this dialog box

---------------------------
Security
---------------------------
This will remove explicitly defined permissions on all child objects and enable propagation of inheritable permissions to those child objects. Only inheritable permissions propagated from "FOLDER" will take effect.

Do you wish to continue?
---------------------------
Yes No
---------------------------
Here is our Question:

Is there any way to programmatically add a group to a folder structure and all child objects without removing the values and permissions that already exist on the folder structure and child objects? We do not want to remove the permissions that were explicitly defined, we simply want to add a group to the existing permissions.
 
Two threads of response here.

First, if you simply add the new ACE and leave the setting to apply to This folder, subfolders, and files as seen in the Adv / Edit drill-in, then the new ACE will inherit down without changing any of the settings on objects in the substructure other than adding this new ACE. However, if inheritance is blocked at some point in the substructure, then this new ACE will not be inherited onto that point and its substructure.

That is a reasonable behavior, as it makes the assumption that where inheritance is blocked, it was the intent to have inheritance blocked. Sort of a doh, say what? The only way around this is to locate each new inheritance point in the substructure and add the ACE if this is what is intended as the result.

Now, the other thread. This can be done with tools such as cacls (or xcacls) or by use of a script with the security provider of WMI. However, even with these, one needs to locate each inheritance point and add the ACE to them if the intent is to have the new ACE on the entire substructure when that substructure contains areas with inheritance blocked that should remain so.
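
The approach described in the reply above, as an added example that is not part of the original thread: it adds one ACE at the root and at every object where inheritance is blocked, leaving existing entries and the blocks themselves untouched. It assumes PowerShell 3.0 or later (newer than the Windows 2000 server in the question, so it would be run from a newer host against the share); `$Root`, `$Group` and the default rights are placeholders.

```powershell
# Added example: add a group ACE without replacing existing permissions.
# $Root, $Group and the default $Rights are placeholders (assumptions), not from the thread.
param(
    [Parameter(Mandatory)] [string] $Root,
    [Parameter(Mandatory)] [string] $Group,
    [System.Security.AccessControl.FileSystemRights] $Rights = 'ReadAndExecute',
    [switch] $Apply   # without -Apply the script only reports what it would change
)

function Get-InheritancePoint {
    param([string] $Path)
    # The root always gets the ACE; everything that still inherits picks it up from there.
    Get-Item -LiteralPath $Path
    # Objects with protected ACLs (inheritance blocked) will not receive it,
    # so each one is returned as an additional point to update.
    Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Where-Object { (Get-Acl -LiteralPath $_.FullName).AreAccessRulesProtected }
}

foreach ($item in Get-InheritancePoint -Path $Root) {
    if ($item.PSIsContainer) {
        # "This folder, subfolders, and files"
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else {
        # A file has no children, so its ACE carries no inheritance flags.
        $inherit = [System.Security.AccessControl.InheritanceFlags]::None
    }

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, $Rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -LiteralPath $item.FullName
    $acl.AddAccessRule($rule)   # merges with the existing entries; nothing is removed

    if ($Apply) {
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
        "Added $Group ($Rights) at $($item.FullName)"
    } else {
        "Would add $Group ($Rights) at $($item.FullName)"
    }
}
```

Run it first without `-Apply` and review the listed inheritance break points, since each one was presumably blocked on purpose and may not be a place where the new group should have access.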
 