Guest
Hello.
I am writing some code that accepts a DFS Link and Username and grants that
User permissions to the physical directory that the DFS Link corresponds to.
I am using the System.Management namespace and WMI queries.
When I run the code below and check the Security tab of the folder, I find
that all entries have been cleared – which is ok and this is expected; the main
problem is that the User that I have set up the Trustee and ACE object for
has not been added. Interestingly (just before I set the permissions) I
retrieve the first ACE in the access list and then add it back into the
DACL[] property of the SecurityDescriptor object. In the code below, this is
where I add 'firstAce' to the DACL property instead of 'Ace'. When I check
the folder, the entry is added to the list.
I can probably assume that the code that actually sets the permissions does
work. What must be going wrong is either the way I have configured the
Trustee or the ACE object. The user for whom we need to set permissions
can be identified by the SID. I recover the SIDString using a WMI query,
passing in the Username and Domain, and then convert the resultant string
value into a byte array (the SID needs to be in this format). I do this
conversion using the ASCIIEncoding class of System.Text; perhaps this is
where things are going wrong. Is there a more effective way of converting
from String to Byte Array?
Any thoughts on where there could be issues?
Thanks,
Praveen.
Here is the code below:
using System;
using System.Management;

class DfsPermissions
{
    // Inputs: strDFSLink is the physical directory the DFS link resolves to;
    // bSID is the user's SID as a byte array (Win32_Trustee.SID expects the binary SID).
    static void SetPermissions(string strDFSLink, byte[] bSID)
    {
        //***TRUSTEE***
        //Create Trustee management object (Win32_Trustee) setting the SID
        //(converted to byte array) and Username
        ManagementObject Trustee = new ManagementClass(new ManagementPath("Win32_Trustee"), null).CreateInstance();
        Trustee["SID"] = bSID; //SID as a byte array

        //***ACE***
        //Create ACE management object (Win32_ACE) setting the AccessMask, AceFlags,
        //AceType and Trustee (to Trustee object)
        ManagementObject Ace = new ManagementClass(new ManagementPath("Win32_ACE"), null).CreateInstance();
        Ace["AccessMask"] = (uint)2032127; // 0x1F01FF = FILE_ALL_ACCESS (Full Control)
        Ace["AceFlags"] = (uint)3;         // OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
        Ace["AceType"] = (uint)0;          // ACCESS_ALLOWED_ACE_TYPE
        Ace["Trustee"] = Trustee;

        //***SecurityDescriptor***
        //Retrieve the Security Descriptor passing in the path to the physical directory
        string dirClassPath1 = @"Win32_LogicalFileSecuritySetting='" + strDFSLink + "'";
        ManagementObject Win32LogicalFileSecuritySetting = new ManagementObject(new ManagementPath(dirClassPath1), null);
        ManagementBaseObject outParams1 = Win32LogicalFileSecuritySetting.InvokeMethod("GetSecurityDescriptor", null, null);
        ManagementBaseObject SecurityDescriptor1 = (ManagementBaseObject)outParams1["Descriptor"];

        //Get the first ACE in the existing DACL for this folder
        ManagementBaseObject firstAce = ((ManagementBaseObject[])SecurityDescriptor1["DACL"])[0];

        //Set parameters for Security Descriptor
        SecurityDescriptor1["ControlFlags"] = (uint)4; // SE_DACL_PRESENT
        SecurityDescriptor1["DACL"] = new object[1] { Ace }; // replaces the whole DACL with this one entry
        //ALTERNATIVELY SET TO THE FIRST ENTRY IN THE EXISTING DACL
        //SecurityDescriptor1["DACL"] = new object[1] { firstAce };

        //***Set Permissions
        string dirClassPath2 = @"Win32_Directory='" + strDFSLink + "'";
        ManagementObject Win32Directory = new ManagementObject(new ManagementPath(dirClassPath2), null);
        ManagementBaseObject inParams2 = Win32Directory.GetMethodParameters("ChangeSecurityPermissions");
        inParams2["Option"] = (uint)4; // DACL_SECURITY_INFORMATION: only the DACL is written
        inParams2["SecurityDescriptor"] = SecurityDescriptor1;
        ManagementBaseObject outParams2 = Win32Directory.InvokeMethod("ChangeSecurityPermissions", inParams2, null);
        // outParams2["ReturnValue"] is 0 on success
    }
}
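An added example (not the original poster's code) covering the two points a reviewer would raise against the code above. First, ASCII-encoding "S-1-5-21-..." produces the byte values of those characters, not a SID; Win32_Trustee.SID needs the binary SID layout, which System.Security.Principal.SecurityIdentifier.GetBinaryForm produces directly from the string. Second, assigning a one-element DACL wipes every other entry (SYSTEM and Administrators included); appending to the array returned by GetSecurityDescriptor keeps them. The class and method names here are hypothetical, the SID string and directory path are assumed to be supplied by the caller, and the object paths use explicit key names with backslashes doubled because WMI treats a backslash in a key value as an escape character.

```csharp
using System;
using System.Management;
using System.Security.Principal;

// Hypothetical helper, added as an example; not part of the original post.
static class DirectoryAcl
{
    const uint FILE_ALL_ACCESS           = 0x1F01FF; // 2032127, Full Control
    const uint INHERIT_FLAGS             = 0x1 | 0x2; // OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
    const uint ACCESS_ALLOWED_ACE_TYPE   = 0;
    const uint SE_DACL_PRESENT           = 0x4;
    const uint DACL_SECURITY_INFORMATION = 0x4;       // ChangeSecurityPermissions Option

    // "S-1-5-21-..." -> binary SID (revision, sub-authority count, authority, sub-authorities).
    // This is what Win32_Trustee.SID expects; Encoding.ASCII.GetBytes(sidString) is not.
    public static byte[] SidStringToBinary(string sidString)
    {
        SecurityIdentifier sid = new SecurityIdentifier(sidString);
        byte[] bytes = new byte[sid.BinaryLength];
        sid.GetBinaryForm(bytes, 0);
        return bytes;
    }

    // Backslash escapes inside a WMI object-path key value, so double it; escape quotes too.
    static string EscapeForWmiPath(string path)
    {
        return path.Replace(@"\", @"\\").Replace("'", @"\'");
    }

    // Appends an allow ACE for sidString to directoryPath's DACL. Returns the
    // ChangeSecurityPermissions return code (0 = success).
    public static uint GrantFullControl(string directoryPath, string sidString)
    {
        ManagementObject trustee = new ManagementClass("Win32_Trustee").CreateInstance();
        trustee["SID"] = SidStringToBinary(sidString); // Name/Domain are optional when SID is set

        ManagementObject ace = new ManagementClass("Win32_ACE").CreateInstance();
        ace["AccessMask"] = FILE_ALL_ACCESS; // typed uint32 rather than "2032127"
        ace["AceFlags"]   = INHERIT_FLAGS;
        ace["AceType"]    = ACCESS_ALLOWED_ACE_TYPE;
        ace["Trustee"]    = trustee;

        string escaped = EscapeForWmiPath(directoryPath);
        ManagementObject setting = new ManagementObject("Win32_LogicalFileSecuritySetting.Path='" + escaped + "'");
        ManagementBaseObject got = setting.InvokeMethod("GetSecurityDescriptor", null, null);
        if ((uint)got["ReturnValue"] != 0)
            throw new InvalidOperationException("GetSecurityDescriptor failed: " + got["ReturnValue"]);
        ManagementBaseObject descriptor = (ManagementBaseObject)got["Descriptor"];

        // Keep the existing entries (inherited ones come back too, with AceFlags bit 0x10 set)
        // and append the new ACE instead of replacing the whole DACL.
        ManagementBaseObject[] existing = (ManagementBaseObject[])descriptor["DACL"];
        if (existing == null) existing = new ManagementBaseObject[0];
        ManagementBaseObject[] dacl = new ManagementBaseObject[existing.Length + 1];
        existing.CopyTo(dacl, 0);
        dacl[existing.Length] = ace;
        descriptor["DACL"] = dacl;
        descriptor["ControlFlags"] = SE_DACL_PRESENT;

        ManagementObject dir = new ManagementObject("Win32_Directory.Name='" + escaped + "'");
        ManagementBaseObject inParams = dir.GetMethodParameters("ChangeSecurityPermissions");
        inParams["Option"] = DACL_SECURITY_INFORMATION;
        inParams["SecurityDescriptor"] = descriptor;
        ManagementBaseObject result = dir.InvokeMethod("ChangeSecurityPermissions", inParams, null);
        return (uint)result["ReturnValue"];
    }
}
```

Usage: DirectoryAcl.GrantFullControl(@"D:\Shares\Projects", "S-1-5-21-...-1105") and check that the return value is 0, then confirm the new entry on the Security tab with the rest of the list still present. If the SID string came from WMI (Win32_UserAccount.SID), it is already in "S-1-..." form and needs no further processing before SidStringToBinary.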