 |
trojanz
Level: Protégé
Registered: 04-02-2006
Posts: 8
|
Programmatically set NTFS folder permissions.
Kudos to y'all! I've been searching on the web for the above mentioned subject but couldn't find any. I was hoping that somebody could help me...
____________________________
I would if I could but I can't so I won't.
|
|
05-02-2006 at 07:48 AM |
|
|
Goran
Level: Moderator
Registered: 16-05-2002
Posts: 1681
|
Re: Programmatically set NTFS folder permissions.
Slightly modified SetAccess function from the above link.
Public Sub RemoveAccess(sUserName As String, sFileName As String)
Dim lResult As Long ' Result of various API calls.
Dim I As Integer ' Used in looping.
Dim bUserSid(255) As Byte ' This will contain your SID.
Dim bTempSid(255) As Byte ' This will contain the Sid of each ACE in the ACL .
Dim sSystemName As String ' Name of this computer system.
Dim lSystemNameLength As Long ' Length of string that contains
' the name of this system.
Dim lLengthUserName As Long ' Max length of user name.
'Dim sUserName As String * 255 ' String to hold the current user
' name.
Dim lUserSID As Long ' Used to hold the SID of the
' current user.
Dim lTempSid As Long ' Used to hold the SID of each ACE in the ACL
Dim lUserSIDSize As Long ' Size of the SID.
Dim sDomainName As String * 255 ' Domain the user belongs to.
Dim lDomainNameLength As Long ' Length of domain name needed.
Dim lSIDType As Long ' The type of SID info we are
' getting back.
Dim sFileSD As SECURITY_DESCRIPTOR ' SD of the file we want.
Dim bSDBuf() As Byte ' Buffer that holds the security
' descriptor for this file.
Dim lFileSDSize As Long ' Size of the File SD.
Dim lSizeNeeded As Long ' Size needed for SD for file.
Dim sNewSD As SECURITY_DESCRIPTOR ' New security descriptor.
Dim sACL As ACL ' Used in grabbing the DACL from
' the File SD.
Dim lDaclPresent As Long ' Used in grabbing the DACL from
' the File SD.
Dim lDaclDefaulted As Long ' Used in grabbing the DACL from
' the File SD.
Dim sACLInfo As ACL_SIZE_INFORMATION ' Used in grabbing the ACL
' from the File SD.
Dim lACLSize As Long ' Size of the ACL structure used
' to get the ACL from the File SD.
Dim pAcl As Long ' Current ACL for this file.
Dim lNewACLSize As Long ' Size of new ACL to create.
Dim bNewACL() As Byte ' Buffer to hold new ACL.
Dim sCurrentACE As ACCESS_ALLOWED_ACE ' Current ACE.
Dim pCurrentAce As Long ' Our current ACE.
Dim nRecordNumber As Long
' Get the SID of the user. (Refer to the MSDN for more information on SIDs
' and their function/purpose in the operating system.) Get the SID of this
' user by using the LookupAccountName API. In order to use the SID
' of the current user account, call the LookupAccountName API
' twice. The first time is to get the required sizes of the SID
' and the DomainName string. The second call is to actually get
' the desired information.
lResult = LookupAccountName(vbNullString, sUserName, _
bUserSid(0), 255, sDomainName, lDomainNameLength, _
lSIDType)
' Now set the sDomainName string buffer to its proper size before
' calling the API again.
sDomainName = Space(lDomainNameLength)
' Call the LookupAccountName again to get the actual SID for user.
lResult = LookupAccountName(vbNullString, sUserName, _
bUserSid(0), 255, sDomainName, lDomainNameLength, _
lSIDType)
' Return value of zero means the call to LookupAccountName failed;
' test for this before you continue.
If (lResult = 0) Then
MsgBox "Error: Unable to Lookup the Current User Account: " _
& sUserName
Exit Sub
End If
' You now have the SID for the user who is logged on.
' The SID is of interest since it will get the security descriptor
' for the file that the user is interested in.
' The GetFileSecurity API will retrieve the Security Descriptor
' for the file. However, you must call this API twice: once to get
' the proper size for the Security Descriptor and once to get the
' actual Security Descriptor information.
lResult = GetFileSecurityN(sFileName, DACL_SECURITY_INFORMATION, _
0, 0, lSizeNeeded)
' Redimension the Security Descriptor buffer to the proper size.
ReDim bSDBuf(lSizeNeeded)
' Now get the actual Security Descriptor for the file.
lResult = GetFileSecurity(sFileName, DACL_SECURITY_INFORMATION, _
bSDBuf(0), lSizeNeeded, lSizeNeeded)
' A return code of zero means the call failed; test for this
' before continuing.
If (lResult = 0) Then
MsgBox "Error: Unable to Get the File Security Descriptor"
Exit Sub
End If
' Call InitializeSecurityDescriptor to build a new SD for the
' file.
lResult = InitializeSecurityDescriptor(sNewSD, _
SECURITY_DESCRIPTOR_REVISION)
' A return code of zero means the call failed; test for this
' before continuing.
If (lResult = 0) Then
MsgBox "Error: Unable to Initialize New Security Descriptor"
Exit Sub
End If
' You now have the file's SD and a new Security Descriptor
' that will replace the current one. Next, pull the DACL from
' the SD. To do so, call the GetSecurityDescriptorDacl API
' function.
lResult = GetSecurityDescriptorDacl(bSDBuf(0), lDaclPresent, _
pAcl, lDaclDefaulted)
' A return code of zero means the call failed; test for this
' before continuing.
If (lResult = 0) Then
MsgBox "Error: Unable to Get DACL from File Security " _
& "Descriptor"
Exit Sub
End If
' You have the file's SD, and want to now pull the ACL from the
' SD. To do so, call the GetACLInformation API function.
' See if ACL exists for this file before getting the ACL
' information.
If (lDaclPresent = False) Then
MsgBox "Error: No ACL Information Available for this File"
Exit Sub
End If
' Attempt to get the ACL from the file's Security Descriptor.
lResult = GetAclInformation(pAcl, sACLInfo, Len(sACLInfo), 2&)
' A return code of zero means the call failed; test for this
' before continuing.
If (lResult = 0) Then
MsgBox "Error: Unable to Get ACL from File Security Descriptor"
Exit Sub
End If
' Now that you have the ACL information, compute the new ACL size
' requirements.
lNewACLSize = sACLInfo.AclBytesInUse
' Resize our new ACL buffer to its proper size.
ReDim bNewACL(lNewACLSize)
' Use the InitializeAcl API function call to initialize the new
' ACL.
lResult = InitializeAcl(bNewACL(0), lNewACLSize, ACL_REVISION)
' A return code of zero means the call failed; test for this
' before continuing.
If (lResult = 0) Then
MsgBox "Error: Unable to Initialize New ACL"
Exit Sub
End If
' If a DACL is present, copy it to a new DACL.
If (lDaclPresent) Then
' Copy the ACEs from the file to the new ACL.
If (sACLInfo.AceCount > 0) Then
' Grab each ACE and stuff them into the new ACL.
nRecordNumber = 0
For I = 0 To (sACLInfo.AceCount - 1)
' Attempt to grab the next ACE.
lResult = GetAce(pAcl, I, pCurrentAce)
' Make sure you have the current ACE under question.
If (lResult = 0) Then
MsgBox "Error: Unable to Obtain ACE (" & I & ")"
Exit Sub
End If
' You have a pointer to the ACE. Place it
' into a structure, so you can get at its size.
CopyMemory sCurrentACE, pCurrentAce, LenB(sCurrentACE)
'Skip adding the ACE to the ACL if this is same usersid
lTempSid = pCurrentAce + 8
If EqualSid(bUserSid(0), lTempSid) = 0 Then
' Now that you have the ACE, add it to the new ACL.
lResult = AddAce(VarPtr(bNewACL(0)), ACL_REVISION, _
MAXDWORD, pCurrentAce, _
sCurrentACE.Header.AceSize)
' Make sure you have the current ACE under question.
If (lResult = 0) Then
MsgBox "Error: Unable to Add ACE to New ACL"
Exit Sub
End If
nRecordNumber = nRecordNumber + 1
End If
Next I
' Set the file's Security Descriptor to the new DACL.
lResult = SetSecurityDescriptorDacl(sNewSD, 1, _
bNewACL(0), 0)
' Make sure you set the SD to the new DACL.
If (lResult = 0) Then
MsgBox "Error: " & _
"Unable to Set New DACL to Security Descriptor"
Exit Sub
End If
' The final step is to add the Security Descriptor back to
' the file!
lResult = SetFileSecurity(sFileName, _
DACL_SECURITY_INFORMATION, sNewSD)
' Make sure you added the Security Descriptor to the file!
If (lResult = 0) Then
MsgBox "Error: Unable to Set New Security Descriptor " _
& " to File : " & sFileName
MsgBox Err.LastDllError
Else
MsgBox "Updated Security Descriptor on File: " _
& sFileName
End If
End If
End If
End Sub |
____________________________
If you find the answer helpful, please mark this topic as solved.
|
|
07-02-2006 at 12:15 AM |
|
|
trojanz
Level: Protégé
Registered: 04-02-2006
Posts: 8
|
Re: Programmatically set NTFS folder permissions.
Would this work if let's say I would change folder permissions on a different domain? For example, if folder A is on domain A, and I'm on domain B and I wan't to change the permissions of folder A to full access to me, would that be possible? I'm making a Document Archiving software which would enable certain departments to scan and save documents in a folder which is located on a different domain. I've created a main folder (namely DocumentArchive) which is dedicated for the software I'm developing. This main folder is shared by the way. And inside the main folder are folders each named after the available departments here in the company. Now the reason I want this folder permission thingy is let's say that we, the Administrators would have to add a new folder for a new department or group, we'll just specify the usernames on my application rather than going through the remote machine where the main folder is and set folder permissions there. I hope this makes it clear.
____________________________
I would if I could but I can't so I won't.
|
|
07-02-2006 at 08:28 AM |
|
|
daBoozman
Level: Trainee
Registered: 02-06-2006
Posts: 1
|
Re: Programmatically set NTFS folder permissions.
This all works great, glad I found this posting.
I have a situation where I have to repermission an entire server. Most folders will have many groups with different access needs.
Is there a way to build a single access structure with all the different perms included then assign that one structure to the file/folders instead of having to loop through many cycles of adding users/groups one at a time?
Or possibly would you loop through the BuildExplicitAccessWithName and ret = SetEntriesInAcl pieces for each user/group then just run the ret = SetNamedSecurityInfo once?
|
|
02-06-2006 at 05:54 PM |
|
|
Tim_Myth
Level: Trainee
Registered: 30-10-2008
Posts: 1
|
Re: Programmatically set NTFS folder permissions.
This sounds a lot like what I need to do, but everything I've read seems to indicate that I can only set permissions for specific users. I want to give full control to ALL users.
My situtation is this: I administer a network of about 1500 PCs. I have about ~3000 users that can be sitting at anyone of the PCs. I do not know all of their user IDs. I can manually browse to each PC on the network using Windows Explorer, right click on the folder for which Full Control needs to be granted, Click on "security" tab, Scroll down to "Users (W......)", Highlight "Users (W......)", Check box for full control, then Click Apply and then Okay.
I'm lazy and don't want to have do this manual operation for all 1500 PCs. Besides, even if it only takes 20 seconds per PC, I'm still looking at 2 days of mind-numbingly tedious work. I'd like to script a solution to automate this entire process. Will a variation of this code allow me to accomplish my goal?
|
|
30-10-2008 at 02:09 PM |
|
|
|
|
 |
|
my skull trying to figure out how to implement it properly. But now, I've encountered something from using this code and myabe you can help me figure it out. It seems taht with this code, you can keep adding users with their specified permissions. But I can't delete them programmatically! I can keep adding but I can't remove them. Can you please help me with this one?
I believe you should be able to, altough I never tried it.. LookopAccountName will work on the domain, but for the rest of it, try it yourself... At the beginning of MS article, you see what rights you need to have in order to execute those API's.
