Reputation: 275
Using the code below I denied write permission for a user. Even when I check the Security tab, only the write permission is denied, but I'm not able to access the folder for reading.
// Requires COM references to ActiveDs (Active DS Type Library) and ADsSecurity (ADSSECURITYLib).
// vPath is the folder to protect and UserName the account to deny; both are set elsewhere.
ADsSecurity objADsSec;
SecurityDescriptor objSecDes;
AccessControlList objDAcl;
AccessControlEntry objAce1;
AccessControlEntry objAce2;
Object objSIdHex;
ADsSID objSId;
objADsSec = new ADsSecurityClass();
// Read the folder's current security descriptor and its DACL.
objSecDes = (SecurityDescriptor)(objADsSec.GetSecurityDescriptor("FILE://" + vPath));
objDAcl = (AccessControlList)objSecDes.DiscretionaryAcl;
// Resolve the account name to a SID and render it as an SDDL string for the Trustee field.
objSId = new ADsSIDClass();
objSId.SetAs((int)ADSSECURITYLib.ADS_SID_FORMAT.ADS_SID_SAM, UserName.ToString());
objSIdHex = objSId.GetAs((int)ADSSECURITYLib.ADS_SID_FORMAT.ADS_SID_SDDL);
// Build a deny ACE for generic write that is inherited by subfolders (INHERIT_ACE = 2) and files (1).
objAce2 = new AccessControlEntryClass();
objAce2.Trustee = (objSIdHex).ToString();
objAce2.AccessMask = (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_GENERIC_WRITE;
objAce2.AceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED;
objAce2.AceFlags = (int)ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE | 1;
// AddAce appends the entry to the end of the existing ACE list.
objDAcl.AddAce(objAce2);
objSecDes.DiscretionaryAcl = objDAcl;
// Set permissions on the NTFS file system folder.
objADsSec.SetSecurityDescriptor(objSecDes, "FILE://" + vPath);
Upvotes: 1
Views: 379
Reputation: 392833
You're not showing objAce1.
You need to order Deny ACE entries before Grant ACE entries.
Try swapping the order of entries in the ACL.
Thus, the DACL's list of ACEs should be appropriately ordered. The standard (canonical) ordering is to first place explicit denies, then explicit allows, general (group) denies, and group allows. If the canonical ordering isn't used, unanticipated allows or denies may occur.
From Understanding Windows File And Registry Permissions.
Upvotes: 1
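The canonical ordering the answer describes (explicit denies, then explicit allows, then inherited entries) is what the managed System.Security.AccessControl API maintains for you when you go through DirectorySecurity.AddAccessRule rather than appending with AccessControlList.AddAce. The following is an added example, not code from the question or the answer: it denies write access for one account on one folder and refuses to write the descriptor back if the resulting DACL is out of canonical order. The folder path and account name are command-line placeholders; the class name DenyWriteExample and the helper IsCanonical are my own. On .NET Framework GetAccessControl/SetAccessControl are instance methods of DirectoryInfo; on .NET Core and later the same calls come from the System.IO.FileSystem.AccessControl package.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example (not from the question or answer): deny write access for one account
// using the managed ACL API, which keeps the DACL in canonical order.
static class DenyWriteExample
{
    // Canonical DACL order: explicit Deny ACEs, then explicit Allow ACEs, then inherited ACEs.
    // Returns false at the first ACE that appears out of that order.
    public static bool IsCanonical(AuthorizationRuleCollection rules)
    {
        int stage = 0; // 0 = explicit deny, 1 = explicit allow, 2 = inherited
        foreach (FileSystemAccessRule rule in rules)
        {
            int ruleStage = rule.IsInherited ? 2
                          : rule.AccessControlType == AccessControlType.Deny ? 0 : 1;
            if (ruleStage < stage)
                return false;
            stage = ruleStage;
        }
        return true;
    }

    public static void DenyWrite(string folder, string account)
    {
        var dir = new DirectoryInfo(folder);
        DirectorySecurity sec = dir.GetAccessControl(AccessControlSections.Access);

        // FileSystemRights.Write is only the four write-class rights (WriteData, AppendData,
        // WriteAttributes, WriteExtendedAttributes), so nothing a reader needs is in the mask.
        var deny = new FileSystemAccessRule(
            new NTAccount(account),
            FileSystemRights.Write,
            // Same inheritance as INHERIT_ACE | 1 in the question: subfolders and files.
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Deny);

        // AddAccessRule inserts the Deny ACE ahead of the existing Allow ACEs instead of
        // appending it, so the DACL stays canonical.
        sec.AddAccessRule(deny);

        // Defensive check before committing: never write a non-canonical DACL to disk.
        if (!IsCanonical(sec.GetAccessRules(true, true, typeof(NTAccount))))
            throw new InvalidOperationException("DACL is not in canonical order; not applying it");

        dir.SetAccessControl(sec);
    }

    static void Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.WriteLine("usage: DenyWriteExample <folder> <DOMAIN\\user>");
            return;
        }
        DenyWrite(args[0], args[1]);
        Console.WriteLine("Deny-write ACE added; DACL is canonical.");
    }
}
```

After running it, the Security tab (or `icacls <folder>`) should list the deny entry first, ahead of every allow entry, which is the order the answer's quoted passage calls for.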