API to change "Allow inheritable permissions...

Tim Bedford

Hi,
Windows 2000: Under the Security tab in the right-click, file/dir properties
dialog thing there's a checkbox to "Allow inheritable permissions from
parent to propagate to this object".

How do you do this programmatically? I've tried using the flags in the
AddAccessAllowedAceEx call on the object in question and its parent object
but can't get it to work.

Sorry if this question's been asked a thousand times already.
thanks for any help,

Tim
 
Nick Finco [MSFT]

Use GetNamedSecurityInfo to grab the DACL or SACL of the object. Then use
GetAce to retrieve each ACE until you find the one you are trying to modify.
Once you have found the ACE, type-cast it to an ACE_HEADER (you most likely
already did this to determine the ACE type). Then modify the AceFlags field
to include the correct flag. Pass the security descriptor you retrieved
into SetNamedSecurityInfo to set the modified ACL onto the object.

You could also pass the security descriptor returned from
GetNamedSecurityInfo into ConvertSecurityDescriptorToSecurityDescriptor,
modify the SDDL string to reflect the new flags, convert the string back
into a security descriptor
(ConvertSecurityDescriptorToStringSecurityDescriptor), and use
SetNamedSecurityInfo like above.

N
 
Tim Bedford

Have done what you suggested (in first paragraph). But I find that when I
change the flags to 0, Windows 2000 then automatically adds a new
inherited ACE. I can get round the effects of this by adding, say, an
Administrator allowed ACE, followed by an Everyone denied ACE. The
inherited ACE (Everyone allowed) is then tagged on the end but is
ineffective. This works but it goes against ACE ordering guidelines and
Explorer's not happy when you want to examine it.
any help appreciated,

Tim
 
Nick Finco [MSFT]

Ok, I see what you are trying to do. You don't want this ACL to inherit any
ACEs from the parent, aka. a Protected ACL. When you have the security
descriptor in memory, add the SE_DACL_PROTECTED flag to its Control field.
Then go ahead and set it using SetNamedSecurityInfo.

N

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Any included code samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
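
The two fields discussed above (the Control word of the security descriptor and AceFlags in each ACE_HEADER), shown at the byte level as an added example that is not code from the thread: portable C that walks a constructed self-relative security descriptor, sets SE_DACL_PROTECTED, and counts the ACEs still marked INHERITED_ACE. The sample buffer and the function name `protect_dacl` are made up for illustration; on a live system the bit is applied through the API (SetSecurityDescriptorControl, or PROTECTED_DACL_SECURITY_INFORMATION passed to SetNamedSecurityInfo) rather than by editing bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define SE_DACL_PRESENT   0x0004   /* constants as defined in winnt.h */
#define SE_DACL_PROTECTED 0x1000
#define SE_SELF_RELATIVE  0x8000
#define INHERITED_ACE     0x10
/* Constructed sample: self-relative SD, DACL at offset 20 holding an explicit
 * Administrators allow ACE and an inherited Everyone allow ACE. */
uint8_t sample_sd[] = {
    0x01,0x00, 0x04,0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0x14,0,0,0, /* SD header */
    0x02,0x00, 0x34,0x00, 0x02,0x00, 0x00,0x00,                  /* ACL header */
    0x00,0x00,0x18,0x00, 0xFF,0x01,0x1F,0x00,                    /* ACE 1 header + mask */
    1,2,0,0,0,0,0,5, 0x20,0,0,0, 0x20,0x02,0,0,                  /* S-1-5-32-544 */
    0x00,0x10,0x14,0x00, 0xFF,0x01,0x1F,0x00,                    /* ACE 2, INHERITED_ACE */
    1,1,0,0,0,0,0,1, 0,0,0,0                                     /* S-1-1-0 */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Set SE_DACL_PROTECTED in Control and return how many ACEs still carry
 * INHERITED_ACE in ACE_HEADER.AceFlags; -1 if malformed or no DACL. */
int protect_dacl(uint8_t *sd, size_t len)
{
    if (len < 20 || sd[0] != 1) return -1;           /* 20-byte header, Revision 1 */
    uint16_t control = rd16(sd + 2);
    size_t off = rd16(sd + 16) | ((size_t)rd16(sd + 18) << 16);   /* OffsetDacl */
    if (!(control & SE_SELF_RELATIVE) || !(control & SE_DACL_PRESENT)) return -1;
    if (off < 20 || off > len || len - off < 8) return -1;
    const uint8_t *acl = sd + off;
    size_t acl_size = rd16(acl + 2), pos = 8;        /* AclSize; ACEs follow header */
    unsigned count = rd16(acl + 4);                  /* AceCount */
    if (acl_size < 8 || acl_size > len - off) return -1;
    int inherited = 0;
    for (unsigned i = 0; i < count; i++) {
        if (acl_size - pos < 4) return -1;           /* room for an ACE_HEADER */
        size_t ace_size = rd16(acl + pos + 2);       /* AceSize */
        if (ace_size < 4 || ace_size > acl_size - pos) return -1;
        if (acl[pos + 1] & INHERITED_ACE) inherited++;   /* AceFlags */
        pos += ace_size;
    }
    control |= SE_DACL_PROTECTED;
    sd[2] = (uint8_t)(control & 0xFF); sd[3] = (uint8_t)(control >> 8);
    return inherited;
}

int main(void) {
    printf("inherited ACEs left: %d\n", protect_dacl(sample_sd, sizeof sample_sd));
    return 0;
}
```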
 
Nick Finco [MSFT]

I can't remember the issue off the top of my head but I have had that same
error before when the revision number was set properly. If I remember what
was wrong, I'll post the fix.

One odd thing that happens is that marta splits inherit ACEs up. You'll get
two ACEs. One only specifying the inheritance aspect of the ACE and another
specifying permissions for the current object. You may be seeing that.

N

 
Tim Bedford

Peachy! Should have explained myself better (and RTFM). Thought I knew
SetSecurityInfo from days of old, didn't count on Win2000 update. Thanks
very much Nick, I'll keep checking in case you remember what the
ConvertToString problem is.

Tim
 
Nick Finco [MSFT]

I'm glad to hear that worked for you. I haven't remembered the Convert
issue which means I most likely won't. ;) I'd have to look at your code to
get an idea of what's going on. It's probably an issue with the binary SD
you have created. Since you got your other code working though it's not a
big deal. Good luck with the program.

N

 
