Setting NTFS permissions of a remote folder with WMI from a web app


Amit Desai

Guys. I need to set the file permissions of a folder on a remote fileserver
for a user I have just created using the web app I am writing.
I have the user's account name and SID, the name of the file server and the
physical path to the parent folder.

This is what I have so far.. but can't get it to work.. I get various
exceptions with the WMI calls.. Can someone look it over and point out the
obvious mistakes? Also.. I am not sure about my process of converting the
user's SID into a byte array to assign to the trustee. I have the SID in the
form of a string and also an IntPtr

//Connect to the WMI namespace on the file server
ManagementScope managementscope = new ManagementScope(@"\\" + serverName + @"\root\cimv2",connOp);
ManagementPath managementpath = new ManagementPath("Win32_Process");
ManagementClass mangagementclass = new ManagementClass(managementscope,managementpath,null);

//Create Trustee (user identifier)
ManagementObject Trustee = new ManagementClass(managementscope,new ManagementPath("Win32_Trustee"),null).CreateInstance();

//Set SID of trustee to new users sid
byte [] SID = null;
int SidLen = ((int)user.SID.ToSIDPtr()) / (int)Math.Pow(2,8);
SID = new byte[SidLen];
Marshal.Copy(user.SID.ToSIDPtr(),SID,0,SidLen);
Trustee["SID"] = SID;
Trustee["Name"] = user.AccountName;

//Set ACE for user
ManagementObject Ace = new ManagementClass(managementscope,new ManagementPath("Win32_ACE"),null).CreateInstance();

//Set Permissions
//AccessMasks : Full Control = 2032127, Change = 1245631, Read = 1179785
Ace["AccessMask"] = "1245631";

//Set Ace flags : Bit flags that specify inheritance of the ACE
Ace["AceFlags"] = "3";

//Set AceType : Allowed = 0, Denied = 1, Audit = 2
Ace["AceType"] = 0;

//Set Trustee to apply ACEs to
Ace["Trustee"] = Trustee;

//Create Security Descriptor to assign to the folder
ManagementObject SecurityDescriptor = new ManagementClass(managementscope,new ManagementPath("Win32_SecurityDescriptor"),null).CreateInstance();

//Set Control Flag : SE_DACL_PRESENT indicates a security descriptor containing a DACL.
SecurityDescriptor["ControlFlags"] = "4";

//Set DACL : Array of ACEs
SecurityDescriptor["DACL"] = new object[1]{Ace};

//Assign the security descriptor to the directory
string dirClassPath = @"Win32_Directory='" + physicalpath + user.AccountName + "'";
ManagementClass Win32Directory = new ManagementClass(managementscope,new ManagementPath(dirClassPath),null);

//Get Input params
ManagementBaseObject inParams = Win32Directory.GetMethodParameters("ChangeSecurityPermissions");

//Set Options : 4 = CHANGE_DACL_SECURITY_INFORMATION : Change the discretionary access control list (DACL) of the logical file.
inParams["Option"] = "4";
inParams["SecurityDescriptor"] = SecurityDescriptor;

ManagementBaseObject outParams = Win32Directory.InvokeMethod("ChangeSecurityPermissions", inParams, null);
uint errorcode = (uint)outParams["returnValue"];



Thanks Amit
 

Amit Desai

Might help if I mention the problem I am having.

When executing this line
ManagementClass Win32Directory = new ManagementClass(managementscope,new ManagementPath(dirClassPath),null);
I get this exception
+ [System.ArgumentOutOfRangeException] {"Specified argument was out of the range of valid values.\r\nParameter name: path" }
System.ArgumentOutOfRangeException

StackTrace " at System.Management.ManagementObject.ManagementObjectCTOR(ManagementScope scope, ManagementPath path, ObjectGetOptions options)\r\n

Amit
 

Willy Denoyette [MVP]

Guess something is wrong with your "physicalpath".

Willy.
 

Amit Desai

Thanks for looking Willy

I have checked that.. it is 100% correct.

The value of dirClassPath is @"Win32_Directory='c:\users\tuser'" which is correct

Does the rest of the code look ok to you?

Amit

 

Willy Denoyette [MVP]

No it doesn't. What you need is an object instance not a class.


ManagementPath path = new ManagementPath(@"Win32_Directory.Name='c:\users\tuser'");
ManagementObject Win32Directory = new ManagementObject(managementscope, path, null);
// get the instance of the directory
Win32Directory.Get();
....


Willy.
 

Amit Desai

Excellent, thanks Willy, that works a treat

I can now set permissions on a folder.

Only problem now is.. when I set the DACL, it wipes the previous inherited
DACL.

How do I set the permissions so it keeps the inherited DACLs and adds change
access for the new user to the home folder?

Amit
 

Willy Denoyette [MVP]

You need to copy the 'old' DACL and add an ACE to it.

Willy.
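
One way to do what the last reply describes (copy the existing DACL and add an ACE to it), as an added example that is not part of the original thread. It assumes .NET 2.0 or later for SecurityIdentifier and reads and writes the descriptor through Win32_LogicalFileSecuritySetting instead of the Win32_Directory method used in the thread; the names FolderDacl and AddAllowAce are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Management;
using System.Security.Principal;

static class FolderDacl   // hypothetical name, not from the thread
{
    const uint INHERITED_ACE = 0x10; // AceFlags bit: ACE came from the parent folder
    // Adds one allow ACE to the folder's existing DACL; returns the WMI ReturnValue (0 = success).
    public static uint AddAllowAce(ManagementScope scope, string folderPath,
                                   string sidString, uint accessMask)
    {
        // The path is placed inside a quoted WMI object path: refuse a quote in it.
        if (folderPath.IndexOf('\'') >= 0) throw new ArgumentException("quote in path");
        var setting = new ManagementObject(scope, new ManagementPath(
            "Win32_LogicalFileSecuritySetting.Path='" + folderPath + "'"), null);
        // 1. Read the descriptor that is on the folder now.
        ManagementBaseObject got = setting.InvokeMethod("GetSecurityDescriptor", null, null);
        uint rc = Convert.ToUInt32(got["ReturnValue"]);
        if (rc != 0) return rc;
        var sd = (ManagementBaseObject)got["Descriptor"];
        // 2. Trustee: binary SID built from the string form (S-1-5-...).
        var sid = new SecurityIdentifier(sidString);
        byte[] sidBytes = new byte[sid.BinaryLength];
        sid.GetBinaryForm(sidBytes, 0);
        ManagementObject trustee = new ManagementClass(scope,
            new ManagementPath("Win32_Trustee"), null).CreateInstance();
        trustee["SID"] = sidBytes;
        // 3. The new explicit ACE: allow, inherited by files and subfolders.
        ManagementObject ace = new ManagementClass(scope,
            new ManagementPath("Win32_ACE"), null).CreateInstance();
        ace["AccessMask"] = accessMask;
        ace["AceFlags"] = 3u;   // OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
        ace["AceType"] = 0u;    // access allowed
        ace["Trustee"] = trustee;
        // 4. Copy the old ACEs and place the new one after the explicit ACEs,
        //    before the first inherited one.
        var dacl = new List<ManagementBaseObject>(
            sd["DACL"] as ManagementBaseObject[] ?? new ManagementBaseObject[0]);
        int at = dacl.FindIndex(a => (Convert.ToUInt32(a["AceFlags"]) & INHERITED_ACE) != 0);
        dacl.Insert(at < 0 ? dacl.Count : at, ace);
        sd["DACL"] = dacl.ToArray();
        // 5. Write the merged descriptor back; owner, group and control flags are as read.
        ManagementBaseObject inParams = setting.GetMethodParameters("SetSecurityDescriptor");
        inParams["Descriptor"] = sd;
        return Convert.ToUInt32(
            setting.InvokeMethod("SetSecurityDescriptor", inParams, null)["ReturnValue"]);
    }
}
```

For the thread's case the call would pass the user's SID string and the Change mask quoted in the first post (1245631); reading the descriptor back afterwards confirms that the earlier ACEs are still present.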
 
