Setting folder permissions

[David]

Hi,

I am creating a windows service. This service has a filewatcher on it.

When I drop a file, I want to parse the filename then create the directory.
The directory will be in a filestore server so I am passing in a UNC path.
The filestore directory will then also be a virtual directory within an
ASP.NET application, so I need to take those permissions into consideration.

I am having problems setting the permissions. The error is
UnauthorizedAccessException.

Here is my code...

string RootPath =
ConfigurationManager.AppSettings["StorePathRoot"];
string[] Folder = e.Name.Split('_');

if (Folder[0] != string.Empty)
{
RootPath += Folder[0] + "\\";

if (!Directory.Exists(RootPath))
{
Directory.CreateDirectory(RootPath);

DirectoryInfo hInfo = new DirectoryInfo(RootPath);
DirectorySecurity dirSec = hInfo.GetAccessControl();

dirSec.AddAccessRule(new
FileSystemAccessRule(@"david\Everyone", FileSystemRights.Modify,
AccessControlType.Allow));
dirSec.AddAccessRule(new
FileSystemAccessRule(@"david\LOCAL SERVICE", FileSystemRights.Modify,
AccessControlType.Allow));

hInfo.SetAccessControl(dirSec);

}
}

System.IO.File.Move(e.FullPath, RootPath + e.Name);


I set the path in the app.config. This is a UNC path (currently to my pc,
but will go to a network share). As you can see, I am trying to give
"Everyone" permisssion and "LOCAL SERVICE" permission. It is actually
failing on the first one, "Everyone". The directory is being created fine.
In fact, if I didn't have the permission routine, when I copy a file into my
drop folder, it does get moved, though if I copy 2 files into the drop
folder, it stops. (I am copying an xml and a pdf file with the same first
part of the filename, i.e. test_1.xml and test_1.pdf )

Any help appreciated.

Thanks.
--
Best regards,
Dave Colliver.
http://www.AshfieldFOCUS.com
~~
http://www.FOCUSPortals.com - Local franchises available

 

[Peter Ritchie [C# MVP]]

You have to make sure that first the login under which the service is running
(defaults to SYSTEM) has permission to do the operations you're requesting on
the host in the UNC. I think by default the SYSTEM account on one computer
has no such rights on another computer. You'll probably want to
install/configure your service to use a specific login that has permission to
create directories (etc).

 

[David]

Thank you...

My service was running under LOCAL SERVICE initially, so I have changed it.
I changed it to my admin account and got everything working.

Since then, I have given it a less priviledged account (an account initially
with guest priviledges) and it stops. So, I promoted it to the Users group
and it still fails, however, it looks like a different failure.

I don't have a domain here, so I am using local accounts to test it...

What happens now is that the folder is created and the account that the
service uses is added to the folder permissions. I am guessing that is
because effectively, my service account is the owner of the service.
However, when I check the permissions, absolutely no permissions have been
granted, just the account is in the list.

My code to assign permissions is...
dirSec.AddAccessRule(new
FileSystemAccessRule(ConfigurationManager.AppSettings["ServiceAccount"],
FileSystemRights.Modify, AccessControlType.Allow));

The above line now does not fail where it did before. So, now I don't know
what else to do...

Thanks.
--
Best regards,
Dave Colliver.
http://www.AshfieldFOCUS.com
~~
http://www.FOCUSPortals.com - Local franchises available

You have to make sure that first the login under which the service is
running
(defaults to SYSTEM) has permission to do the operations you're requesting
on
the host in the UNC. I think by default the SYSTEM account on one
computer
has no such rights on another computer. You'll probably want to
install/configure your service to use a specific login that has permission
to
create directories (etc).

--
Browse http://connect.microsoft.com/VisualStudio/feedback/ and vote.
http://www.peterRitchie.com/blog/
Microsoft MVP, Visual Developer - Visual C#

Hi,

I am creating a windows service. This service has a filewatcher on it.

When I drop a file, I want to parse the filename then create the
directory.
The directory will be in a filestore server so I am passing in a UNC
path.
The filestore directory will then also be a virtual directory within an
ASP.NET application, so I need to take those permissions into
consideration.

I am having problems setting the permissions. The error is
UnauthorizedAccessException.

Here is my code...

string RootPath =
ConfigurationManager.AppSettings["StorePathRoot"];
string[] Folder = e.Name.Split('_');

if (Folder[0] != string.Empty)
{
RootPath += Folder[0] + "\\";

if (!Directory.Exists(RootPath))
{
Directory.CreateDirectory(RootPath);

DirectoryInfo hInfo = new
DirectoryInfo(RootPath);
DirectorySecurity dirSec =
hInfo.GetAccessControl();

dirSec.AddAccessRule(new
FileSystemAccessRule(@"david\Everyone", FileSystemRights.Modify,
AccessControlType.Allow));
dirSec.AddAccessRule(new
FileSystemAccessRule(@"david\LOCAL SERVICE", FileSystemRights.Modify,
AccessControlType.Allow));

hInfo.SetAccessControl(dirSec);

}
}

System.IO.File.Move(e.FullPath, RootPath + e.Name);


I set the path in the app.config. This is a UNC path (currently to my pc,
but will go to a network share). As you can see, I am trying to give
"Everyone" permisssion and "LOCAL SERVICE" permission. It is actually
failing on the first one, "Everyone". The directory is being created
fine.
In fact, if I didn't have the permission routine, when I copy a file into
my
drop folder, it does get moved, though if I copy 2 files into the drop
folder, it stops. (I am copying an xml and a pdf file with the same first
part of the filename, i.e. test_1.xml and test_1.pdf )

Any help appreciated.

Thanks.
--
Best regards,
Dave Colliver.
http://www.AshfieldFOCUS.com
~~
http://www.FOCUSPortals.com - Local franchises available

 

[David]

More info...

If I add my serviceuser into the admins group, everything works. Just having
them in the users group, it fails.

I have made the parent folder Users group have Full Control permissions on
it. These permissions are being copied into the newly created folder, but I
still can't move my files into the folder. On the move, I get an
UnauthorizedAccessException.

:-(

Any clues as to where I should look will be VERY much appreciated.

--
Best regards,
Dave Colliver.
http://www.AshfieldFOCUS.com
~~
http://www.FOCUSPortals.com - Local franchises available

Thank you...

My service was running under LOCAL SERVICE initially, so I have changed
it. I changed it to my admin account and got everything working.

Since then, I have given it a less priviledged account (an account
initially with guest priviledges) and it stops. So, I promoted it to the
Users group and it still fails, however, it looks like a different
failure.

I don't have a domain here, so I am using local accounts to test it...

What happens now is that the folder is created and the account that the
service uses is added to the folder permissions. I am guessing that is
because effectively, my service account is the owner of the service.
However, when I check the permissions, absolutely no permissions have been
granted, just the account is in the list.

My code to assign permissions is...
dirSec.AddAccessRule(new
FileSystemAccessRule(ConfigurationManager.AppSettings["ServiceAccount"],
FileSystemRights.Modify, AccessControlType.Allow));

The above line now does not fail where it did before. So, now I don't know
what else to do...

Thanks.
--
Best regards,
Dave Colliver.
http://www.AshfieldFOCUS.com
~~
http://www.FOCUSPortals.com - Local franchises available

You have to make sure that first the login under which the service is
running
(defaults to SYSTEM) has permission to do the operations you're
requesting on
the host in the UNC. I think by default the SYSTEM account on one
computer
has no such rights on another computer. You'll probably want to
install/configure your service to use a specific login that has
permission to
create directories (etc).

--
Browse http://connect.microsoft.com/VisualStudio/feedback/ and vote.
http://www.peterRitchie.com/blog/
Microsoft MVP, Visual Developer - Visual C#

Hi,

I am creating a windows service. This service has a filewatcher on it.

When I drop a file, I want to parse the filename then create the
directory.
The directory will be in a filestore server so I am passing in a UNC
path.
The filestore directory will then also be a virtual directory within an
ASP.NET application, so I need to take those permissions into
consideration.

I am having problems setting the permissions. The error is
UnauthorizedAccessException.

Here is my code...

string RootPath =
ConfigurationManager.AppSettings["StorePathRoot"];
string[] Folder = e.Name.Split('_');

if (Folder[0] != string.Empty)
{
RootPath += Folder[0] + "\\";

if (!Directory.Exists(RootPath))
{
Directory.CreateDirectory(RootPath);

DirectoryInfo hInfo = new
DirectoryInfo(RootPath);
DirectorySecurity dirSec =
hInfo.GetAccessControl();

dirSec.AddAccessRule(new
FileSystemAccessRule(@"david\Everyone", FileSystemRights.Modify,
AccessControlType.Allow));
dirSec.AddAccessRule(new
FileSystemAccessRule(@"david\LOCAL SERVICE", FileSystemRights.Modify,
AccessControlType.Allow));

hInfo.SetAccessControl(dirSec);

}
}

System.IO.File.Move(e.FullPath, RootPath + e.Name);


I set the path in the app.config. This is a UNC path (currently to my
pc,
but will go to a network share). As you can see, I am trying to give
"Everyone" permisssion and "LOCAL SERVICE" permission. It is actually
failing on the first one, "Everyone". The directory is being created
fine.
In fact, if I didn't have the permission routine, when I copy a file
into my
drop folder, it does get moved, though if I copy 2 files into the drop
folder, it stops. (I am copying an xml and a pdf file with the same
first
part of the filename, i.e. test_1.xml and test_1.pdf )

Any help appreciated.

Thanks.
--
Best regards,
Dave Colliver.
http://www.AshfieldFOCUS.com
~~
http://www.FOCUSPortals.com - Local franchises available

 

[Willy Denoyette [MVP]]

So, you are using a local account (your service account) to change the file
permissions on a remote system, right?
Well, this won't work, unless :
- this account is a shadow account, that is an account that exists on both
systems with the exact same credentials.
- and the account has admin privileges on the remote system.

Willy.
,

Thank you...

My service was running under LOCAL SERVICE initially, so I have changed
it. I changed it to my admin account and got everything working.

Since then, I have given it a less priviledged account (an account
initially with guest priviledges) and it stops. So, I promoted it to the
Users group and it still fails, however, it looks like a different
failure.

I don't have a domain here, so I am using local accounts to test it...

What happens now is that the folder is created and the account that the
service uses is added to the folder permissions. I am guessing that is
because effectively, my service account is the owner of the service.
However, when I check the permissions, absolutely no permissions have been
granted, just the account is in the list.

My code to assign permissions is...
dirSec.AddAccessRule(new
FileSystemAccessRule(ConfigurationManager.AppSettings["ServiceAccount"],
FileSystemRights.Modify, AccessControlType.Allow));

The above line now does not fail where it did before. So, now I don't know
what else to do...

Thanks.
--
Best regards,
Dave Colliver.
http://www.AshfieldFOCUS.com
~~
http://www.FOCUSPortals.com - Local franchises available

You have to make sure that first the login under which the service is
running
(defaults to SYSTEM) has permission to do the operations you're
requesting on
the host in the UNC. I think by default the SYSTEM account on one
computer
has no such rights on another computer. You'll probably want to
install/configure your service to use a specific login that has
permission to
create directories (etc).

--
Browse http://connect.microsoft.com/VisualStudio/feedback/ and vote.
http://www.peterRitchie.com/blog/
Microsoft MVP, Visual Developer - Visual C#

Hi,

I am creating a windows service. This service has a filewatcher on it.

When I drop a file, I want to parse the filename then create the
directory.
The directory will be in a filestore server so I am passing in a UNC
path.
The filestore directory will then also be a virtual directory within an
ASP.NET application, so I need to take those permissions into
consideration.

I am having problems setting the permissions. The error is
UnauthorizedAccessException.

Here is my code...

string RootPath =
ConfigurationManager.AppSettings["StorePathRoot"];
string[] Folder = e.Name.Split('_');

if (Folder[0] != string.Empty)
{
RootPath += Folder[0] + "\\";

if (!Directory.Exists(RootPath))
{
Directory.CreateDirectory(RootPath);

DirectoryInfo hInfo = new
DirectoryInfo(RootPath);
DirectorySecurity dirSec =
hInfo.GetAccessControl();

dirSec.AddAccessRule(new
FileSystemAccessRule(@"david\Everyone", FileSystemRights.Modify,
AccessControlType.Allow));
dirSec.AddAccessRule(new
FileSystemAccessRule(@"david\LOCAL SERVICE", FileSystemRights.Modify,
AccessControlType.Allow));

hInfo.SetAccessControl(dirSec);

}
}

System.IO.File.Move(e.FullPath, RootPath + e.Name);


I set the path in the app.config. This is a UNC path (currently to my
pc,
but will go to a network share). As you can see, I am trying to give
"Everyone" permisssion and "LOCAL SERVICE" permission. It is actually
failing on the first one, "Everyone". The directory is being created
fine.
In fact, if I didn't have the permission routine, when I copy a file
into my
drop folder, it does get moved, though if I copy 2 files into the drop
folder, it stops. (I am copying an xml and a pdf file with the same
first
part of the filename, i.e. test_1.xml and test_1.pdf )

Any help appreciated.

Thanks.
--
Best regards,
Dave Colliver.
http://www.AshfieldFOCUS.com
~~
http://www.FOCUSPortals.com - Local franchises available

 

[David]

I was using LOCAL SERVICE but have now changed it.

Currently, I am looking at a share on MY OWN PC, so it is like a loopback. I
am using a local user account. When the app is deployed, it will be on a
server that uses Active Directory.

Do I have to give my local account for the service admin permissions? Doing
that makes it work, but is that not a risk?

--
Best regards,
Dave Colliver.
http://www.AshfieldFOCUS.com
~~
http://www.FOCUSPortals.com - Local franchises available

So, you are using a local account (your service account) to change the
file permissions on a remote system, right?
Well, this won't work, unless :
- this account is a shadow account, that is an account that exists on both
systems with the exact same credentials.
- and the account has admin privileges on the remote system.

Willy.
,

Thank you...

My service was running under LOCAL SERVICE initially, so I have changed
it. I changed it to my admin account and got everything working.

Since then, I have given it a less priviledged account (an account
initially with guest priviledges) and it stops. So, I promoted it to the
Users group and it still fails, however, it looks like a different
failure.

I don't have a domain here, so I am using local accounts to test it...

What happens now is that the folder is created and the account that the
service uses is added to the folder permissions. I am guessing that is
because effectively, my service account is the owner of the service.
However, when I check the permissions, absolutely no permissions have
been granted, just the account is in the list.

My code to assign permissions is...
dirSec.AddAccessRule(new
FileSystemAccessRule(ConfigurationManager.AppSettings["ServiceAccount"],
FileSystemRights.Modify, AccessControlType.Allow));

The above line now does not fail where it did before. So, now I don't
know what else to do...

Thanks.
--
Best regards,
Dave Colliver.
http://www.AshfieldFOCUS.com
~~
http://www.FOCUSPortals.com - Local franchises available

You have to make sure that first the login under which the service is
running
(defaults to SYSTEM) has permission to do the operations you're
requesting on
the host in the UNC. I think by default the SYSTEM account on one
computer
has no such rights on another computer. You'll probably want to
install/configure your service to use a specific login that has
permission to
create directories (etc).

--
Browse http://connect.microsoft.com/VisualStudio/feedback/ and vote.
http://www.peterRitchie.com/blog/
Microsoft MVP, Visual Developer - Visual C#


:

Hi,

I am creating a windows service. This service has a filewatcher on it.

When I drop a file, I want to parse the filename then create the
directory.
The directory will be in a filestore server so I am passing in a UNC
path.
The filestore directory will then also be a virtual directory within an
ASP.NET application, so I need to take those permissions into
consideration.

I am having problems setting the permissions. The error is
UnauthorizedAccessException.

Here is my code...

string RootPath =
ConfigurationManager.AppSettings["StorePathRoot"];
string[] Folder = e.Name.Split('_');

if (Folder[0] != string.Empty)
{
RootPath += Folder[0] + "\\";

if (!Directory.Exists(RootPath))
{
Directory.CreateDirectory(RootPath);

DirectoryInfo hInfo = new
DirectoryInfo(RootPath);
DirectorySecurity dirSec =
hInfo.GetAccessControl();

dirSec.AddAccessRule(new
FileSystemAccessRule(@"david\Everyone", FileSystemRights.Modify,
AccessControlType.Allow));
dirSec.AddAccessRule(new
FileSystemAccessRule(@"david\LOCAL SERVICE", FileSystemRights.Modify,
AccessControlType.Allow));

hInfo.SetAccessControl(dirSec);

}
}

System.IO.File.Move(e.FullPath, RootPath + e.Name);


I set the path in the app.config. This is a UNC path (currently to my
pc,
but will go to a network share). As you can see, I am trying to give
"Everyone" permisssion and "LOCAL SERVICE" permission. It is actually
failing on the first one, "Everyone". The directory is being created
fine.
In fact, if I didn't have the permission routine, when I copy a file
into my
drop folder, it does get moved, though if I copy 2 files into the drop
folder, it stops. (I am copying an xml and a pdf file with the same
first
part of the filename, i.e. test_1.xml and test_1.pdf )

Any help appreciated.

Thanks.
--
Best regards,
Dave Colliver.
http://www.AshfieldFOCUS.com
~~
http://www.FOCUSPortals.com - Local franchises available

 

[Willy Denoyette [MVP]]

I was using LOCAL SERVICE but have now changed it.

Currently, I am looking at a share on MY OWN PC, so it is like a loopback.
I am using a local user account. When the app is deployed, it will be on a
server that uses Active Directory.

Yes, but it's a share, which means it's accessed by the network Server
component as if it was a remote share.
"Local Service" is a local account, is an account that has no network access
permission, hence the "Local".

Do I have to give my local account for the service admin permissions?
Doing that makes it work, but is that not a risk?

You don't have to run your service using *your* local account, create
another non interactive account for this and give this account the required
privileges but nothing more.

Willy.

--
Best regards,
Dave Colliver.
http://www.AshfieldFOCUS.com
~~
http://www.FOCUSPortals.com - Local franchises available

So, you are using a local account (your service account) to change the
file permissions on a remote system, right?
Well, this won't work, unless :
- this account is a shadow account, that is an account that exists on
both systems with the exact same credentials.
- and the account has admin privileges on the remote system.

Willy.
,

Thank you...

My service was running under LOCAL SERVICE initially, so I have changed
it. I changed it to my admin account and got everything working.

Since then, I have given it a less priviledged account (an account
initially with guest priviledges) and it stops. So, I promoted it to the
Users group and it still fails, however, it looks like a different
failure.

I don't have a domain here, so I am using local accounts to test it...

What happens now is that the folder is created and the account that the
service uses is added to the folder permissions. I am guessing that is
because effectively, my service account is the owner of the service.
However, when I check the permissions, absolutely no permissions have
been granted, just the account is in the list.

My code to assign permissions is...
dirSec.AddAccessRule(new
FileSystemAccessRule(ConfigurationManager.AppSettings["ServiceAccount"],
FileSystemRights.Modify, AccessControlType.Allow));

The above line now does not fail where it did before. So, now I don't
know what else to do...

Thanks.
--
Best regards,
Dave Colliver.
http://www.AshfieldFOCUS.com
~~
http://www.FOCUSPortals.com - Local franchises available


You have to make sure that first the login under which the service is
running
(defaults to SYSTEM) has permission to do the operations you're
requesting on
the host in the UNC. I think by default the SYSTEM account on one
computer
has no such rights on another computer. You'll probably want to
install/configure your service to use a specific login that has
permission to
create directories (etc).

--
Browse http://connect.microsoft.com/VisualStudio/feedback/ and vote.
http://www.peterRitchie.com/blog/
Microsoft MVP, Visual Developer - Visual C#


:

Hi,

I am creating a windows service. This service has a filewatcher on it.

When I drop a file, I want to parse the filename then create the
directory.
The directory will be in a filestore server so I am passing in a UNC
path.
The filestore directory will then also be a virtual directory within
an
ASP.NET application, so I need to take those permissions into
consideration.

I am having problems setting the permissions. The error is
UnauthorizedAccessException.

Here is my code...

string RootPath =
ConfigurationManager.AppSettings["StorePathRoot"];
string[] Folder = e.Name.Split('_');

if (Folder[0] != string.Empty)
{
RootPath += Folder[0] + "\\";

if (!Directory.Exists(RootPath))
{
Directory.CreateDirectory(RootPath);

DirectoryInfo hInfo = new
DirectoryInfo(RootPath);
DirectorySecurity dirSec =
hInfo.GetAccessControl();

dirSec.AddAccessRule(new
FileSystemAccessRule(@"david\Everyone", FileSystemRights.Modify,
AccessControlType.Allow));
dirSec.AddAccessRule(new
FileSystemAccessRule(@"david\LOCAL SERVICE", FileSystemRights.Modify,
AccessControlType.Allow));

hInfo.SetAccessControl(dirSec);

}
}

System.IO.File.Move(e.FullPath, RootPath + e.Name);


I set the path in the app.config. This is a UNC path (currently to my
pc,
but will go to a network share). As you can see, I am trying to give
"Everyone" permisssion and "LOCAL SERVICE" permission. It is actually
failing on the first one, "Everyone". The directory is being created
fine.
In fact, if I didn't have the permission routine, when I copy a file
into my
drop folder, it does get moved, though if I copy 2 files into the drop
folder, it stops. (I am copying an xml and a pdf file with the same
first
part of the filename, i.e. test_1.xml and test_1.pdf )

Any help appreciated.

Thanks.
--
Best regards,
Dave Colliver.
http://www.AshfieldFOCUS.com
~~
http://www.FOCUSPortals.com - Local franchises available

 

[David]

Yes, but it's a share, which means it's accessed by the network Server
component as if it was a remote share.
"Local Service" is a local account, is an account that has no network
access permission, hence the "Local".

That is what I figured and I did change it (I thought I said that earlier in
the thread). I gave it admin priviledges first and everything worked. I then
gave it user permissions instead and it didn't work.

You don't have to run your service using *your* local account, create
another non interactive account for this and give this account the
required privileges but nothing more.

Willy.

I am running the service from another account now, but what priviledges do I
need to give it? admin works but I feel is too much. User doesn't work, so
obviously not enough.

Do I need a combination of account priveledges and parent folder permissions
to make it work?