
How to programmatically set NTFS file system folder permissions by using Active Directory Service Interfaces in Microsoft Visual C#



INTRODUCTION

This step-by-step article describes how to programmatically set NTFS file system folder permissions by using Active Directory Service Interfaces (ADSI) in Microsoft Visual C#.



More Information

Build the sample application

To run the following sample application, you must have the ADsSecurity.dll file and the ADsSecurity.dll file installed. These files are included with the software development kit (SDK) for Active Directory Service Interfaces 2.5. To download the SDK for Active Directory Service Interfaces 2.5, visit the following Microsoft Web site:

Note To run the sample application, you must have administrative credentials on the computer.

To build the sample application, follow these steps:
  1. Start Microsoft Visual Studio .NET or Microsoft Visual Studio 2005.
  2. On the File menu, click New, and then click Project.
  3. In Visual C# Projects, click Windows Application under Templates.
    Note In Visual Studio 2005, Visual C# Projects is changed to Visual C#.
  4. In the Name box, type NTFSPermissions, and then click OK.
  5. Add a Button control to the Form1 form.
  6. On the Project menu, click Add Reference.
  7. Click the COM tab, click to select the following items, and then click OK:
    • Active DS Type Library
    • ADsSecurity 2.5 Type Library
  8. Right-click the Form1 form, and then click View Code.
  9. Add the following using statements to the top of the source code in the Form1 form.
    using ADSSECURITYLib;
    using ActiveDs;
  10. Add the following method to the Form1 class.
    public void SetPermissions(String vPath, String UserName)
    {
        ADsSecurity objADsSec;
        SecurityDescriptor objSecDes;
        AccessControlList objDAcl;
        AccessControlEntry objAce1;
        AccessControlEntry objAce2;
        Object objSIdHex;
        ADsSID objSId;

        // Read the folder's current security descriptor and its discretionary ACL (DACL).
        objADsSec = new ADsSecurityClass();
        objSecDes = (SecurityDescriptor)(objADsSec.GetSecurityDescriptor("FILE://" + vPath));
        objDAcl = (AccessControlList)objSecDes.DiscretionaryAcl;

        // Resolve the account name (Domain\UserName) to its SID in SDDL string form.
        objSId = new ADsSIDClass();
        objSId.SetAs((int)ADSSECURITYLib.ADS_SID_FORMAT.ADS_SID_SAM, UserName);
        objSIdHex = objSId.GetAs((int)ADSSECURITYLib.ADS_SID_FORMAT.ADS_SID_SDDL);

        // Add a new access control entry (ACE) object (objAce1) so that the user has
        // Full Control permissions on NTFS file system files.
        // The literal 1 is the object-inherit flag, so files inherit the entry.
        // ADS_ACEFLAG_INHERIT_ONLY_ACE means the entry is inherited by child objects
        // but does not apply to the folder itself.
        objAce1 = new AccessControlEntryClass();
        objAce1.Trustee = (objSIdHex).ToString();
        objAce1.AccessMask = (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_GENERIC_ALL;
        objAce1.AceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
        objAce1.AceFlags = (int)ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE | (int)ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ONLY_ACE | 1;
        objDAcl.AddAce(objAce1);

        // Add a new access control entry object (objAce2) so that the user has
        // Full Control permissions on NTFS file system folders.
        // Without the inherit-only flag, this entry also applies to the folder itself.
        objAce2 = new AccessControlEntryClass();
        objAce2.Trustee = (objSIdHex).ToString();
        objAce2.AccessMask = (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_GENERIC_ALL;
        objAce2.AceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
        objAce2.AceFlags = (int)ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE | 1;
        objDAcl.AddAce(objAce2);

        // Put the modified DACL back into the security descriptor.
        objSecDes.DiscretionaryAcl = objDAcl;

        // Set permissions on the NTFS file system folder.
        objADsSec.SetSecurityDescriptor(objSecDes, "FILE://" + vPath);
    }
  11. Click the Form1.cs [Design] tab to switch back to design mode.
  12. Double-click button1. Replace the button1_Click event code with the following code.
    private void button1_Click(object sender, System.EventArgs e)
    {
        try
        {
            // Set <Domain> to your domain name.
            // Set <UserName> to the user account.
            SetPermissions("C:\\Test", "<Domain>\\<UserName>");
            MessageBox.Show("Full Access control granted.");
        }
        catch (Exception ex)
        {
            MessageBox.Show(ex.Message);
        }
    }
    Note Replace <Domain> with the domain name. Replace <UserName> with the name of the user to whom you want to grant permissions.
  13. On the Build menu, click Build Solution.

Test the sample application

  1. Create a folder in the drive C root folder. Name the folder Test.
  2. In Windows Explorer, right-click the Test folder, and then click Properties.
  3. In the Test Properties dialog box, click the Security tab.
  4. Select the domain account for which you are running this test. If the account is not listed, click Add, and then add the domain account to the list.
  5. Under Permissions, click to clear the Full Control check box to restrict the permissions on the Test folder for this user. Then, click OK.
  6. Run the NTFSPermissions.exe application. By default, Form1 is displayed.
  7. Click button1. You receive the following message:
    Full Access control granted.
  8. Click OK to close the message box.
  9. Close the form to quit the application.
  10. In Windows Explorer, open the C:\ folder.
  11. Right-click the Test folder, and then click Properties.
  12. In the Test Properties dialog box, click the Security tab.
  13. Select the domain account for which you are running this test, and then verify the permissions on the Test folder.
The specified user now has Full Control permissions on the Test folder.
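
The same grant and the manual check from the test steps, as an added example that is not part of the original article: it uses the System.Security.AccessControl classes in .NET instead of ADsSecurity.dll and reads the DACL back to confirm the entry. The names NtfsGrant and GrantAndVerify are hypothetical; it assumes .NET on Windows and an account that is allowed to change the folder's permissions.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class NtfsGrant
{
    // Grants 'rights' on the folder, its subfolders and its files, then
    // re-reads the DACL and returns true only if the explicit ACE is present.
    public static bool GrantAndVerify(string folder, string account, FileSystemRights rights)
    {
        // Resolve Domain\UserName to a SID first; an unknown account throws
        // IdentityNotMappedException here, before anything is written.
        var sid = (SecurityIdentifier)new NTAccount(account).Translate(typeof(SecurityIdentifier));

        var dir = new DirectoryInfo(folder);
        DirectorySecurity acl = dir.GetAccessControl(AccessControlSections.Access);

        // ContainerInherit | ObjectInherit with PropagationFlags.None corresponds
        // to objAce2 in the article (ADS_ACEFLAG_INHERIT_ACE | 1).
        var inherit = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
        acl.AddAccessRule(new FileSystemAccessRule(
            sid, rights, inherit, PropagationFlags.None, AccessControlType.Allow));
        dir.SetAccessControl(acl);

        // Read the DACL back from disk: explicit ACEs only, identities as SIDs.
        var check = new DirectoryInfo(folder).GetAccessControl(AccessControlSections.Access);
        foreach (FileSystemAccessRule rule in
                 check.GetAccessRules(true, false, typeof(SecurityIdentifier)))
        {
            if (rule.IdentityReference.Equals(sid)
                && rule.AccessControlType == AccessControlType.Allow
                && (rule.FileSystemRights & rights) == rights
                && rule.InheritanceFlags == inherit)
                return true;
        }
        return false;
    }

    static void Main()
    {
        // C:\Test is the article's test folder; <Domain>\<UserName> is a placeholder.
        // FileSystemRights.Modify omits ChangePermissions and TakeOwnership.
        bool ok = GrantAndVerify(@"C:\Test", @"<Domain>\<UserName>", FileSystemRights.FullControl);
        Console.WriteLine(ok ? "ACE present" : "ACE missing");
    }
}
```

Passing FileSystemRights.Modify instead of FullControl gives the account read, write and delete access without letting it rewrite the folder's permissions or take ownership.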



References

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
279682 How to use ADsSecurity.dll to add an access control entry to an NTFS folder

266461 How to use ADSI to set automatic inheritance of file/folder permissions




Article Info
Article ID : 899553
Revision : 5
Created on : 6/10/2019
Published on : 6/10/2019