Determining which groups are assigned to a folder

I believe it will be all PInvoke work. There is a wrapper library on
GotDotNet that might make it easier:
http://www.gotdotnet.com/Community/U...f-e0705af065d9

--
Scott
http://www.OdeToCode.com/blogs/scott/

On 30 Nov 2004 13:53:35 -0800, ag*******@hotmail.com (Garrett) wrote:

Need any help in determining which groups have been given security
access to a folder. Searched DirectoryServices to no avail...

Any Help?

1. Using System.DirectoryServices.
When running on W2K3 or XP, you can use the ADsSecurityUtilityClass now part
of activeds.dll, but you have to create a IA from the activeds.tlb.

using System;
using System.DirectoryServices;
using System.Collections;
using System.Runtime.InteropServices;
using activedsnet; // Interop Assembly created with tlbimp.exe from
activeds.tlb
// use activeds.dll to manage NTFS DACLs
class Tester {
public static void Main() {
// Local file system object (dir or file)
string fileSpec = @"c:\somefolderorfile";
// or remote File system object using a UNC name,
// the current logon user need network access and resource access
privileges
// to the administrative shares (C$, D$ etc...) holding the NTFS resource.

SecurityDescriptor sd = null;
AccessControlList dacl = null;
// Use ADsSecurityUtilityClass available on XP and higher (activeds.dll)
ADsSecurityUtilityClass asu = new ADsSecurityUtilityClass();
// Get DACL and OWNER info
asu.SecurityMask = (int)(ADS_SECURITY_INFO_ENUM.ADS_SECURITY_INFO_OWN ER
| ADS_SECURITY_INFO_ENUM.ADS_SECURITY_INFO_DACL);
try {
sd = asu.GetSecurityDescriptor(fileSpec,
(int)ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
(int)ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID) as SecurityDescriptor;
}
catch(COMException ce)
{
// Be sure logon user has access to local/remote system
Console.WriteLine(ce.Message);
return;
}
dacl = sd.DiscretionaryAcl as AccessControlList;
if (dacl != null) {
Console.WriteLine("Control: {0}", sd.Control);
Console.WriteLine("Owner: {0}", sd.Owner);
Console.WriteLine("Group: {0}", sd.Group);
Console.WriteLine("Revision: {0}", sd.Revision);
DumpDacl(dacl);
}
}
static void DumpDacl(IADsAccessControlList dacl)
{
IADsAccessControlEntry ace = null;
Console.WriteLine("------- No. of ACE's {0}-----------", dacl.AceCount);
foreach(object ac in dacl) {
ace = ac as IADsAccessControlEntry;
Console.WriteLine(ace.AccessMask);
Console.WriteLine(ace.Trustee);
Console.WriteLine(ace.AceFlags);
}
}
}

2. And a more elaborated sample using System.Management:

using System;
using System.Management;
using System.Collections;
using System.Collections.Specialized;
// Access mask (see AccessMask property)
[Flags]
enum Mask : uint
{
FileReadData = 0x00000001,
FileWriteData = 0x00000002,
FileAppendData = 0x00000004,
FileReadEA = 0x00000008,
FileWriteEA = 0x00000010,
FileExecute = 0x00000020,
FileDeleteChild = 0x00000040,
FileReadAttributes = 0x00000080,
FileWriteAttributes= 0x00000100,

Delete = 0x00010000,
ReadControl = 0x00020000,
WriteDac = 0x00040000,
WriteOwner = 0x00080000,
Synchronize = 0x00100000,

AccessSystemSecurity = 0x01000000,
MaximumAllowed = 0x02000000,

GenericAll = 0x10000000,
GenericExecute= 0x20000000,
GenericWrite = 0x40000000,
GenericRead = 0x80000000
}
[Flags]
enum AceFlags : int
{
ObjectInheritAce = 1,
ContainerInheritAce = 2,
NoPropagateInheritAce = 4,
InheritOnlyAce = 8,
InheritedAce = 16
}

[Flags]
enum AceType : int
{
AccessAllowed = 0,
AccessDenied = 1,
Audit = 2
}
class Tester {
public static void Main() {
string fileObject = @"c:\\temp"; // Watch the double Backslashes

using(ManagementObject lfs = new
ManagementObject(@"Win32_LogicalFileSecuritySettin g.Path=" + "'" +
fileObject + "'"))
{
ManagementBaseObject outParams = null;
// Get the security descriptor for this object
// Dump all trustees (this includes owner)
outParams = lfs.InvokeMethod("GetSecurityDescriptor", null, null);
if (((uint)(outParams.Properties["ReturnValue"].Value)) == 0) // if
success
{
ManagementBaseObject secDescriptor =
((ManagementBaseObject)(outParams.Properties["Descriptor"].Value));
//The DACL is an array of Win32_ACE objects.
ManagementBaseObject[] dacl =
((ManagementBaseObject[])(secDescriptor.Properties["Dacl"].Value));
DumpACEs(dacl);
}
}
}

static void DumpACEs(ManagementBaseObject[] dacl)
{
NameValueCollection sidName = new NameValueCollection();

foreach(ManagementBaseObject mbo in dacl){
Console.WriteLine("\n---------\nMask: {0:X} - Flags: {1} - Type: {2}",
mbo["AccessMask"], mbo["AceFlags"], mbo["AceType"]);
// Access allowed/denied ACE
if(Convert.ToInt32(mbo["AceType"]) == (int)AceType.AccessDenied)
Console.WriteLine("DENIED ACE TYPE");
else
Console.WriteLine("ALLOWED ACE TYPE");
// Dump trustees
ManagementBaseObject Trustee = ((ManagementBaseObject)(mbo["Trustee"]));
if (Trustee != null)
{
// problem with null names and duplicates
sidName.Add(Trustee.Properties["SIDString"].Value.ToString(),
Trustee.Properties["Name"].Value==null?"null":Trustee.Properties["Name"].Value.ToString());
Console.WriteLine("Name: {0} - Domain: {1} - SID {2}\n",
Trustee.Properties["Name"].Value,
Trustee.Properties["Domain"].Value,
Trustee.Properties["SIDString"].Value);
}
// Dump ACE mask in readable form
UInt32 mask = (UInt32)mbo["AccessMask"];
Console.WriteLine(Enum.Format(typeof(Mask), mask, "g"));
}
}
}

Willy.

"Garrett" <ag*******@hotmail.com> wrote in message
news:3a**************************@posting.google.c om...

Need any help in determining which groups have been given security
access to a folder. Searched DirectoryServices to no avail...

Any Help?