Security on remote folders

Hello all,

I've spent a lot of my time on this issue, and I thought it best to
share my solution with the community. A special thanks to Willy
Denoyette for his help. I've opened about two threads to try and get
this solved and neither of them contain a full solution; but this one
does!

So the scenario is, I need to change the file permissions on a remote
folder using WMI. I was attempting to do this using a UNC path, which
is not the right way to go about it, because when you access file
security from a UNC path with WMI you get the share permissions as
opposed to the physical file permissions (at least this appears to be
how it works -- perhaps Willy, you could confirm?).

This said (as pointed out by Willy), we need to access the security
from a local path, which is possible once you're connected to a remote
machine via a WMI scope/path etc. So, step by step, this is how it's
done -- for those who are having trouble, this is definitely the best
way to do it, and it works.

I have tested the following procedure on a Windows 2003 server, which
is not part of a domain. This has also been tried using ADSI with
little success.

1. Create a new scope which points to the remote machine.
2. Create a new Win32_LogicalFileSecuritySetting path based on the
scope.
3. Create a new management object based on the above path (file
security).
4. Invoke the GetSecurityDescriptor and gather the out parameters.
5. Retrieve the "Descriptor" property from the out params.
6. From the new "Descriptor" object, retrieve the "Dacl" property.
7. Create a new Win32_Trustee ManagementObject from ManagementClass.
8. Make sure you're using the scope which points to the remote machine.
9. Set the "Name" property to the name of the user account on the
remote machine.
10. Create a new Win32_ACE object from ManagementClass.
11. Set the "Trustee" property to the Win32_Trustee object in step 7.
12. Set the "AccessMask" property of the Win32_ACE object*.
13. If you want to inherit the parent's Dacl, set the "AceFlags"
property to 0x10.
14. Generally speaking you want to have an "Allow" ace, so set the
"AceType" to 0.
15. Convert the current Dacl to an array list (or similar) and add your
ACE to the list.
16. Set the descriptor's "Dacl" property to the Dacl array list
(converted back to an array).
17. From the file security object (step 3) get the parameters for
SetSecurityDescriptor.
18. For the parameters, set the "Descriptor" property to our security
descriptor (step 5).
19. For file security (step 3) invoke the SetSecurityDescriptor passing
the parameters.

Seems like a very complex solution, but for a remote machine, it's the
only way. Again, thanks to Willy for his guidance. Please see below for
the notes on the access mask described in step 12.

Happy coding!

Nick Bolton
Rensoft Web Services
www.rensoft.net

+++++++++++++++++++++++++++++++++++
* I used the following variables to set the bits.

// Access-right bit values as defined in winnt.h
int FILE_READ_DATA = 0x1;
int FILE_WRITE_DATA = 0x2;
int FILE_APPEND_DATA = 0x4;
int DELETE = 0x10000;

If you need to allow a user to modify, I used this but I'm not entirely
sure it's perfect because the Windows security properties still show it
as "special" permissions.

newAce.Properties["AccessMask"].Value = FILE_READ_DATA |
FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE;
+++++++++++++++++++++++++++++++++++

Jan 22 '06 #1
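
The nineteen steps above as one C# routine built on System.Management; this is an added example, not code from the original posts. The class, method and parameter names are hypothetical, the access mask uses the FileSystemRights cast mentioned in post #3, and the AceFlags value 0x3 (object and container inherit) is this example's own choice.

```csharp
using System;
using System.Collections.Generic;
using System.Management;
using System.Security.AccessControl;

static class RemoteFolderAcl
{
    // folder is a path local to the remote host (e.g. C:\Data, constructed), not a UNC path.
    public static void GrantModify(string host, string folder, string account, ConnectionOptions creds)
    {
        var scope = new ManagementScope(@"\\" + host + @"\root\cimv2", creds);            // step 1
        scope.Connect();
        string escaped = folder.Replace(@"\", @"\\").Replace("'", @"\'");                  // WMI path escaping
        var path = new ManagementPath("Win32_LogicalFileSecuritySetting.Path='" + escaped + "'"); // step 2
        using (var fileSec = new ManagementObject(scope, path, null))                      // step 3
        {
            ManagementBaseObject got = fileSec.InvokeMethod("GetSecurityDescriptor", null, null); // step 4
            Check("GetSecurityDescriptor", got);
            var descriptor = (ManagementBaseObject)got["Descriptor"];                      // step 5
            var dacl = new List<ManagementBaseObject>(                                     // steps 6 and 15
                (ManagementBaseObject[])descriptor["DACL"] ?? new ManagementBaseObject[0]);

            var trustee = new ManagementClass(scope, new ManagementPath("Win32_Trustee"), null).CreateInstance(); // steps 7-8
            trustee["Name"] = account;                                                     // step 9
            var ace = new ManagementClass(scope, new ManagementPath("Win32_ACE"), null).CreateInstance();         // step 10
            ace["Trustee"] = trustee;                                                      // step 11
            ace["AccessMask"] = (uint)FileSystemRights.Modify;                             // step 12
            ace["AceFlags"] = 0x3u;  // OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE (assumption of this example)
            ace["AceType"] = 0u;     // step 14: access allowed
            dacl.Add(ace);

            descriptor["DACL"] = dacl.ToArray();                                           // step 16
            ManagementBaseObject inParams = fileSec.GetMethodParameters("SetSecurityDescriptor"); // step 17
            inParams["Descriptor"] = descriptor;                                           // step 18
            Check("SetSecurityDescriptor", fileSec.InvokeMethod("SetSecurityDescriptor", inParams, null)); // step 19
        }
    }

    // Both WMI methods report failure through ReturnValue rather than an exception.
    static void Check(string method, ManagementBaseObject result)
    {
        uint rc = Convert.ToUInt32(result["ReturnValue"]);
        if (rc != 0) throw new InvalidOperationException(method + " failed, ReturnValue=" + rc);
    }
}
```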
Also, this thread may interest you if you're experiencing problems.

http://groups.google.com/group/micro...bb32ee8b5834a9

Jan 22 '06 #2
Another point to note: in step 12, instead of using bitwise flags (as
described in the footnote) you can simply cast enumerations of the
FileSystemRights into integer. For example...

newAce.Properties["AccessMask"].Value = (int)FileSystemRights.Modify;

Jan 22 '06 #3
With regards to points 4 through 6, if you want to inherit the Dacl
instead of overriding with a new list, start off with a new empty Dacl.
This way you will only add the new ACE which is a more elegant solution.

Jan 22 '06 #4
