473,390 Members | 959 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,390 software developers and data experts.

Secruity on remote folders

Hello all,

I've spent a lot of my time on this issue, and I thought it best to
share my solution with the community. A special thanks to Willy
Denoyette for his help. Ive opened about two threads to try and get
this solved and neither of them contain a full solution; but this one
does!

So the scenario is, I need to change the file permissions on a remote
folder using WMI. I was attempting to do this using a UNC path, which
is not the right way to go about it, because when you access file
security from a UNC path with WMI you get the share permissions as
opposed to the physical file permissions (at least this appears to be
how it works -- perhaps Willy, you could confirm?).

This said (as pointed out by Willy), we need to access the security
from a local path, which is possible once you're connected to a remote
machine via a WMI scope/path etc. So, step by step, this is how it's
done -- for those who are having trouble, this is definitely the best
way to do it, and it works.

I have tested the following procedure on a Windows 2003 server, which
is not part of a domain. This has also been tried using ADSI with
little success.

1. Create e a new scope which points to the remote machine.
2. Create a new Win32_LogicalFileSecuritySetting path based on the
scope.
3. Create a new management object based on the above path (file
security).
4. Invoke the GetSecurityDescriptor and gather the out parameters.
5. Retrieve the "Descriptor" property from the out params.
6. From the new "Descriptor" object, retrieve the "Dacl" property.
7. Create a new Win32_Trustee ManagementObject from ManagementClass.
8. Make sure you're using the scope which points to the remote machine.
9. Set the "Name" property to the name of the user account on the
remote machine.
10. Create a new Win32_ACE object from ManagementClass.
11. Set the "Trustee" property to the Win32_Trustee object in step 7.
12. Set the "AccessMask" property of the Win32_ACE object*.
13. If you want to inherit the parent's Dacl, set the "AceFlags"
property to 0x10.
14. Generally speaking you want to have an "Allow" ace, so set the
"AceType" to 0.
15. Convert the current Dacl to an array list (or similar) and add your
ACE to the list.
16. Set the descriptor's "Dacl" property to the Dacl array list
(converted back to an array).
17. From the file security object (step 3) get the parameters for
SetSecurityDescriptor.
18. For the parameters, set the "Descriptor" property to our security
descriptor (step 5).
19. For file security (step 3) invoke the SetSecurityDescriptor passing
the parameters.

Seems like a very complex solution, but for a remote machine, it's the
only way. Again, thanks to Willy for his guidance. Please see below for
the notes on the access mask described in step 12.

Happy coding!

Nick Bolton
Rensoft Web Services
www.rensoft.net

+++++++++++++++++++++++++++++++++++
* I used the following variables to set the bits.

int FILE_READ_DATA = 0x0;
int FILE_WRITE_DATA = 0x1;
int FILE_APPEND_DATA = 0x4;
int DELETE = 0x10000;

If you need to allow a user to modify, I used this but I'm not entirely
sure it's perfect because the Windows security properties still show it
as "special" permissions.

newAce.Properties["AccessMask"].Value = FILE_READ_DATA |
FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE;
+++++++++++++++++++++++++++++++++++

Jan 22 '06 #1
3 2889
Also, this thread may interest you if you're experiencing problems.

http://groups.google.com/group/micro...bb32ee8b5834a9

Jan 22 '06 #2
Another point to note; in step 12, instead of using bitwise flags (as
described in the foot note) you can simple cast enumerations of the
FileSystemRights in to integer. For example...

newAce.Properties["AccessMask"].Value = (int)FileSystemRights.Modify;

Jan 22 '06 #3
With regards to points 4 though 6, if you want to inherit the Dacl
instead of overriding with a new list, start off with a new empty Dacl.
This way you will only add the new ACE which is a more elegant solution.

Jan 22 '06 #4

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

5
by: steve | last post by:
Hi, I finally figured out the best way to synch local and remote script folders, containing many php script files. What I used to do before was try to ftp all the changed files, etc. which was...
1
by: Z0gS | last post by:
I got this problem for the web application I try to access files on a remote server. string dirs = Directory.GetDirectories(@"E:\vehicles") E drive is a map to a network drive. I get the...
2
bhcob1
by: bhcob1 | last post by:
Hi, I need to add secruity to my database. I would have just a Database Password, except this gives all users admin rights. There are going to be 2 types of users Admin and Read-Only
1
by: =?Utf-8?B?UHJhZGVlcCBFYXJsYQ==?= | last post by:
Hi I am having one windows application on my local machine and I want to display the folders(shared folders) of remote machine in tree view control of my win application. I haved added me as...
0
by: taylorcarr | last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
0
by: Charles Arthur | last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
0
by: emmanuelkatto | last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud. Please let me know. Thanks! Emmanuel
1
by: nemocccc | last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
1
by: Sonnysonu | last post by:
This is the data of csv file 1 2 3 1 2 3 1 2 3 1 2 3 2 3 2 3 3 the lengths should be different i have to store the data by column-wise with in the specific length. suppose the i have to...
0
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
0
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers,...
0
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
0
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.