Setting NTFS permissions

Jason Edelen

Mar 8, 1999, 3:00:00 AM
I am trying to set the NTFS permissions on a directory so that a
specified user is granted Read-only access. I don't want the other ACEs
to be changed.
After the calls, the user I am trying to add is correctly added with the
correct permissions. However, the permissions for the others in the ACL
are changed to 'Special Access'.

Before the call, the ACL for the directory object looks like this:

CREATOR OWNER                             Full Control (All)(All)
<Computer / Domainname>\Administrators    Full Control (All)(All)
SYSTEM                                    Full Control (All)(All)

Afterwards, it looks like this:

<NewUserID>(<Lastname, Firstname>)        Read (RX)(RX)
<Computer / Domainname>\Administrators    Special Access (All)* (Not Specified)
SYSTEM                                    Special Access (All)* (Not Specified)

Notice that CREATOR OWNER has been removed and that Special Access has
been granted to both SYSTEM and <Computername /
Domainname>\Administrators. Neither should have been changed. Does
anyone know what I'm doing wrong?

Here is the code:
=========================================================================================================

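#include <windows.h>
#include <aclapi.h>

/* DisplayErrorMessage() is the poster's own helper; its definition was not posted. */
void DisplayErrorMessage(DWORD dwError);

void SetDirSecurity(LPTSTR DirectoryName, LPTSTR Trustee)
{
    PACL ExistingDacl = NULL, NewAcl = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    EXPLICIT_ACCESS explicitaccess;
    DWORD dwError = 0;

    /* Read the directory's current DACL. ExistingDacl points into pSD. */
    dwError = GetNamedSecurityInfo(
        DirectoryName,
        SE_FILE_OBJECT,
        DACL_SECURITY_INFORMATION,
        NULL,
        NULL,
        &ExistingDacl,
        NULL,
        &pSD
        );
    if (dwError != ERROR_SUCCESS)
    {
        DisplayErrorMessage(dwError);
        goto cleanup;   /* do not build a new ACL from an unread DACL */
    }

    /* Describe the new entry: read and execute, inherited by subdirectories and files. */
    BuildExplicitAccessWithName(
        &explicitaccess,
        Trustee,
        GENERIC_READ | GENERIC_EXECUTE,
        GRANT_ACCESS,
        SUB_CONTAINERS_AND_OBJECTS_INHERIT
        );

    /* Merge the new entry with the existing DACL into a newly allocated ACL. */
    dwError = SetEntriesInAcl(
        1,
        &explicitaccess,
        ExistingDacl,
        &NewAcl
        );
    if (dwError != ERROR_SUCCESS)
    {
        DisplayErrorMessage(dwError);
        goto cleanup;   /* NewAcl is not valid, so nothing is written */
    }

    /* Write the merged DACL back to the directory. */
    dwError = SetNamedSecurityInfo(
        DirectoryName,
        SE_FILE_OBJECT,
        DACL_SECURITY_INFORMATION,
        NULL,
        NULL,
        NewAcl,
        NULL
        );
    if (dwError != ERROR_SUCCESS)
    {
        DisplayErrorMessage(dwError);
    }

cleanup:
    if (NewAcl != NULL) AccFree(NewAcl);
    /* ExistingDacl is part of pSD and is released with it; it must not be freed on its own. */
    if (pSD != NULL) AccFree(pSD);
}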


Jason Edelen

Mar 8, 1999, 3:00:00 AM
Where can I go to find examples / pointers on using the low-level APIs to do
the same thing? I spent about a week trying to get the ACLAPIs to work.
Thanks for pointing out the other newsgroups.

Thanks in advance
--
Jason Edelen

Simon Fell wrote in message <36e46417....@news.demon.co.uk>...
>The NT4.0 Security APIs are broke, you'll have to use the low-level
>APIs. This has been talked about a number of times in
>microsoft.public.win32.programmer.networks and
>microsoft.public.win32.programmer.kernel


Simon Fell

Mar 9, 1999, 3:00:00 AM
The NT4.0 Security APIs are broke, you'll have to use the low-level
APIs. This has been talked about a number of times in
microsoft.public.win32.programmer.networks and
microsoft.public.win32.programmer.kernel

Cheers
Simon
c-call.com dev team

On Mon, 08 Mar 1999 16:42:58 -0600, Jason Edelen <jed...@lsumc.edu>
wrote:

Simon Fell

Mar 9, 1999, 3:00:00 AM
On Mon, 8 Mar 1999 19:55:24 -0600, "Jason Edelen" <jed...@lsumc.edu>
wrote:

>Where can I go to find examples / pointers on using the low-level APIs to do
>the same thing? I spent about a week trying to get the ACLAPIs to work.
>Thanks for pointing out the other newsgroups.
>
>Thanks in advance

The samples provided in the Platform SDK are the best ones I've seen,
but not brilliant.

Cheers
--
Simon Fell
c-call.com dev team
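
Added example, not part of the thread and not code from either poster: a portable C model of what the low-level route amounts to, walking the existing DACL ACE by ACE and copying each one byte for byte into a larger ACL before appending the new entry, so every existing ACE keeps its flags and mask (on Windows, GetAce, InitializeAcl and AddAce operate on this layout). The ACL/ACE layout follows winnt.h; the function names, the sample ACEs and the SID S-1-5-1000 are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
/* winnt.h layout, little-endian. ACL: Rev(1) Sbz1(1) AclSize(2) AceCount(2) Sbz2(2).
   ACE: AceType(1) AceFlags(1) AceSize(2) Mask(4) SID(variable). */
enum { ACL_HDR = 8, OBJECT_INHERIT = 0x01, CONTAINER_INHERIT = 0x02, INHERIT_ONLY = 0x08 };

static unsigned rd16(const uint8_t *p) { return (unsigned)p[0] | ((unsigned)p[1] << 8); }
static void wr16(uint8_t *p, unsigned v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }

/* Constructed helper: 20-byte access-allowed ACE for the SID S-1-<auth>-<sub>. */
static void make_ace(uint8_t *ace, uint8_t flags, uint32_t mask, uint8_t auth, uint32_t sub)
{
    memset(ace, 0, 20);                      /* AceType 0 = ACCESS_ALLOWED */
    ace[1] = flags; ace[2] = 20;             /* AceFlags, AceSize */
    ace[8] = 1; ace[9] = 1; ace[15] = auth;  /* SID revision, sub-authority count, authority */
    for (int i = 0; i < 4; i++) {
        ace[4 + i]  = (uint8_t)(mask >> (8 * i));   /* Mask */
        ace[16 + i] = (uint8_t)(sub >> (8 * i));    /* SubAuthority[0] */
    }
}

/* Copy every ACE of `old` unchanged, then append `ace`.
   Returns the new AclSize, or 0 if the input is malformed or `out` is too small. */
size_t acl_append(const uint8_t *old, size_t oldlen, const uint8_t *ace, uint8_t *out, size_t cap)
{
    if (oldlen < ACL_HDR || rd16(old + 2) > oldlen) return 0;
    size_t used = ACL_HDR, end = rd16(old + 2), add = rd16(ace + 2);
    for (unsigned i = 0; i < rd16(old + 4); i++) {      /* walk by AceSize */
        size_t sz = used + 4 <= end ? rd16(old + used + 2) : 0;
        if (sz < 8 || used + sz > end) return 0;        /* truncated or corrupt ACE */
        used += sz;
    }
    if (add < 8 || used + add > cap || used + add > 0xFFFF) return 0;
    memcpy(out, old, used);                  /* header + existing ACEs, byte for byte */
    memcpy(out + used, ace, add);            /* new ACE goes last */
    wr16(out + 2, (unsigned)(used + add)); wr16(out + 4, rd16(old + 4) + 1);
    return used + add;
}

/* Constructed sample: CREATOR OWNER (S-1-3-0, inherit-only) and SYSTEM (S-1-5-18), plus a new
   read/execute ACE. Returns the new AceCount if both original ACEs are intact, else 0. */
int demo(void)
{
    uint8_t old[48] = {2 /* ACL_REVISION */}, ace[20], out[96];
    make_ace(old + 8,  OBJECT_INHERIT | CONTAINER_INHERIT | INHERIT_ONLY, 0x10000000, 3, 0);
    make_ace(old + 28, OBJECT_INHERIT | CONTAINER_INHERIT, 0x001F01FF, 5, 18);
    wr16(old + 2, 48); wr16(old + 4, 2);
    make_ace(ace, OBJECT_INHERIT | CONTAINER_INHERIT, 0x001200A9, 5, 1000);
    size_t m = acl_append(old, sizeof old, ace, out, sizeof out);
    return (m == 68 && memcmp(old + 8, out + 8, 40) == 0) ? (int)rd16(out + 4) : 0;
}
```

Comparing the ACE bytes before and after a change, as demo() does, is also a quick way to confirm that an ACL edit touched only the entry it was meant to add.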
