Propagation of permissions

Author
19 Nov 2008 12:29 PM
Peter Bradley
Hi,

This must be a really simple thing, but I can't seem to find the right
incantation...

I'm trying to set security permissions on a directory using .NET 2.0.
What I'm trying to achieve is the equivalent of checking the "Allow
inheritable permissions to propagate to this object and all child
objects..." check box on the Advanced Security Settings dialog.  I've
tried every setting for the PropagationFlags, but can't seem to find one
that works.  For example, I might have:

// Add the FileSystemAccessRules to the security settings.
dSecurity.AddAccessRule(new FileSystemAccessRule(sid,
    FileSystemRights.FullControl,
    InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
    PropagationFlags.None,
    AccessControlType.Allow));

Sorry if I'm just too thick to see something that's staring me in the face.

Is there a decent reference for this?  I couldn't find anything on the
Web - but perhaps my Google-foo has deserted me.

Cheers


Peter

Author
19 Nov 2008 3:40 PM
Peter Bradley
Hi,

Sorry to reply to myself, but further work that I've done suggests I
should add some more information.

We have a folder in which all user home and profile directories are
created.  For the purposes of this issue, all profile directories are
created inside the home directories.  The directories are created by a
special user, which we'll call useradmin for the sake of this post.  My
application (a .NET remote object hosted by a service) runs as this user.

Obviously useradmin needs to have full permission on this root folder so
that it can create the home and profile directories and set their
permissions.  Equally obviously, Everyone needs to have pass-through
permissions so that users can reach their home and profile directories.

In addition, there are two groups of admin users that need full
permissions on the root and created folders (and all subsequent
subfolders and files) - let's say 'helpdesk' and 'support'.

The final position that I want to arrive at is that the user for whom
the home and profile directories are being created is the owner of the
home and profile directories (and all subsequent subfolders and files),
with full permissions on the created folders, subfolders and files; that
the helpdesk and support users also have full permissions on the created
folders and all sub-folders and files.

Pass-through rights for Everyone should stop at the root folder and not
extend into any home and/or profile directories.

The useradmin's permissions should be revoked as soon as the position
above has been satisfactorily created.

I've found that I can get the necessary permissions for the helpdesk and
support user by doing:

dSecurity.SetAccessRuleProtection(false, false);

(I previously had dSecurity.SetAccessRuleProtection(true, false);)

Unfortunately, this means that Everyone and the useradmin user also get
to inherit their permissions, giving them access to the home and profile
directories.

I really am lost on this one, so if anyone can help, I'd be very grateful.

Cheers


Peter


Peter Bradley wrote:
> Hi,
>
> This must be a really simple thing, but I can't seem to find the right
> incantation...
>
> I'm trying to set security permissions on a directory using .NET 2.0.
> What I'm trying to achieve is the equivalent of checking the "Allow
> inheritable permissions to propagate to this object and all child
> objects..." check box on the Advanced Security Settings dialog.  I've
> tried every setting for the PropagationFlags, but can't seem to find one
> that works.  For example, I might have:
>
> // Add the FileSystemAccessRules to the security settings.
> dSecurity.AddAccessRule(new FileSystemAccessRule(sid,
>     FileSystemRights.FullControl,
>     InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
>     PropagationFlags.None,
>     AccessControlType.Allow));
>
> Sorry if I'm just too thick to see something that's staring me in the face.
>
> Is there a decent reference for this?  I couldn't find anything on the
> Web - but perhaps my Google-foo has deserted me.
>
> Cheers
>
>
> Peter
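
Added example, not part of the original posts: one way to reach the end state described in the second post is to keep the home directory's DACL protected (so nothing is inherited from the root folder) and to add the user and the two admin groups as explicit, inheritable entries. The class and method names are hypothetical, and the identities passed in stand for the user, 'helpdesk' and 'support'.

```csharp
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example: HomeDirAcl and its method names are hypothetical.
public static class HomeDirAcl
{
    const InheritanceFlags ThisFolderSubfoldersAndFiles =
        InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;

    // Builds the descriptor for one home directory: owner = user, explicit
    // Full Control for the user and each admin group, nothing from the parent.
    public static DirectorySecurity Build(IdentityReference user,
                                          params IdentityReference[] adminGroups)
    {
        DirectorySecurity sec = new DirectorySecurity();

        // isProtected = true: stop inheriting from the root folder.
        // preserveInheritance = false: drop the inherited ACEs instead of
        // copying them, so Everyone and the creating account get no entry.
        sec.SetAccessRuleProtection(true, false);

        AddFullControl(sec, user);
        foreach (IdentityReference group in adminGroups)
            AddFullControl(sec, group);

        // Assumption: the service account holds SeRestorePrivilege, which
        // Windows normally requires to assign ownership to another account.
        sec.SetOwner(user);
        return sec;
    }

    static void AddFullControl(DirectorySecurity sec, IdentityReference who)
    {
        // PropagationFlags.None with both inherit flags: the ACE applies to
        // this folder and is inherited by all subfolders and files.
        sec.AddAccessRule(new FileSystemAccessRule(who,
            FileSystemRights.FullControl, ThisFolderSubfoldersAndFiles,
            PropagationFlags.None, AccessControlType.Allow));
    }

    // Run this last: once applied, the creating account has no ACE here.
    public static void Apply(string homePath, IdentityReference user,
                             params IdentityReference[] adminGroups)
    {
        Directory.CreateDirectory(homePath);
        Directory.SetAccessControl(homePath, Build(user, adminGroups));
    }
}
```

A profile directory created inside the home directory afterwards inherits these three entries, so it needs no separate rule unless its own DACL is also protected.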