Hi, I want to add a new user and grant him full control access rights on a directory. I got a function from MSDN which helps me add an ACE to the existing DACL of that folder. After executing the code, the access right is not what I want. Two things are not right:
1) When I right-click on the folder -> Security -> Advanced, it says this access right only applies to "this folder and all subfolders", but I want it to be "folders and all subfolders and files".
2) Only the "List folder contents" checkbox is checked. I want it to be full control.
Please help. Thanks.
the code looks like that:
I have something like this. I created a directory with a NULL security descriptor (so it inherits the parent's security descriptor), then I want to add a user to the ACL using a function which I got from MSDN. It returns an error... I don't know why... Please help, thanks.
the code is like this:
my code:
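// Caller fragment: describes one ACE (trustee, access mask, inheritance) and
// asks the helper to merge it into the directory's DACL.
// NOTE(review): the L"..." literals only match LPTSTR in a UNICODE build.
LPTSTR pszObjName = L"Z:\\146371";
SE_OBJECT_TYPE ObjectType = SE_FILE_OBJECT;
LPTSTR pszTrustee = L"US\\146371";
TRUSTEE_FORM TrusteeForm = TRUSTEE_IS_NAME;
// Intent: grant every access right (read, write, execute, etc.) to this user.
// NOTE(review): full control also carries WRITE_DAC and WRITE_OWNER, so the
// trustee can rewrite this DACL or take ownership. If only read/write/execute
// is needed, a narrower mask such as
// GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE is the
// least-privilege choice.
DWORD dwAccessRights = GENERIC_ALL;
// GRANT_ACCESS adds the rights to whatever the trustee already has;
// SET_ACCESS would first discard the trustee's existing entries.
ACCESS_MODE AccessMode = GRANT_ACCESS;
// NOTE(review): CONTAINER_INHERIT_ACE alone propagates the ACE to subfolders
// only, which the Advanced dialog reports as "This folder and subfolders".
// To also cover files, OR in OBJECT_INHERIT_ACE
// (CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE). The missing file inheritance
// is also the likely reason the basic Security tab ticks only
// "List folder contents" instead of "Full control" -- confirm after the change.
DWORD dwInheritance = CONTAINER_INHERIT_ACE;
// The helper reports failure through its return value; do not discard it.
DWORD dwRes = AddAceToObjectsSecurityDescriptor(pszObjName, ObjectType,
                                                pszTrustee, TrusteeForm,
                                                dwAccessRights, AccessMode,
                                                dwInheritance);
if (ERROR_SUCCESS != dwRes) {
    printf("AddAceToObjectsSecurityDescriptor failed: %lu\n",
           (unsigned long) dwRes);
}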
// function from MSDN which modifies the DACL
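// Merges one new ACE into the DACL of a named object.
//
// Reads the object's current DACL, builds a new ACL that contains the old
// entries plus the ACE described by the parameters, and writes that ACL back
// as the object's DACL.
//
// Returns ERROR_SUCCESS on success, ERROR_INVALID_PARAMETER when the object or
// trustee name is NULL, otherwise the error code of the first API call that
// failed (the code is also printed).
// NOTE(review): the final write needs WRITE_DAC on the object, so an
// access-denied result from SetNamedSecurityInfo usually points at the
// caller's own rights; an unresolvable trustee name is reported by
// SetEntriesInAcl -- confirm against the printed code.
DWORD AddAceToObjectsSecurityDescriptor (
    LPTSTR pszObjName,          // name of object
    SE_OBJECT_TYPE ObjectType,  // type of object
    LPTSTR pszTrustee,          // trustee for new ACE
    TRUSTEE_FORM TrusteeForm,   // format of trustee structure
    DWORD dwAccessRights,       // access mask for new ACE
    ACCESS_MODE AccessMode,     // type of ACE
    DWORD dwInheritance         // inheritance flags for new ACE
)
{
    DWORD dwRes = ERROR_SUCCESS;
    PACL pOldDACL = NULL, pNewDACL = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    EXPLICIT_ACCESS ea;

    // Reject missing names up front; a NULL trustee cannot describe an ACE.
    if (NULL == pszObjName || NULL == pszTrustee)
        return ERROR_INVALID_PARAMETER;

    // Get a pointer to the existing DACL. pOldDACL points into pSD, so only
    // pSD is released in Cleanup.
    dwRes = GetNamedSecurityInfo(pszObjName, ObjectType,
                                 DACL_SECURITY_INFORMATION,
                                 NULL, NULL, &pOldDACL, NULL, &pSD);
    if (ERROR_SUCCESS != dwRes) {
        // DWORD is an unsigned long, so print it with %lu rather than %u.
        printf("GetNamedSecurityInfo Error %lu\n", (unsigned long) dwRes);
        goto Cleanup;
    }

    // Initialize an EXPLICIT_ACCESS structure for the new ACE. Zeroing first
    // leaves every trustee field that is not set below at 0.
    ZeroMemory(&ea, sizeof ea);
    ea.grfAccessPermissions = dwAccessRights;
    ea.grfAccessMode = AccessMode;
    ea.grfInheritance = dwInheritance;
    ea.Trustee.TrusteeForm = TrusteeForm;
    ea.Trustee.ptstrName = pszTrustee;

    // Create a new ACL that merges the new ACE into the existing DACL.
    dwRes = SetEntriesInAcl(1, &ea, pOldDACL, &pNewDACL);
    if (ERROR_SUCCESS != dwRes) {
        printf("SetEntriesInAcl Error %lu\n", (unsigned long) dwRes);
        goto Cleanup;
    }

    // Attach the new ACL as the object's DACL.
    dwRes = SetNamedSecurityInfo(pszObjName, ObjectType,
                                 DACL_SECURITY_INFORMATION,
                                 NULL, NULL, pNewDACL, NULL);
    if (ERROR_SUCCESS != dwRes) {
        printf("SetNamedSecurityInfo Error %lu\n", (unsigned long) dwRes);
        goto Cleanup;
    }

Cleanup:
    // Both buffers were allocated by the security API and are released with
    // LocalFree on every path, including the error paths.
    if (pSD != NULL)
        LocalFree((HLOCAL) pSD);
    if (pNewDACL != NULL)
        LocalFree((HLOCAL) pNewDACL);

    return dwRes;
}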
1) When I right-click on the folder -> Security -> Advanced, it says this access right only applies to "this folder and all subfolders", but I want it to be "folders and all subfolders and files".
2) Only the "List folder contents" checkbox is checked. I want it to be full control.
Please help. Thanks.
the code looks like that:
I have something like this. I created a directory with a NULL security descriptor (so it inherits the parent's security descriptor), then I want to add a user to the ACL using a function which I got from MSDN. It returns an error... I don't know why... Please help, thanks.
the code is like this:
my code:
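// Caller fragment: describes one ACE (trustee, access mask, inheritance) and
// asks the helper to merge it into the directory's DACL.
// NOTE(review): the L"..." literals only match LPTSTR in a UNICODE build.
LPTSTR pszObjName = L"Z:\\146371";
SE_OBJECT_TYPE ObjectType = SE_FILE_OBJECT;
LPTSTR pszTrustee = L"US\\146371";
TRUSTEE_FORM TrusteeForm = TRUSTEE_IS_NAME;
// Intent: grant every access right (read, write, execute, etc.) to this user.
// NOTE(review): full control also carries WRITE_DAC and WRITE_OWNER, so the
// trustee can rewrite this DACL or take ownership. If only read/write/execute
// is needed, a narrower mask such as
// GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE is the
// least-privilege choice.
DWORD dwAccessRights = GENERIC_ALL;
// GRANT_ACCESS adds the rights to whatever the trustee already has;
// SET_ACCESS would first discard the trustee's existing entries.
ACCESS_MODE AccessMode = GRANT_ACCESS;
// NOTE(review): CONTAINER_INHERIT_ACE alone propagates the ACE to subfolders
// only, which the Advanced dialog reports as "This folder and subfolders".
// To also cover files, OR in OBJECT_INHERIT_ACE
// (CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE). The missing file inheritance
// is also the likely reason the basic Security tab ticks only
// "List folder contents" instead of "Full control" -- confirm after the change.
DWORD dwInheritance = CONTAINER_INHERIT_ACE;
// The helper reports failure through its return value; do not discard it.
DWORD dwRes = AddAceToObjectsSecurityDescriptor(pszObjName, ObjectType,
                                                pszTrustee, TrusteeForm,
                                                dwAccessRights, AccessMode,
                                                dwInheritance);
if (ERROR_SUCCESS != dwRes) {
    printf("AddAceToObjectsSecurityDescriptor failed: %lu\n",
           (unsigned long) dwRes);
}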
// function from MSDN which modifies the DACL
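// Merges one new ACE into the DACL of a named object.
//
// Reads the object's current DACL, builds a new ACL that contains the old
// entries plus the ACE described by the parameters, and writes that ACL back
// as the object's DACL.
//
// Returns ERROR_SUCCESS on success, ERROR_INVALID_PARAMETER when the object or
// trustee name is NULL, otherwise the error code of the first API call that
// failed (the code is also printed).
// NOTE(review): the final write needs WRITE_DAC on the object, so an
// access-denied result from SetNamedSecurityInfo usually points at the
// caller's own rights; an unresolvable trustee name is reported by
// SetEntriesInAcl -- confirm against the printed code.
DWORD AddAceToObjectsSecurityDescriptor (
    LPTSTR pszObjName,          // name of object
    SE_OBJECT_TYPE ObjectType,  // type of object
    LPTSTR pszTrustee,          // trustee for new ACE
    TRUSTEE_FORM TrusteeForm,   // format of trustee structure
    DWORD dwAccessRights,       // access mask for new ACE
    ACCESS_MODE AccessMode,     // type of ACE
    DWORD dwInheritance         // inheritance flags for new ACE
)
{
    DWORD dwRes = ERROR_SUCCESS;
    PACL pOldDACL = NULL, pNewDACL = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    EXPLICIT_ACCESS ea;

    // Reject missing names up front; a NULL trustee cannot describe an ACE.
    if (NULL == pszObjName || NULL == pszTrustee)
        return ERROR_INVALID_PARAMETER;

    // Get a pointer to the existing DACL. pOldDACL points into pSD, so only
    // pSD is released in Cleanup.
    dwRes = GetNamedSecurityInfo(pszObjName, ObjectType,
                                 DACL_SECURITY_INFORMATION,
                                 NULL, NULL, &pOldDACL, NULL, &pSD);
    if (ERROR_SUCCESS != dwRes) {
        // DWORD is an unsigned long, so print it with %lu rather than %u.
        printf("GetNamedSecurityInfo Error %lu\n", (unsigned long) dwRes);
        goto Cleanup;
    }

    // Initialize an EXPLICIT_ACCESS structure for the new ACE. Zeroing first
    // leaves every trustee field that is not set below at 0.
    ZeroMemory(&ea, sizeof ea);
    ea.grfAccessPermissions = dwAccessRights;
    ea.grfAccessMode = AccessMode;
    ea.grfInheritance = dwInheritance;
    ea.Trustee.TrusteeForm = TrusteeForm;
    ea.Trustee.ptstrName = pszTrustee;

    // Create a new ACL that merges the new ACE into the existing DACL.
    dwRes = SetEntriesInAcl(1, &ea, pOldDACL, &pNewDACL);
    if (ERROR_SUCCESS != dwRes) {
        printf("SetEntriesInAcl Error %lu\n", (unsigned long) dwRes);
        goto Cleanup;
    }

    // Attach the new ACL as the object's DACL.
    dwRes = SetNamedSecurityInfo(pszObjName, ObjectType,
                                 DACL_SECURITY_INFORMATION,
                                 NULL, NULL, pNewDACL, NULL);
    if (ERROR_SUCCESS != dwRes) {
        printf("SetNamedSecurityInfo Error %lu\n", (unsigned long) dwRes);
        goto Cleanup;
    }

Cleanup:
    // Both buffers were allocated by the security API and are released with
    // LocalFree on every path, including the error paths.
    if (pSD != NULL)
        LocalFree((HLOCAL) pSD);
    if (pNewDACL != NULL)
        LocalFree((HLOCAL) pNewDACL);

    return dwRes;
}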