Re: Propagation of permissions


Sorry to reply to myself, but further work that I've done suggests I should add some more information.

We have a folder in which all user home and profile directories are created. For the purposes of this issue, all profile directories are created inside the home directories. The directories are created by a special user, which we'll call useradmin for the sake of this post. My application (a .NET remote object hosted by a service) runs as this user.

Obviously useradmin needs to have full permission on this root folder so that it can create the home and profile directories and set their permissions. Equally obviously, Everyone needs to have pass-through permissions so that users can reach their home and profile directories.

In addition, there are two groups of admin users that need full permissions on the root and created folders (and all subsequent subfolders and files) - let's say 'helpdesk' and 'support'.

The final position that I want to arrive at is that the user for whom the home and profile directories are being created is the owner of the home and profile directories (and all subsequent subfolders and files), with full permissions on the created folders, subfolders and files; that the helpdesk and support users also have full permissions on the created folders and all sub-folders and files.

Pass-through rights for Everyone should stop at the root folder and not extend into any home and/or profile directories.

The useradmin's permissions should be revoked as soon as the position above has been satisfactorily created.

I've found that I can get the necessary permissions for the helpdesk and support user by doing:

dSecurity.SetAccessRuleProtection(false, false);

(I previously had dSecurity.SetAccessRuleProtection(true, false);)

Unfortunately, this means that Everyone and the useradmin user also get to inherit their permissions, giving them access to the home and profile directories.

I really am lost on this one, so if anyone can help, I'd be very grateful.



Peter Bradley wrote:

This must be a really simple thing, but I can't seem to find the right incantation...

I'm trying to set security permissions on a directory using .NET 2.0. What I'm trying to achieve is the equivalent of checking the "Allow inheritable permissions to propagate to this object and all child objects..." check box on the Advanced Security Settings dialog. I've tried every setting for the PropagationFlags, but can't seem to find one that works. For example, I might have:

// Add the FileSystemAccessRules to the security settings.
dSecurity.AddAccessRule(new FileSystemAccessRule(sid,
    FileSystemRights.FullControl,
    InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
    PropagationFlags.None,
    AccessControlType.Allow)); // assumed: the posted snippet is cut off after PropagationFlags.None

Sorry if I'm just too thick to see something that's staring me in the face.

Is there a decent reference for this? I couldn't find anything on the Web - but perhaps my Google-fu has deserted me.
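
An added example, not part of the original posts and not the poster's code: one way to reach the end state described above is to keep the home directory's ACL protected, so that nothing flows in from the root folder, and to grant the user, helpdesk and support explicit inheritable entries instead. The class name, method names and account-name parameters are hypothetical, and changing the owner is not shown.

```csharp
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class HomeDirAcl
{
    // Hypothetical helper; account names such as @"DOMAIN\helpdesk" are placeholders.
    public static void Apply(string homeDir, string user, string helpdesk, string support)
    {
        DirectoryInfo dir = new DirectoryInfo(homeDir);
        DirectorySecurity sec = dir.GetAccessControl(AccessControlSections.Access);

        // isProtected = true: stop inheriting from the root folder.
        // preserveInheritance = false: drop the inherited entries
        // (Everyone, useradmin) instead of copying them as explicit ones.
        sec.SetAccessRuleProtection(true, false);

        // Explicit entries on this folder, inherited by every subfolder and file.
        InheritanceFlags inherit =
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
        foreach (string account in new string[] { user, helpdesk, support })
        {
            sec.AddAccessRule(new FileSystemAccessRule(
                new NTAccount(account), FileSystemRights.FullControl,
                inherit, PropagationFlags.None, AccessControlType.Allow));
        }
        dir.SetAccessControl(sec);
    }

    // Check: the ACL is protected and holds no inherited entries.
    public static bool IsIsolated(string homeDir)
    {
        DirectorySecurity sec =
            new DirectoryInfo(homeDir).GetAccessControl(AccessControlSections.Access);
        if (!sec.AreAccessRulesProtected) return false;
        foreach (FileSystemAccessRule rule in
                 sec.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (rule.IsInherited) return false;
        }
        return true;
    }
}
```

The account that created the directory remains its owner until ownership is changed, and an owner can always rewrite the ACL, so removing the inherited useradmin entry does not by itself remove that account's control.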