Re: Granting write priviledges to a folder

From: Jeffrey Walton (jwalto1_at_no.spam.umbc.edu)
Date: 11/27/03

Next message: Rhett Gong: "RE: What is the format/structure of UPN string?"
Previous message: Jeffrey Walton: "Re: svchost.exe and test.tmp"
In reply to: Rubio: "Granting write priviledges to a folder"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 27 Nov 2003 03:25:36 -0500

"Rubio" <anonymous@discussions.microsoft.com> wrote in message
news:6C555CF1-A561-470D-9314-55C717A731FA@microsoft.com...
| I'm trying to grant everything but full control to a well-known local user group
USERS. I basically get the ACL for the folder, create a new EXPLICIT_ACCESS struct,
add that to the ACL and attach the new ACL to the folder object. I don't (me thinks)
have to worry about the order of ACEs on the ACL.
|
| 1. Since I don't know what language Windows is used, I can't use the group name.
I've used the following code to get the USERS group SID. This has to work on NT4 and
later, so I can't use CreateWellKnownSid().
|
| SID_IDENTIFIER_AUTHORITY sia = SECURITY_NT_AUTHORITY;
|
| dwRes = AllocateAndInitializeSid(&sia,
| 2,
| SECURITY_BUILTIN_DOMAIN_RID,
| DOMAIN_GROUP_RID_USERS,
| 0, 0, 0, 0, 0, 0,
| &pSid);
|
| This will create an ACE for a group 'S-1-5-32-513'. How should I retrieve the SID in
order to have the group USERS appear on the folder ACL?
|
| 2. When initializing the EXPLICIT_ACCESS struct I define grfAccessPermissions as
'GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE', thinking this will grant every
priviledge short of full control. I guess I'll have to add DELETE to that, eh?
|
| -- Rubio

Hi Rubio,

| I don't (me thinks) have to worry about the order of ACEs on the ACL.
Order is very important. Deny before Access.

Also, if the ACE exists, you should delete it before you add another.

I don't have Richter's Programming Server Side Applications handy to answer the other
questions. Do you have access to it?

Jeff

Next message: Rhett Gong: "RE: What is the format/structure of UPN string?"
Previous message: Jeffrey Walton: "Re: svchost.exe and test.tmp"
In reply to: Rubio: "Granting write priviledges to a folder"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Want to turn permission propagation off in SetNamedSecurityInfo . . .
... The ACL and ACEs were pretty easy to parse, ... The object-specific ACEs are a bit weird and I ... determining the exact algorithms used to propagate the permissions. ... SE_FILE_OBJECT, read the dacl, then deleted any ACEs from the DACL ...
(microsoft.public.platformsdk.security)
Re: DataSnap server DCOM installation.
... > for some reason it's not on my website. ... the ACL with the standard GetSecurityDecriptorDacl API. ... First build an ACL with the ACES you want, ... reg: TRegistry; ...
(borland.public.delphi.nativeapi)
Re: Default Permissions
... When you look using the advanced view you see all ACEs in the ACL ... folder, ... carry no permissions on the contained files. ...
(microsoft.public.security)
Re: Win2k - Account Operator not working properly
... All of the ACEs are applicable. ... > about inherited ACLs the object the inheritence applies to is not listed in the ... It is broken up into multiple sections in the inherited ACL ... > permission for the group and reapply again. ...
(microsoft.public.windows.server.active_directory)