Re: API to change "Allow inheritable permissions...
From: Nick Finco [MSFT] (nfinco_at_online.microsoft.com)
Date: 07/02/03
- Next message: Alan: "event id 540"
- Previous message: Mark Zbikowski \(MSFT\): "Re: norton anti-virus unable to scan file(s) due to NTFS acls/permissions"
- In reply to: Tim Bedford: "Re: API to change "Allow inheritable permissions..."
- Next in thread: Tim Bedford: "Re: API to change "Allow inheritable permissions..."
- Reply: Tim Bedford: "Re: API to change "Allow inheritable permissions..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 2 Jul 2003 11:20:34 -0700
Ok, I see what you are trying to do. You don't want this ACL to inherit any
ACEs from the parent, aka. a Protected ACL. When you have the security
descriptor in memory, add the SE_DACL_PROTECTED flag to its Control field.
Then go ahead and set it using SetNamedSecurityInfo.
N
-- This posting is provided "AS IS" with no warranties, and confers no rights. Any included code samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm "Tim Bedford" <tim.bedford@ttplabtech.com> wrote in message news:ek7RXWHQDHA.2432@TK2MSFTNGP10.phx.gbl... > Thanks for that Nick, > What I'm doing at present is constructing a new DACL, with one allowed ACE > in it, using SetNamedSecurityInfo to add it. But when I examine the object > there's two ACE's in it. One that it seems to have inheritted. How did that > sneak in there? Isn't there a way to get the DACL to stay as I've > constructed it? > (am I right in thinking that greyed checkboxes mean the permissions are > inheritted?). > thanks, > > Tim > > > "Nick Finco [MSFT]" <nfinco@online.microsoft.com> wrote in message > news:ODEU0v$PDHA.1556@TK2MSFTNGP10.phx.gbl... > > Use GetNamedSecurityInfo to grab the DACL or SACL of the object. Then use > > GetAce to retrieve each ACE until you find the one you are trying to > modify. > > Once you have found the ACE, type-cast it to a ACE_HEADER (you most likely > > already did this to determine the ACE type). Then modify the AceFlags > field > > to include the correct flag. Pass the security descriptor you retrieved > > into SetNamedSecurityInfo to set the modified ACL onto the object. > > > > You could also pass the security descriptor returned from > > GetNamedSecurityInfo into ConvertSecurityDescriptorToSecurityDescriptor, > > modify the SDDL string to reflect the new flags, convert the string back > > into a security descriptor > > (ConvertSecurityDescriptorToStringSecurityDescriptor), and use > > SetNamedSecurityInfo like above. > > > > N > > > > -- > > This posting is provided "AS IS" with no warranties, and confers no > rights. > > Any included code samples are subject to the terms specified at > > http://www.microsoft.com/info/cpyright.htm > > > > > > "Tim Bedford" <tim.bedford@ttplabtech.com> wrote in message > > news:uckEQj#PDHA.3020@TK2MSFTNGP10.phx.gbl... > > > Hi, > > > Windows 2000: Under the Security tab in the right-click, file/dir > > properties > > > dialog thing there's a checkbox to "Allow inheritable permissions from > > > parent to propagate to this object". > > > > > > How do you do this programmatically? I've tried using the flags in the > > > AddAccessAllowedAceEx call on the object in question and its parent > object > > > but can't get it to work. > > > > > > Sorry if this questions been asked a thousand times already. > > > thanks for any help, > > > > > > Tim > > > > > > > > > > > > > > > > > >
- Next message: Alan: "event id 540"
- Previous message: Mark Zbikowski \(MSFT\): "Re: norton anti-virus unable to scan file(s) due to NTFS acls/permissions"
- In reply to: Tim Bedford: "Re: API to change "Allow inheritable permissions..."
- Next in thread: Tim Bedford: "Re: API to change "Allow inheritable permissions..."
- Reply: Tim Bedford: "Re: API to change "Allow inheritable permissions..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
