c# 与 NTFS 权限
Hi,
I have done this before while I was creating an application to bulk import users that created the users directory on a remote server and then specified permissions on that folder after creation.
You will need to get your hands on a DLL called "ADsSecurity.dll"; it contains methods to set permissions, etc. You will need to import it into .NET and access it via COM interop.
I have posted some code I found for the app below. Be warned that I have not tested it in a while (it was my .NET conversion from a VB app), but it should give you an idea of how to set permissions. The methods need to be called in this order: DeleteEveryone, AddAcl, then Reorder.
Remember that this requires the ADsSecurity DLL to be registered inside the project and on your computer (regsvr32).
Hope this helps you on your way.
I have done this before while I was creating an application to bulk import users that created the users directory on a remote server and then specified permissions on that folder after creation.
You will need to get your hands on a DLL called "ADsSecurity.dll"; it contains methods to set permissions, etc. You will need to import it into .NET and access it via COM interop.
I have posted some code I found for the app below. Be warned that I have not tested it in a while (it was my .NET conversion from a VB app), but it should give you an idea of how to set permissions. The methods need to be called in this order: DeleteEveryone, AddAcl, then Reorder.
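// ------------------------------------------------------------
//
// Simple wrapping class, publishes one function that sets
// permissions on the specified folder. It removes the Everyone
// ACE from the DACL and re-orders the DACL's entries according
// to the Microsoft rules.
//
// ------------------------------------------------------------
/// <summary>
/// Simple wrapper to allow access to the ADsSecurity library
/// (COM interop types such as <c>ADsSecurityClass</c>,
/// <c>SecurityDescriptor</c> and <c>AccessControlList</c>).
/// </summary>
/// <remarks>
/// <see cref="AddAce"/> rewrites the whole discretionary ACL of the
/// target. After running it against a new path, read the resulting
/// permissions back with a separate tool and confirm that deny
/// entries still precede allow entries and that no entry went missing.
/// </remarks>
public class AdSecurityWrap
{
    /// <summary>
    /// ACE flag bit 0x1. ADS_ACEFLAG_ENUM has no named member for it;
    /// in the Win32 headers the same bit is OBJECT_INHERIT_ACE
    /// (files inside the folder inherit the entry).
    /// </summary>
    private const int ObjectInheritAceFlag = 0x1;

    /// <summary>
    /// Private reference to the security library
    /// </summary>
    private ADsSecurityClass adSec;

    /// <summary>
    /// Default constructor; creates the COM security object.
    /// </summary>
    public AdSecurityWrap()
    {
        // Obtain a reference to the security library
        adSec = new ADsSecurityClass();
    }

    /// <summary>
    /// Deletes every 'Everyone' ACE from the security descriptor's
    /// DACL.
    /// </summary>
    /// <param name="securityDescriptor">
    /// File/Folder security descriptor
    /// </param>
    private void DeleteEveryoneDacl( object securityDescriptor )
    {
        AccessControlList dacl =
            (AccessControlList)((SecurityDescriptor)securityDescriptor).DiscretionaryAcl;

        // Collect first, remove afterwards: removing entries while the
        // COM enumerator is still walking the list can skip the entry
        // that follows a removed one, leaving an 'Everyone' ACE behind.
        System.Collections.ArrayList everyoneAces = new System.Collections.ArrayList();
        foreach( object ace in dacl )
        {
            // NOTE(review): this matches the literal English account name.
            // The group is named differently on localized Windows
            // installations; its well-known SID (S-1-1-0) is the same
            // everywhere. Confirm what form Trustee takes on your systems.
            if( ((AccessControlEntry)ace).Trustee == "Everyone" )
            {
                everyoneAces.Add( ace );
            }
        }

        foreach( object ace in everyoneAces )
        {
            dacl.RemoveAce( ace );
        }
    }

    /// <summary>
    /// Builds a copy of the DACL with its ACEs in canonical order:
    /// explicit deny, explicit object deny, explicit allow, explicit
    /// object allow, then inherited entries.
    /// </summary>
    /// <param name="dacl">Discretionary access list</param>
    /// <returns>
    /// The re-ordered list. The caller must store it back on the
    /// security descriptor; the list passed in is not modified.
    /// </returns>
    /// <exception cref="System.InvalidOperationException">
    /// An explicit ACE has a type this method does not know how to
    /// place. Nothing has been written at that point.
    /// </exception>
    private object ReOrderDacl( object dacl )
    {
        AccessControlList source = (AccessControlList)dacl;

        // Temp access control entry containers, one per ordering group
        AccessControlListClass newDacl = new AccessControlListClass();
        AccessControlListClass explicitDeny = new AccessControlListClass();
        AccessControlListClass explicitDenyObject = new AccessControlListClass();
        AccessControlListClass explicitAllow = new AccessControlListClass();
        AccessControlListClass explicitAllowObject = new AccessControlListClass();
        AccessControlListClass inherited = new AccessControlListClass();

        foreach( object entry in source )
        {
            AccessControlEntry ace = (AccessControlEntry)entry;

            // INHERITED_ACE marks an entry that came from a parent.
            // INHERIT_ACE (which the earlier version tested) only says
            // that children will inherit the entry, so an explicit ACE
            // carrying it would have been sorted behind the allow entries.
            if( (ace.AceFlags & (int)ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERITED_ACE) ==
                (int)ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERITED_ACE )
            {
                // Inherited entries keep their relative order
                inherited.AddAce( entry );
                continue;
            }

            // Sort on the ACE type. The earlier version switched on
            // AceFlags, so a deny ACE with no flags set landed in the
            // allow group and most other entries were dropped.
            switch( ace.AceType )
            {
                case (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED:
                    explicitAllow.AddAce( entry );
                    break;
                case (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED:
                    explicitDeny.AddAce( entry );
                    break;
                case (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED_OBJECT:
                    explicitAllowObject.AddAce( entry );
                    break;
                case (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT:
                    explicitDenyObject.AddAce( entry );
                    break;
                default:
                    // Fail before anything is written rather than save
                    // a DACL that silently lost an entry.
                    throw new System.InvalidOperationException(
                        "Unsupported ACE type " + ace.AceType +
                        " for trustee '" + ace.Trustee + "'; DACL left unchanged." );
            }
        }

        // Now combine the ACEs in the proper order
        foreach( object entry in explicitDeny )
        {
            newDacl.AddAce( entry );
        }
        foreach( object entry in explicitDenyObject )
        {
            newDacl.AddAce( entry );
        }
        foreach( object entry in explicitAllow )
        {
            newDacl.AddAce( entry );
        }
        foreach( object entry in explicitAllowObject )
        {
            newDacl.AddAce( entry );
        }
        foreach( object entry in inherited )
        {
            newDacl.AddAce( entry );
        }

        // Carry over the revision level of the original DACL
        newDacl.AclRevision = source.AclRevision;

        // Returned, not assigned to the parameter: C# passes 'dacl' by
        // value, so the assignment in the earlier version discarded
        // the re-ordered list.
        return newDacl;
    }

    /// <summary>
    /// Removes the 'Everyone' ACE from the specified file or folder,
    /// adds an allow ACE for the given user, re-orders the DACL and
    /// writes the security descriptor back. Both the user and the
    /// file/folder need to exist.
    /// </summary>
    /// <remarks>
    /// The new entry grants generic read, write and execute plus
    /// delete, and is flagged to be inherited by child objects.
    /// </remarks>
    /// <param name="objectPath">Path to the file or folder</param>
    /// <param name="usersName">Name of user object to add</param>
    /// <exception cref="System.ArgumentException">
    /// <paramref name="objectPath"/> or <paramref name="usersName"/>
    /// is null or empty.
    /// </exception>
    public void AddAce( string objectPath, string usersName )
    {
        // Reject empty input before touching any security descriptor
        if( objectPath == null || objectPath.Length == 0 )
        {
            throw new System.ArgumentException( "A path is required.", "objectPath" );
        }
        if( usersName == null || usersName.Length == 0 )
        {
            throw new System.ArgumentException( "A user name is required.", "usersName" );
        }

        // Get the security descriptor for the file/folder
        object fileSecDesc = adSec.GetSecurityDescriptor( objectPath );
        SecurityDescriptor descriptor = (SecurityDescriptor)fileSecDesc;

        // Delete the Everyone ACE
        this.DeleteEveryoneDacl( fileSecDesc );

        // Create the new Access Control Entry
        AccessControlEntryClass newAce = new AccessControlEntryClass();
        newAce.Trustee = usersName;
        newAce.AccessMask = (int)ADS_RIGHTS_ENUM.ADS_RIGHT_GENERIC_READ |
                            (int)ADS_RIGHTS_ENUM.ADS_RIGHT_GENERIC_EXECUTE |
                            (int)ADS_RIGHTS_ENUM.ADS_RIGHT_GENERIC_WRITE |
                            (int)ADS_RIGHTS_ENUM.ADS_RIGHT_DELETE;
        newAce.AceFlags = ObjectInheritAceFlag |
                          (int)ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE;
        newAce.AceType = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;

        // Add the ACE to the file/folder DACL
        ((AccessControlList)descriptor.DiscretionaryAcl).AddAce( newAce );

        // Reorder the DACL and store the result on the descriptor, so
        // that the ordered list is what gets written below.
        descriptor.DiscretionaryAcl = this.ReOrderDacl( descriptor.DiscretionaryAcl );

        // Set the file's security descriptor
        adSec.SetSecurityDescriptor( fileSecDesc, objectPath );
    }
}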
Remember that this requires the ADsSecurity DLL to be registered inside the project and on your computer (regsvr32).
Hope this helps you on your way.