Problems With ACL Permission Inheritance

Post by ericmlegau » Wed, 03 Mar 2004 05:29:45


I've figured out how to toggle the security inheritance for a given
folder. The code below adds users from one of my classes and gives
them specific rights to the specified folder. I am calling this
procedure for every file folder it is creating under a root. However,
users seem to be inheriting their permissions from parent folders if I
use this:

objAce.AceFlags = ADS_ACEFLAG_UNKNOWN Or ADS_ACEFLAG_INHERIT_ACE

For instance, I'm setting JoeB as Full Control on FolderA, and giving
JoeB Read only on FolderA\FolderA1. He still gets Full Control on
FolderA1, but the inherit permissions check box for the folder is
cleared.

If I use this:

objAce.AceFlags = ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE

The users are added, but they have ZERO permissions. I've checked
that the proper rights are being assigned as "objAce.AccessMask =
lngRights", and everything is being assigned as they should. What
could I be doing wrong?

Eric Legault
MVP - Outlook

-------------

Private Sub AssignPermissions(strDirPath As String, curMember As Member)
On Error GoTo AssignPermissions_Error

Dim objAce As AccessControlEntry
Dim objAdsSecurity As ADsSecurity
Dim objDacl As AccessControlList
Dim objFileSD As SecurityDescriptor
Dim lngRights As Long
Dim lngRead As Long
Dim lngCreate As Long
Dim lngOwner As Long
Dim lngCreateSubs As Long
Dim lngAdmin As Long

' Build the FILE: provider path for the object
strDirPath = "FILE://" & strDirPath
Set objAdsSecurity = Me.CurrentMigration.MySecurityDescriptor
' Retrieve the SD for the file
Set objFileSD = objAdsSecurity.GetSecurityDescriptor(CStr(strDirPath))

' Map the member's folder rights onto ADSI access-mask bits
If curMember.ReadItems = True Then lngRead = pfmigrate_FolderRights.ADS_RIGHT_GENERIC_READ
If curMember.CreateItems = True Then lngCreate = pfmigrate_FolderRights.ADS_RIGHT_GENERIC_WRITE
If curMember.FolderOwner = True Then lngOwner = pfmigrate_FolderRights.ADS_RIGHT_GENERIC_ALL
If curMember.CreateSubfolders = True Then lngCreateSubs = pfmigrate_FolderRights.ADS_RIGHT_DS_CREATE_CHILD
If curMember.FolderAdmin = True Then lngAdmin = pfmigrate_FolderRights.ADS_RIGHT_WRITE_DAC

'*** SHOULD WE DELETE THE Everyone GROUP?
' DeleteEveryoneAce (objFileSD)

' Mark the DACL and SACL as protected so this folder stops inheriting from its parent
objFileSD.Control = objFileSD.Control Or SE_DACL_PROTECTED Or SE_SACL_PROTECTED
objAdsSecurity.SetSecurityDescriptor objFileSD, CStr(strDirPath)

' Create an IADsAccessControlEntry
Set objAce = CreateObject("AccessControlEntry")
objAce.Trustee = curMember.Trustee
lngRights = lngRead Or lngCreate Or lngOwner Or lngCreateSubs Or lngAdmin
objAce.AccessMask = lngRights

objAce.AceFlags = ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE
objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED
Set objDacl = objFileSD.DiscretionaryAcl
objDacl.AddAce objAce

' Now Reorder the DACL, see comments in ReorderDacl
' subroutine for rules about reordering the DACL

objFileSD.DiscretionaryAcl = objDacl
ReorderDacl objDacl

' Replace the DACL into the Objects Discretionary ACL
objFileSD.DiscretionaryAcl = objDacl
Me.CurrentMigration.LogThis vbTab & "Setting security for " & _
    curMember.Trustee & " (rights = " & lngRights & ")..."

objAdsSecurity.SetSecurityDescriptor objFileSD

Exitt:
Set objAce = Nothing
Set objAdsSecurity = Nothing
Set objDacl = Nothing
Set objFileSD = Nothing
Exit Sub

AssignPermissions_Error:
' Handler for the On Error GoTo above; its body was cut off in the post,
' so this minimal version logs the error and falls through to the cleanup
Me.CurrentMigration.LogThis "AssignPermissions: " & Err.Description
Resume Exitt
End Sub

Problems With ACL Permission Inheritance

Post by maxv » Sun, 07 Mar 2004 03:23:34

Please see the discussion of SDs in a previous post.


Here is the breakdown of AceFlags values for an NTFS ACE. Please see
winnt.h for other constants that apply to an NTFS ACE.

Apply To:
This Folder Only -> 0
This Folder, Subfolders and Files -> OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE (3)
This Folder and Subfolders -> CONTAINER_INHERIT_ACE (2)
This Folder and Files -> OBJECT_INHERIT_ACE (1)
Subfolders and Files Only -> OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE (11, 0xB)
Subfolders Only -> CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE (10, 0xA)
Files Only -> OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE (9)


Sincerely,
Max Vaughn [MS]
Microsoft Developer Support


Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights. You assume all risk for your use.
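As an added illustration that is not code from either post, the following Python models the NTFS propagation rules behind Max's table and applies them to Eric's FolderA/FolderA1 case. It assumes SE_DACL_PROTECTED can be represented as a boolean on the child, and it leaves out deny ACEs and generic-to-specific right mapping.

```python
"""Model of how NTFS copies a parent DACL onto a new child (constructed example)."""
from dataclasses import dataclass, replace

# AceFlags bits from winnt.h; ADSI's ADS_ACEFLAG_* constants carry the same values, so
# the original post's ADS_ACEFLAG_UNKNOWN Or ADS_ACEFLAG_INHERIT_ACE evaluates to 1 | 2 = 3
OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE = 0x1, 0x2
NO_PROPAGATE_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE = 0x4, 0x8, 0x10
FULL_CONTROL, GENERIC_READ = 0x1F01FF, 0x120089  # FILE_ALL_ACCESS, FILE_GENERIC_READ

@dataclass(frozen=True)
class Ace:
    trustee: str
    mask: int
    flags: int = 0  # 0 = "This Folder Only" in the table above

def inherited_aces(parent_dacl, child_is_folder, child_protected=False):
    """ACEs a new child receives; a child whose SD has SE_DACL_PROTECTED inherits nothing."""
    if child_protected:
        return []
    out = []
    for ace in parent_dacl:
        oi, ci = ace.flags & OBJECT_INHERIT_ACE, ace.flags & CONTAINER_INHERIT_ACE
        no_prop = ace.flags & NO_PROPAGATE_INHERIT_ACE
        if not child_is_folder:
            if oi:  # a file receives an OI ACE as a plain, effective ACE
                out.append(replace(ace, flags=INHERITED_ACE))
        elif ci:
            # effective on the subfolder; keeps OI/CI so it flows further, unless NO_PROPAGATE
            keep = 0 if no_prop else ace.flags & (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE)
            out.append(replace(ace, flags=INHERITED_ACE | keep))
        elif oi and not no_prop:
            # a "Files Only" ACE rides through the subfolder as inherit-only to reach its files
            out.append(replace(ace, flags=INHERITED_ACE | INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE))
    return out

def effective_mask(dacl, trustee):
    """Union of allow masks that apply to the object itself (deny ACEs are not modelled)."""
    mask = 0
    for ace in dacl:
        if ace.trustee == trustee and not ace.flags & INHERIT_ONLY_ACE:
            mask |= ace.mask
    return mask

def folder_a1_dacl(protected):
    """The post's scenario: JoeB Full Control on FolderA, explicit Read on FolderA\\FolderA1."""
    folder_a = [Ace("JoeB", FULL_CONTROL, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE)]
    return [Ace("JoeB", GENERIC_READ)] + inherited_aces(folder_a, True, protected)
```

Without the protected bit, FolderA1 carries JoeB's inherited Full Control next to the explicit Read ACE, which is exactly the symptom in the first post; with the bit set, only the explicit Read ACE applies.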