(Beginner) Apply this “folder only” permissions for AD Groups to a folder

maps (New member, joined Jul 16, 2021)
I'm struggling a bit with folder permissions.

I want to basically add an AD group to a folder with modify access but then restrict it.

The problem is I couldn't figure out how to apply a permission to "this folder only".

The goal is to set the following restrictions to a main folder:

  • deny delete subfolders
  • deny delete
  • deny change permissions
  • deny take ownership
Here is a picture of the Windows GUI.

I found the AccessRule class, but I can't find any details on how to do this with C#.

Does anyone know how to do this?
 
Creating a rule, on the other hand, is technically not a C# question but rather a Windows operating system question. I believe that the .NET Framework documentation touches on it tangentially, but the definitive source would be the Windows API documentation regarding ACLs.
 
I found a solution.
Here is the code and the info:

C#:
    //set params for all access sets (needs using System.IO, System.Security.AccessControl, System.Security.Principal; strPath, StrDomain, strGroupRead, strGroupModify are defined elsewhere)
    AccessControlType DenyAccess = AccessControlType.Deny;
    AccessControlType AllowAccess = AccessControlType.Allow;
    InheritanceFlags inheritFlag = InheritanceFlags.None;               //"this folder only"
    InheritanceFlags inheritFlag2 = InheritanceFlags.ContainerInherit;  //subfolders
    InheritanceFlags inheritFlag3 = InheritanceFlags.ObjectInherit;     //files
    PropagationFlags propagationFlags = PropagationFlags.None;
    FileSystemRights access = FileSystemRights.ChangePermissions;
    FileSystemRights access2 = FileSystemRights.Delete;
    FileSystemRights access3 = FileSystemRights.TakeOwnership;
    FileSystemRights access4 = FileSystemRights.DeleteSubdirectoriesAndFiles;
    FileSystemRights ReadAccess = FileSystemRights.ReadAndExecute;
    FileSystemRights ModifyAccess = FileSystemRights.Modify;
    
    DirectoryInfo info = new DirectoryInfo(strPath);
    DirectorySecurity security = info.GetAccessControl();
    
    //set read right for group
    NTAccount GroupRead = new NTAccount(StrDomain, strGroupRead);
    security.AddAccessRule(new FileSystemAccessRule(GroupRead, ReadAccess, inheritFlag2, propagationFlags, AllowAccess));
    security.AddAccessRule(new FileSystemAccessRule(GroupRead, ReadAccess, inheritFlag3, propagationFlags, AllowAccess));
    
    //set Modify right for group
    NTAccount GroupModify = new NTAccount(StrDomain, strGroupModify);
    security.AddAccessRule(new FileSystemAccessRule(GroupModify, ModifyAccess, inheritFlag2, propagationFlags, AllowAccess));
    security.AddAccessRule(new FileSystemAccessRule(GroupModify, ModifyAccess, inheritFlag3, propagationFlags, AllowAccess));
    
    //deny rights on this folder only (InheritanceFlags.None) for the modify group
    security.AddAccessRule(new FileSystemAccessRule(GroupModify, access, inheritFlag, propagationFlags, DenyAccess)); //ChangePermission
    security.AddAccessRule(new FileSystemAccessRule(GroupModify, access2, inheritFlag, propagationFlags, DenyAccess)); //Delete
    security.AddAccessRule(new FileSystemAccessRule(GroupModify, access3, inheritFlag, propagationFlags, DenyAccess)); //Ownership
    security.AddAccessRule(new FileSystemAccessRule(GroupModify, access4, inheritFlag, propagationFlags, DenyAccess)); //Delete subfiles and folders
    
    //add rights to folder
    info.SetAccessControl(security);

This gives you a folder with a read and a modify group; the modify group can't delete the main folder, and its members can't take ownership of it or change the permissions on it.

cheers
 
Solution
The thing with flags enums is that you can combine the flags into a single value. This example can replace lines 29-32:
C#:
    // noInherit, noPropagation and denyAccess stand for the earlier post's inheritFlag (InheritanceFlags.None),
    // propagationFlags (PropagationFlags.None) and DenyAccess (AccessControlType.Deny).
    var combinedRights = FileSystemRights.ChangePermissions | FileSystemRights.Delete | FileSystemRights.TakeOwnership | FileSystemRights.DeleteSubdirectoriesAndFiles;
    
    security.AddAccessRule(new FileSystemAccessRule(groupModify, combinedRights, noInherit, noPropagation, denyAccess));
The same can be done with lines 20-21 and 25-26 using this combination:
C#:
    // ContainerInherit | ObjectInherit = "subfolders and files" in the GUI
    var inheritFilesAndSubfolders = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
You may wonder why only one of these has "Flags" in the name, but it is not the name that determines this feature, it is the Flags attribute; in the linked article you can also read more about it. If you look up an enum in Docs you can see if the attribute is applied, and it is also explained; see for example FileSystemRights Enum (System.Security.AccessControl). Using the "Flags" suffix in a type name is actually not recommended in MS's own naming guidelines, so seeing something like "InheritanceFlags" is not common for a flags enum.
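The following is an added example that is not code from either post above. It puts the two answers together: the "this folder only" deny ACE from the first solution, written with a single combined FileSystemRights value and a combined InheritanceFlags value as the second answer suggests, followed by a read-back of the DACL that checks the deny ACE actually landed with InheritanceFlags.None. The names FolderOnlyDeny, Apply and VerifyFolderOnlyDeny, the path C:\Shares\Projects and the group DOMAIN\GRP_Projects_Modify are placeholders chosen for this example. It is Windows-only and must run as an account that is allowed to change the folder's DACL.

```csharp
// Added example, not from the thread. Applies Modify to a folder tree for one AD group,
// denies Delete/DeleteSubdirectoriesAndFiles/ChangePermissions/TakeOwnership on the top
// folder only, then reads the DACL back to verify the scope of the deny ACE.
// Placeholders: the path and the DOMAIN\GRP_Projects_Modify group below.
using System;
using System.IO;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;

static class FolderOnlyDeny
{
    // Rights the modify group must not be able to exercise on the top-level folder itself.
    static readonly FileSystemRights FolderOnlyDenied =
        FileSystemRights.Delete |
        FileSystemRights.DeleteSubdirectoriesAndFiles |
        FileSystemRights.ChangePermissions |
        FileSystemRights.TakeOwnership;

    // ContainerInherit | ObjectInherit is "this folder, subfolders and files" in the GUI.
    const InheritanceFlags InheritAll =
        InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;

    public static void Apply(string path, NTAccount modifyGroup)
    {
        var dir = new DirectoryInfo(path);
        DirectorySecurity security = dir.GetAccessControl();

        // Allow: Modify on the folder and on everything created below it.
        security.AddAccessRule(new FileSystemAccessRule(
            modifyGroup, FileSystemRights.Modify, InheritAll,
            PropagationFlags.None, AccessControlType.Allow));

        // Deny: InheritanceFlags.None scopes the ACE to this folder only, so the group
        // still works normally inside the folder. AddAccessRule keeps the DACL canonical
        // (explicit deny ahead of explicit allow), so the deny wins for the folder itself.
        security.AddAccessRule(new FileSystemAccessRule(
            modifyGroup, FolderOnlyDenied, InheritanceFlags.None,
            PropagationFlags.None, AccessControlType.Deny));

        dir.SetAccessControl(security);
    }

    // Read the DACL back and confirm a folder-only deny ACE for the group covers all four rights.
    public static bool VerifyFolderOnlyDeny(string path, NTAccount modifyGroup)
    {
        var rules = new DirectoryInfo(path).GetAccessControl()
            .GetAccessRules(includeExplicit: true, includeInherited: false, typeof(NTAccount))
            .Cast<FileSystemAccessRule>()
            .ToList();

        foreach (var rule in rules)
        {
            Console.WriteLine($"{rule.AccessControlType,-5} {rule.IdentityReference,-35} " +
                              $"{rule.FileSystemRights} inherit={rule.InheritanceFlags}");
        }

        return rules.Any(r =>
            r.AccessControlType == AccessControlType.Deny &&
            r.IdentityReference.Value.Equals(modifyGroup.Value, StringComparison.OrdinalIgnoreCase) &&
            r.InheritanceFlags == InheritanceFlags.None &&
            (r.FileSystemRights & FolderOnlyDenied) == FolderOnlyDenied);
    }

    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : @"C:\Shares\Projects";  // placeholder path
        var group = new NTAccount("DOMAIN", "GRP_Projects_Modify");      // placeholder group

        Apply(path, group);
        Console.WriteLine(VerifyFolderOnlyDeny(path, group)
            ? "OK: folder-only deny ACE present"
            : "WARNING: folder-only deny ACE missing");
    }
}
```

Two points worth knowing when reading the output. FileSystemRights.Modify does not include ChangePermissions or TakeOwnership (those come with FullControl), so denying them is defence in depth rather than a correction of what Modify grants; the denies that actually change behaviour are Delete and DeleteSubdirectoriesAndFiles. And a Delete deny on the folder itself does not protect it from a principal that holds DeleteSubdirectoriesAndFiles on the parent folder, because Windows also honours that parent right when deleting a child, so the parent's ACL needs checking as well.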
 