Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

setting a files permission (programatically) to be Administrators group

Posted on 1998-08-10
4
312 Views
Last Modified: 2013-12-03
How does one set a file's security permission to be 'Administrators' group - programatically?

All this is for NT server.

To do this from the desktop - right click a file in explorer, choose properties from the popup, in the resulting dialog box choose the second tab called 'security' and then choose 'permissions'. That allows you to set security permissions on the said file to any user or group.

Now I have done this - set a files permissions to a certain user account Programatically. How?
1. Use 'LookupAccountName' to get a users SID.
2. Use 'AddAccessAllowedAce' to associate a ACL to that SID
3. Use 'SetNamedSecurityInfo' to associate that ACL to a file object.

I will like to do the same for a group like 'Administrators'
'LookupAccountName' does not work for Group names!!

Here is what i have tried- used 'AllocateAndInitializeSid' to create a new SID for a group and then associate it with a file object using 'SetNamedSecurityInfo'. No luck!!

If some has some info on this I will appriciate it.

Thanks.

Robin.
0
Comment
Question by:robin_raul
  • 2
  • 2
4 Comments
 
LVL 23

Accepted Solution

by:
chensu earned 50 total points
ID: 1413331
So, you are looking for the SID for 'Administrators', aren't you?

Use the well-known SIDs.

DOMAIN_USER_RID_ADMIN The administrative user account in a domain.

DOMAIN_GROUP_RID_ADMINS The domain administrator's group. This account exists only on systems running Windows NT Server, not Windows NT Workstation.

DOMAIN_ALIAS_RID_ADMINS A local group used for administration of the domain.

Look into the Platform SDK documentation about Access Control/Well-Known SIDs.
0
 

Author Comment

by:robin_raul
ID: 1413332
You do know what I am talikg about.
I did try that. See the code below. What I am trying there is
Get ADMIN group's SID using 'AllocateAndInitializeSid' (just as you said) and then attach this SID to the file name (Args[0])
And that has been failing. DO you see any thing wrong there?

Thanks for your help.

pGSID = (PSID) LocalAlloc(LPTR, cbSID);
      if (! AllocateAndInitializeSid(&SIDAuth,                  2,SECURITY_BUILTIN_DOMAIN_RID,
      DOMAIN_ALIAS_RID_ADMINS,
      0,0,0,0,0,0,
      &pGSID) ) {
      MessageBox( NULL, "Could not create SID for Admin Group",
              "ErrorMessage",
              MB_ICONERROR|MB_OK);
            }
      
            
if ( !(ERROR_SUCCESS == SetNamedSecurityInfo  (
                           pArgs[0],                                          SE_FILE_OBJECT,                                          GROUP_SECURITY_INFORMATION,
                  NULL,                                                pGSID,
                  NULL,
                  NULL)) )
      {
            MessageBox( NULL, "Could not set the permissions!!", "Error Message" , MB_ICONERROR|MB_OK );
            return FALSE;
      }
0
 
LVL 23

Expert Comment

by:chensu
ID: 1413333
Did you initialize the SDIAuth structure properly?

You don't need to allocate memory for pSid. The AllocateAndInitializeSid function allocates the memory for you and passes the pointer to pGSID. Use the FreeSid function to free it.

I don't know exactly what is wrong. There may be some useful information at
http://www.mvps.org/win32/security/index.html
0
 

Author Comment

by:robin_raul
ID: 1413334
Yes I did. I had this line in my code

SID_IDENTIFIER_AUTORITY SIDAuth = SECURITYZ_NT_AUTHORITY;

I got all the details from a sample app at MS

premium.microsoft.com/msdn/library/sdkdoc/winbase/accctrl_138u.htm

Wht did work finally is what I had tried first thing, use 'LookupAccountName'. When I tried first I was on my NT workstation. When used that on the server it worked! So original approach, just instead of giving accountname give it a groupname.

NT5 has 'SetNamedSecurityInfoEx' which does exactly the same thing on one call.

Thanks for all the help.

Robin
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article describes how to programmatically preset the "Pages per Sheet" option that's available with most printer drivers.   This setting lets you do "n-Up" printing, where two, four, or more pages are printed on each sheet of paper. If your …
With most software applications trying to cater to multiple user needs nowadays, the focus is to make them as configurable as possible. For e.g., when creating Silverlight applications which will connect to WCF services, the service end point usuall…
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question