Solved

setting a files permission (programatically) to be Administrators group

Posted on 1998-08-10
4
308 Views
Last Modified: 2013-12-03
How does one set a file's security permission to be 'Administrators' group - programatically?

All this is for NT server.

To do this from the desktop - right click a file in explorer, choose properties from the popup, in the resulting dialog box choose the second tab called 'security' and then choose 'permissions'. That allows you to set security permissions on the said file to any user or group.

Now I have done this - set a files permissions to a certain user account Programatically. How?
1. Use 'LookupAccountName' to get a users SID.
2. Use 'AddAccessAllowedAce' to associate a ACL to that SID
3. Use 'SetNamedSecurityInfo' to associate that ACL to a file object.

I will like to do the same for a group like 'Administrators'
'LookupAccountName' does not work for Group names!!

Here is what i have tried- used 'AllocateAndInitializeSid' to create a new SID for a group and then associate it with a file object using 'SetNamedSecurityInfo'. No luck!!

If some has some info on this I will appriciate it.

Thanks.

Robin.
0
Comment
Question by:robin_raul
  • 2
  • 2
4 Comments
 
LVL 23

Accepted Solution

by:
chensu earned 50 total points
ID: 1413331
So, you are looking for the SID for 'Administrators', aren't you?

Use the well-known SIDs.

DOMAIN_USER_RID_ADMIN The administrative user account in a domain.

DOMAIN_GROUP_RID_ADMINS The domain administrator's group. This account exists only on systems running Windows NT Server, not Windows NT Workstation.

DOMAIN_ALIAS_RID_ADMINS A local group used for administration of the domain.

Look into the Platform SDK documentation about Access Control/Well-Known SIDs.
0
 

Author Comment

by:robin_raul
ID: 1413332
You do know what I am talikg about.
I did try that. See the code below. What I am trying there is
Get ADMIN group's SID using 'AllocateAndInitializeSid' (just as you said) and then attach this SID to the file name (Args[0])
And that has been failing. DO you see any thing wrong there?

Thanks for your help.

pGSID = (PSID) LocalAlloc(LPTR, cbSID);
      if (! AllocateAndInitializeSid(&SIDAuth,                  2,SECURITY_BUILTIN_DOMAIN_RID,
      DOMAIN_ALIAS_RID_ADMINS,
      0,0,0,0,0,0,
      &pGSID) ) {
      MessageBox( NULL, "Could not create SID for Admin Group",
              "ErrorMessage",
              MB_ICONERROR|MB_OK);
            }
      
            
if ( !(ERROR_SUCCESS == SetNamedSecurityInfo  (
                           pArgs[0],                                          SE_FILE_OBJECT,                                          GROUP_SECURITY_INFORMATION,
                  NULL,                                                pGSID,
                  NULL,
                  NULL)) )
      {
            MessageBox( NULL, "Could not set the permissions!!", "Error Message" , MB_ICONERROR|MB_OK );
            return FALSE;
      }
0
 
LVL 23

Expert Comment

by:chensu
ID: 1413333
Did you initialize the SDIAuth structure properly?

You don't need to allocate memory for pSid. The AllocateAndInitializeSid function allocates the memory for you and passes the pointer to pGSID. Use the FreeSid function to free it.

I don't know exactly what is wrong. There may be some useful information at
http://www.mvps.org/win32/security/index.html
0
 

Author Comment

by:robin_raul
ID: 1413334
Yes I did. I had this line in my code

SID_IDENTIFIER_AUTORITY SIDAuth = SECURITYZ_NT_AUTHORITY;

I got all the details from a sample app at MS

premium.microsoft.com/msdn/library/sdkdoc/winbase/accctrl_138u.htm

Wht did work finally is what I had tried first thing, use 'LookupAccountName'. When I tried first I was on my NT workstation. When used that on the server it worked! So original approach, just instead of giving accountname give it a groupname.

NT5 has 'SetNamedSecurityInfoEx' which does exactly the same thing on one call.

Thanks for all the help.

Robin
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

This article describes a technique for converting RTF (Rich Text Format) data to HTML and provides C++ source that does it all in just a few lines of code. Although RTF is coming to be considered a "legacy" format, it is still in common use... po…
Whether you've completed a degree in computer sciences or you're a self-taught programmer, writing your first lines of code in the real world is always a challenge. Here are some of the most common pitfalls for new programmers.
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now