Solved

setting a files permission (programatically) to be Administrators group

Posted on 1998-08-10
4
314 Views
Last Modified: 2013-12-03
How does one set a file's security permission to be 'Administrators' group - programatically?

All this is for NT server.

To do this from the desktop - right click a file in explorer, choose properties from the popup, in the resulting dialog box choose the second tab called 'security' and then choose 'permissions'. That allows you to set security permissions on the said file to any user or group.

Now I have done this - set a files permissions to a certain user account Programatically. How?
1. Use 'LookupAccountName' to get a users SID.
2. Use 'AddAccessAllowedAce' to associate a ACL to that SID
3. Use 'SetNamedSecurityInfo' to associate that ACL to a file object.

I will like to do the same for a group like 'Administrators'
'LookupAccountName' does not work for Group names!!

Here is what i have tried- used 'AllocateAndInitializeSid' to create a new SID for a group and then associate it with a file object using 'SetNamedSecurityInfo'. No luck!!

If some has some info on this I will appriciate it.

Thanks.

Robin.
0
Comment
Question by:robin_raul
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 23

Accepted Solution

by:
chensu earned 50 total points
ID: 1413331
So, you are looking for the SID for 'Administrators', aren't you?

Use the well-known SIDs.

DOMAIN_USER_RID_ADMIN The administrative user account in a domain.

DOMAIN_GROUP_RID_ADMINS The domain administrator's group. This account exists only on systems running Windows NT Server, not Windows NT Workstation.

DOMAIN_ALIAS_RID_ADMINS A local group used for administration of the domain.

Look into the Platform SDK documentation about Access Control/Well-Known SIDs.
0
 

Author Comment

by:robin_raul
ID: 1413332
You do know what I am talikg about.
I did try that. See the code below. What I am trying there is
Get ADMIN group's SID using 'AllocateAndInitializeSid' (just as you said) and then attach this SID to the file name (Args[0])
And that has been failing. DO you see any thing wrong there?

Thanks for your help.

pGSID = (PSID) LocalAlloc(LPTR, cbSID);
      if (! AllocateAndInitializeSid(&SIDAuth,                  2,SECURITY_BUILTIN_DOMAIN_RID,
      DOMAIN_ALIAS_RID_ADMINS,
      0,0,0,0,0,0,
      &pGSID) ) {
      MessageBox( NULL, "Could not create SID for Admin Group",
              "ErrorMessage",
              MB_ICONERROR|MB_OK);
            }
      
            
if ( !(ERROR_SUCCESS == SetNamedSecurityInfo  (
                           pArgs[0],                                          SE_FILE_OBJECT,                                          GROUP_SECURITY_INFORMATION,
                  NULL,                                                pGSID,
                  NULL,
                  NULL)) )
      {
            MessageBox( NULL, "Could not set the permissions!!", "Error Message" , MB_ICONERROR|MB_OK );
            return FALSE;
      }
0
 
LVL 23

Expert Comment

by:chensu
ID: 1413333
Did you initialize the SDIAuth structure properly?

You don't need to allocate memory for pSid. The AllocateAndInitializeSid function allocates the memory for you and passes the pointer to pGSID. Use the FreeSid function to free it.

I don't know exactly what is wrong. There may be some useful information at
http://www.mvps.org/win32/security/index.html
0
 

Author Comment

by:robin_raul
ID: 1413334
Yes I did. I had this line in my code

SID_IDENTIFIER_AUTORITY SIDAuth = SECURITYZ_NT_AUTHORITY;

I got all the details from a sample app at MS

premium.microsoft.com/msdn/library/sdkdoc/winbase/accctrl_138u.htm

Wht did work finally is what I had tried first thing, use 'LookupAccountName'. When I tried first I was on my NT workstation. When used that on the server it worked! So original approach, just instead of giving accountname give it a groupname.

NT5 has 'SetNamedSecurityInfoEx' which does exactly the same thing on one call.

Thanks for all the help.

Robin
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows a few slightly more advanced techniques for Windows 7 gadget programming, including how to save and restore user settings for your gadget and how to populate the "details" panel that is displayed in the Windows 7 gadget gallery.  …
After several hours of googling I could not gather any information on this topic. There are several ways of controlling the USB port connected to any storage device. The best example of that is by changing the registry value of "HKEY_LOCAL_MACHINE\S…
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question