Solved

Setting a file's permission (programmatically) to be Administrators group

Posted on 1998-08-10
Medium Priority
Last Modified: 2013-12-03
How does one set a file's security permission to be 'Administrators' group - programmatically?

All this is for NT server.

To do this from the desktop - right click a file in explorer, choose properties from the popup, in the resulting dialog box choose the second tab called 'security' and then choose 'permissions'. That allows you to set security permissions on the said file to any user or group.

Now I have done this - set a file's permissions to a certain user account programmatically. How?
1. Use 'LookupAccountName' to get a user's SID.
2. Use 'AddAccessAllowedAce' to associate an ACL to that SID
3. Use 'SetNamedSecurityInfo' to associate that ACL to a file object.

I would like to do the same for a group like 'Administrators'.
'LookupAccountName' does not work for Group names!!

Here is what I have tried - used 'AllocateAndInitializeSid' to create a new SID for a group and then associate it with a file object using 'SetNamedSecurityInfo'. No luck!!

If someone has some info on this I will appreciate it.

Thanks.

Robin.
Question by:robin_raul
4 Comments
 
LVL 23

Accepted Solution

by: chensu earned 200 total points
ID: 1413331
So, you are looking for the SID for 'Administrators', aren't you?

Use the well-known SIDs.

DOMAIN_USER_RID_ADMIN The administrative user account in a domain.

DOMAIN_GROUP_RID_ADMINS The domain administrator's group. This account exists only on systems running Windows NT Server, not Windows NT Workstation.

DOMAIN_ALIAS_RID_ADMINS A local group used for administration of the domain.

Look into the Platform SDK documentation about Access Control/Well-Known SIDs.
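
The well-known SID this answer points to, worked through as an added example (not code from the thread): BUILTIN\Administrators is the NT authority (5) followed by two sub-authorities, SECURITY_BUILTIN_DOMAIN_RID (32) and DOMAIN_ALIAS_RID_ADMINS (544), giving S-1-5-32-544. The portable C below mirrors the binary SID layout without calling the Win32 API; `sid_build`, `sid_to_string`, `admins_sid_string` and `NT_AUTHORITY` are names assumed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Values as in winnt.h; NT_AUTHORITY is a local name for SECURITY_NT_AUTHORITY. */
#define NT_AUTHORITY                5u     /* {0,0,0,0,0,5} */
#define SECURITY_BUILTIN_DOMAIN_RID 0x20u  /* 32: the BUILTIN domain */
#define DOMAIN_ALIAS_RID_ADMINS     0x220u /* 544: Administrators alias */

/* Layout: revision, count, 48-bit BE authority, 32-bit LE sub-authorities. */
size_t sid_build(uint8_t *out, size_t cap, uint64_t authority,
                 const uint32_t *subs, uint8_t count)
{
    size_t need = 8 + 4u * count;
    if (count > 15 || cap < need || (authority >> 48)) return 0;
    out[0] = 1; out[1] = count;      /* SID_REVISION, SubAuthorityCount */
    for (int i = 0; i < 6; i++)
        out[2 + i] = (uint8_t)(authority >> (8 * (5 - i)));
    for (uint8_t s = 0; s < count; s++)
        for (int b = 0; b < 4; b++)
            out[8 + 4 * s + b] = (uint8_t)(subs[s] >> (8 * b));
    return need;                     /* bytes written, 0 on bad input */
}

/* Render a binary SID as S-1-A-S1-..., rejecting truncated input (-1). */
int sid_to_string(const uint8_t *sid, size_t len, char *dst, size_t cap)
{
    if (len < 8 || sid[0] != 1 || sid[1] > 15 || len != 8 + 4u * sid[1])
        return -1;
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | sid[2 + i];
    int n = snprintf(dst, cap, "S-1-%llu", (unsigned long long)auth);
    for (uint8_t s = 0; s < sid[1] && n >= 0 && (size_t)n < cap; s++) {
        uint32_t v = 0;
        for (int b = 3; b >= 0; b--) v = (v << 8) | sid[8 + 4 * s + b];
        n += snprintf(dst + n, cap - (size_t)n, "-%lu", (unsigned long)v);
    }
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* BUILTIN\Administrators = authority 5, sub-authorities 32 and 544. */
int admins_sid_string(char *dst, size_t cap)
{
    const uint32_t subs[2] = { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS };
    uint8_t raw[16];
    size_t n = sid_build(raw, sizeof raw, NT_AUTHORITY, subs, 2);
    return n ? sid_to_string(raw, n, dst, cap) : -1;
}

int main(void) { char s[64]; return admins_sid_string(s, sizeof s) ? 1 : (puts(s), 0); }
```
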
 

Author Comment

by:robin_raul
ID: 1413332
You do know what I am talking about.
I did try that. See the code below. What I am trying there is
Get ADMIN group's SID using 'AllocateAndInitializeSid' (just as you said) and then attach this SID to the file name (Args[0])
And that has been failing. Do you see anything wrong there?

Thanks for your help.

pGSID = (PSID) LocalAlloc(LPTR, cbSID);
if (!AllocateAndInitializeSid(&SIDAuth, 2,
                              SECURITY_BUILTIN_DOMAIN_RID,
                              DOMAIN_ALIAS_RID_ADMINS,
                              0, 0, 0, 0, 0, 0,
                              &pGSID)) {
    MessageBox(NULL, "Could not create SID for Admin Group",
               "ErrorMessage",
               MB_ICONERROR | MB_OK);
}

if (!(ERROR_SUCCESS == SetNamedSecurityInfo(
          pArgs[0],
          SE_FILE_OBJECT,
          GROUP_SECURITY_INFORMATION,
          NULL,
          pGSID,
          NULL,
          NULL))) {
    MessageBox(NULL, "Could not set the permissions!!", "Error Message", MB_ICONERROR | MB_OK);
    return FALSE;
}
 
LVL 23

Expert Comment

by:chensu
ID: 1413333
Did you initialize the SIDAuth structure properly?

You don't need to allocate memory for pSid. The AllocateAndInitializeSid function allocates the memory for you and passes the pointer to pGSID. Use the FreeSid function to free it.

I don't know exactly what is wrong. There may be some useful information at
http://www.mvps.org/win32/security/index.html
 

Author Comment

by:robin_raul
ID: 1413334
Yes I did. I had this line in my code

SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_NT_AUTHORITY;

I got all the details from a sample app at MS

premium.microsoft.com/msdn/library/sdkdoc/winbase/accctrl_138u.htm

What did work finally is what I had tried first thing, use 'LookupAccountName'. When I tried first I was on my NT workstation. When used that on the server it worked! So original approach, just instead of giving accountname give it a groupname.

NT5 has 'SetNamedSecurityInfoEx' which does exactly the same thing in one call.

Thanks for all the help.

Robin