Paul May

Changing permissions on Windows Shares using VB.NET

We have to remediate a number of open shares on our Windows network.  There are a significant number and I would like to automate the procedure as much as I can using VB.NET.

Without wishing to delve into the business background, the tasks I hope to automate are the creation of a group object in AD, adding users to the group, the removal of the Everyone group permission from each share, and then adding a new group permission to the share. So, the steps are:

1. Audit the access to the share and see which users and groups are accessing the share and the sub-folders (this task is done using Varonis)
2. Create a list of users that have implied access to the share via the Everyone group (this task is done using VB.NET examining the CSV reports from Varonis)
3. Create a group and add the user from step 2 (this task is done using VB.NET)
4. Grant access to the share for the group created in step 3 - to do
5. Remove the Everyone group from the share - to do

I have written the code for steps 1, 2 and 3, the problem I have is how to figure out how to connect to each identified share, remove the Everyone permission and add my new group and the required permission - I don't know how to do it. This task is compounded by the fact that the shares are on NetApp filers too!

Can anyone help me with VB.NET examples of how to access a share on a server, remove the Everyone permission and add a new permission for my newly created group please?

Thank you.
Shaun Vermaak

SetACL has a command line version and an OCX version that you can use in your .NET applications
https://helgeklein.com/setacl/
Paul May

ASKER

Hi Shaun

This appears to be more for VBScript (for scripting hosts) and not for use with VB.NET. The documentation only suggests VBScript. Do you have any examples of using this tool with VB.NET please?

From a previous EE_PAQ - https:/Q_28734001.html#a41016321
Imports System.IO
Imports System.Runtime.CompilerServices
Imports System.Security.AccessControl
Imports System.Security.Principal

Module Module1
	Sub Main()
		Dim folder = "C:\testingFolder"
		folder.CreateDirectory()
	End Sub
End Module

Module Extensions
	<Extension()> _
	Public Sub CreateDirectory(ByVal path As String)
		Try
			If Not Directory.Exists(path) Then
				' Build an ACL that grants Everyone (the well-known World SID) full control,
				' inherited by every subfolder and file beneath the new directory.
				Dim fEveryone = New SecurityIdentifier(WellKnownSidType.WorldSid, Nothing)
				Dim fDirectorySecurity = New DirectorySecurity()
				Dim fFileSystemRights = FileSystemRights.FullControl
				Dim fInheritanceFlags = InheritanceFlags.ContainerInherit Or InheritanceFlags.ObjectInherit
				Dim fPropagationFlags = PropagationFlags.None
				Dim fAccessControlType = AccessControlType.Allow
				Dim fDirectoryAccessRule = New FileSystemAccessRule(fEveryone, fFileSystemRights, fInheritanceFlags, fPropagationFlags, fAccessControlType)
				fDirectorySecurity.AddAccessRule(fDirectoryAccessRule)
				' Create the folder with that ACL applied (.NET Framework overload).
				Directory.CreateDirectory(path, fDirectorySecurity)
			End If
		Catch ex As PathTooLongException
			Console.WriteLine("The path {0}; was too long.", path)
		Catch ex As UnauthorizedAccessException
			Console.WriteLine("The path {0}; cannot be created because you do not have the rights to create it.", path)
		Catch ex As Exception
			Console.WriteLine("Exception in {0} - {1}; {2}", ex.Source, ex, ex.Message)
		End Try
	End Sub
End Module

-saige-
Hi

Thank you for your contribution - it looks like the code is creating a folder and setting NTFS permissions for it, whereas I need to set permissions on an existing share which is a different proposal I believe. Am I correct in my observation or have I misread the code please?

Many thanks again for your help.
ASKER CERTIFIED SOLUTION
Shaun Vermaak
This solution is only available to members.
You are correct that this creates a new directory, but setting the permissions on a preexisting directory is just about the same.

-saige-
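
The same classes applied to a folder that already exists, as an added example that is not part of the original thread or any poster's code: it adds the new group before removing the explicit Everyone entries, then re-reads the ACL to report any Everyone entry that survives through inheritance. The function name `ReplaceEveryone`, the UNC path and the group name are constructed placeholders, and the code changes the NTFS ACL of the folder, not the separate share-level permission list; behaviour against a NetApp filer is an assumption that has not been tested here.

```vbnet
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal

Module ShareAclRemediation
    ' Hypothetical helper: grants groupName the given rights on an existing folder,
    ' removes explicit Everyone ACEs, and returns True only when no Everyone ACE
    ' (explicit or inherited) remains afterwards.
    Function ReplaceEveryone(folderPath As String, groupName As String, rights As FileSystemRights) As Boolean
        Dim everyone = New SecurityIdentifier(WellKnownSidType.WorldSid, Nothing)
        Dim newGroup = New NTAccount(groupName)
        Dim dirInfo = New DirectoryInfo(folderPath)
        Dim security = dirInfo.GetAccessControl()

        ' Add the replacement group first so the folder is never left without an allow rule.
        Dim inheritFlags = InheritanceFlags.ContainerInherit Or InheritanceFlags.ObjectInherit
        security.AddAccessRule(New FileSystemAccessRule(newGroup, rights, inheritFlags,
                                                        PropagationFlags.None, AccessControlType.Allow))

        ' PurgeAccessRules drops every explicit rule (allow and deny) held by the identity.
        security.PurgeAccessRules(everyone)
        dirInfo.SetAccessControl(security)

        ' Re-read the ACL: Everyone ACEs inherited from a parent are not removed by the purge.
        Dim remaining = 0
        Dim rules = dirInfo.GetAccessControl().GetAccessRules(True, True, GetType(SecurityIdentifier))
        For Each rule As FileSystemAccessRule In rules
            If rule.IdentityReference.Equals(everyone) Then
                remaining += 1
                Console.WriteLine("{0}: Everyone still has {1} (inherited: {2})",
                                  folderPath, rule.FileSystemRights, rule.IsInherited)
            End If
        Next
        Return remaining = 0
    End Function

    Sub Main()
        ' Constructed sample values; substitute a real folder and the group created in step 3.
        Dim ok = ReplaceEveryone("\\server\share", "EXAMPLE\Share-Users", FileSystemRights.Modify)
        Console.WriteLine(If(ok, "Everyone removed", "Everyone ACE remains; check the parent folder"))
    End Sub
End Module
```

A `False` result with `inherited: True` in the output means the Everyone entry comes from the parent folder and has to be removed there, or inheritance has to be changed on this folder.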