How to remove a permission on a Windows Share programmatically


I have created an application that adds permissions to a Shared Folder on a Windows server (this is important as I'm setting permissions on a share and NOT NTFS).

I now need to do the opposite and remove the group 'Everyone' from the Share permission.  I have a piece of code that gets the existing permissions as follows:

    'Requires: Imports System.Management
    Dim securityDescriptor As ManagementBaseObject = TryCast(securityDescriptorObject.Properties("Descriptor").Value, ManagementBaseObject)
    Dim existingAcessControlEntriesCount As Integer = 0
    Dim accessControlList As ManagementBaseObject() = TryCast(securityDescriptor.Properties("DACL").Value, ManagementBaseObject())

    If accessControlList Is Nothing Then
        'No existing entries: start with a single empty slot for the new entry
        accessControlList = New ManagementBaseObject(0) {}
    Else
        'Remember how many entries exist and add one slot at the end for the new entry
        existingAcessControlEntriesCount = accessControlList.Length
        Array.Resize(accessControlList, accessControlList.Length + 1)
    End If

As you can see above, I am using an ACL list and I extend it  so that I can then add the new ACL for the group I want to give permissions to.  I now wish to do the opposite and remove an entry from the accessControlList.

Now, I am convinced that if I were to remove one of the existing entries from this accessControlList before committing it back, that would remove a permission for an existing object but I don't know how to enumerate the accessControlList to find the entry I want to remove.

In pseudo-code, this is what I would like to do:

1. Retrieve the existing permissions on the Share (this is done and working as the accessControlList above)
2. Enumerate the accessControlList and find the entry I want to remove (either by name or some other reference)
3. Remove the entry from accessControlList
4. Do the rest of my code (which adds new permissions for other users and groups - this is done and working)
5. Save the entries back to the server with the new set of permissions (this is done and working)

Can someone help me to understand the accessControl, its contents and properties and how I can find the value I'm looking for and remove it please?  Either C# or VB.NET code would be really helpful.

Thank you.

Asked by: Paul May

Paul May (Author) commented:
I worked out how to do it.  The following function receives an accessControlList (an array of DACLs), iterates through and copies the permissions to a new array excluding the ones we don't want.

    'Requires: Imports System.Management
    Function checkTrustees(accessControlList() As ManagementBaseObject) As ManagementBaseObject()
        'This function looks at each trustee permission in the accessControlList and compares the trustee name against the list
        'of those we wish to drop.  If the trustee name matches one that we want to drop then we skip over the item,
        'otherwise we copy all permissions to a new array.  What we end up with is an array of permissions that don't include the ones we wish to
        'drop.  This will be written back to the s

        'Two strings: one to hold the domain name retrieved from the trustee object and one to hold the name of the trustee
        Dim strDomainName As String = ""
        Dim strTrusteeName As String = ""
        Dim newAccessControlList As ManagementBaseObject() = Nothing

        For intCount As Integer = 0 To UBound(accessControlList)
            'Now iterate through the list of permissions and get the trustee name and domain name
            strTrusteeName = CType(accessControlList(intCount).GetPropertyValue("Trustee"), ManagementBaseObject).Properties("Name").Value.ToString

            'Get the domain name for this object (could be nothing if it's a well-known security principal such as Everyone)
            If CType(accessControlList(intCount).GetPropertyValue("Trustee"), ManagementBaseObject).Properties("Domain").Value IsNot Nothing Then
                strDomainName = CType(accessControlList(intCount).GetPropertyValue("Trustee"), ManagementBaseObject).Properties("Domain").Value.ToString()
            End If

            'Test to see if this trustee object is the one we want to get rid of (note, in this example I've hard-coded the name but in production this will be a list of groups or users that need to be removed)
            If strTrusteeName = "Everyone" Then
                'Do nothing
            Else
                'Redimension or resize the ACL array to hold either the first value or the subsequent values
                If newAccessControlList Is Nothing Then
                    Array.Resize(newAccessControlList, 1)
                Else
                    Array.Resize(newAccessControlList, newAccessControlList.Length + 1)
                End If

                'Now copy the permissions for this object to the new array.  What we end up with is an array of permissions that don't include the ones that we want to drop
                newAccessControlList(newAccessControlList.Length - 1) = accessControlList(intCount)
            End If
        Next

        Return newAccessControlList
    End Function
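
A variant of the filtering step in the answer above, as an added example that is not part of the original post: it matches trustees by SID instead of by display name, because the name "Everyone" is localized on non-English Windows installations, and it takes the list of trustees to drop as a parameter. `ResolveSids` and `RemoveTrustees` are hypothetical helper names, and the code assumes the `SID` byte array on each `Win32_Trustee` is populated.

```vbnet
Imports System.Collections.Generic
Imports System.Management
Imports System.Security.Principal

' Added example: ResolveSids and RemoveTrustees are hypothetical helper names.
Module ShareAclFilter
    ' Resolves account names to SIDs. Translate throws IdentityNotMappedException
    ' for a name that cannot be resolved, so a typo fails loudly.
    Function ResolveSids(accountNames As IEnumerable(Of String)) As HashSet(Of SecurityIdentifier)
        Dim sids As New HashSet(Of SecurityIdentifier)
        For Each name As String In accountNames
            Dim account As New NTAccount(name)
            sids.Add(CType(account.Translate(GetType(SecurityIdentifier)), SecurityIdentifier))
        Next
        Return sids
    End Function

    ' Returns the ACEs whose trustee SID is not in sidsToDrop, in original order.
    Function RemoveTrustees(acl As ManagementBaseObject(),
                            sidsToDrop As ICollection(Of SecurityIdentifier)) As ManagementBaseObject()
        Dim kept As New List(Of ManagementBaseObject)
        If acl Is Nothing Then Return kept.ToArray()
        For Each ace As ManagementBaseObject In acl
            Dim trustee As ManagementBaseObject = TryCast(ace.GetPropertyValue("Trustee"), ManagementBaseObject)
            Dim sidBytes As Byte() = Nothing
            If trustee IsNot Nothing Then sidBytes = TryCast(trustee.GetPropertyValue("SID"), Byte())
            ' Assumption: Win32_Trustee.SID is populated. An entry without a
            ' readable SID is kept rather than dropped silently.
            If sidBytes Is Nothing OrElse Not sidsToDrop.Contains(New SecurityIdentifier(sidBytes, 0)) Then
                kept.Add(ace)
            End If
        Next
        Return kept.ToArray()
    End Function

    ' Usage with the DACL array from the question ("CONTOSO\Temps" is a constructed name):
    '   Dim drop As HashSet(Of SecurityIdentifier) = ResolveSids({"CONTOSO\Temps"})
    '   drop.Add(New SecurityIdentifier(WellKnownSidType.WorldSid, Nothing)) ' Everyone, S-1-1-0
    '   accessControlList = RemoveTrustees(accessControlList, drop)
End Module
```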
