How to remove a permission on a Windows Share programmatically

Paul May
Hi

I have created an application that adds permissions to a Shared Folder on a Windows server (this is important as I'm setting permissions on a share and NOT NTFS).

I now need to do the opposite and remove the group 'Everyone' from the Share permission.  I have a piece of code that gets the existing permissions as follows:

    Dim securityDescriptor As ManagementBaseObject = TryCast(securityDescriptorObject.Properties("Descriptor").Value, ManagementBaseObject)
    Dim existingAcessControlEntriesCount As Integer = 0
    Dim accessControlList As ManagementBaseObject() = TryCast(securityDescriptor.Properties("DACL").Value, ManagementBaseObject())

    If accessControlList Is Nothing Then
        accessControlList = New ManagementBaseObject(0) {}
    Else
        existingAcessControlEntriesCount = accessControlList.Length
        Array.Resize(accessControlList, accessControlList.Length + 1)
    End If

As you can see above, I am using an ACL list and I extend it  so that I can then add the new ACL for the group I want to give permissions to.  I now wish to do the opposite and remove an entry from the accessControlList.

Now, I am convinced that if I were to remove one of the existing entries from this accessControlList before committing it back, that would remove a permission for an existing object but I don't know how to enumerate the accessControlList to find the entry I want to remove.

In pseudo-code, this is what I would like to do:

1. Retrieve the existing permissions on the Share (this is done and working as the accessControlList above)
2. Enumerate the accessControlList and find the entry I want to remove (either by name or some other reference)
3. Remove the entry from accessControlList
4. Do the rest of my code (which adds new permissions for other users and groups - this is done and working)
5. Save the entries back to the server with the new set of permissions (this is done and working)

Can someone help me to understand the accessControl, its contents and properties, and how I can find the value I'm looking for and remove it please?  Either C# or VB.NET code would be really helpful.

Thank you.

Paul
Commented:
I worked out how to do it.  The following function receives an accessControlList (an array of DACLs), iterates through and copies the permissions to a new array excluding the ones we don't want.

    Imports System.Management

    Function checkTrustees(accessControlList() As ManagementBaseObject) As ManagementBaseObject()
        'This function looks at each trustee permission in the accessControlList and compares the trustee name against the list
        'of those we wish to drop.  If the trustee name matches one that we want to drop then we skip over the item,
        'otherwise we copy all permissions to a new array.  What we end up with is an array of permissions that don't include the ones we wish to
        'drop.  This will be written back to the s

        'Two strings: one to hold the domain name retrieved from the trustee object and one to hold the name of the trustee
        Dim strDomainName As String = ""
        Dim strTrusteeName As String = ""
        'Start from an empty array rather than Nothing so the caller always gets an array back, even if every entry is dropped
        Dim newAccessControlList As ManagementBaseObject() = New ManagementBaseObject() {}

        'Nothing to filter if no list was passed in
        If accessControlList Is Nothing Then Return newAccessControlList

        For intCount As Integer = 0 To UBound(accessControlList)
            'Now iterate through the list of permissions and get the trustee name and domain name
            Dim trustee As ManagementBaseObject = CType(accessControlList(intCount).GetPropertyValue("Trustee"), ManagementBaseObject)
            'Convert.ToString returns an empty string if the Name value is missing
            strTrusteeName = Convert.ToString(trustee.Properties("Name").Value)

            'Get the domain name for this object (could be nothing if it's a well-known security principal such as Everyone)
            'Reset it first so a value from the previous entry is not carried over
            strDomainName = ""
            If trustee.Properties("Domain").Value IsNot Nothing Then
                strDomainName = trustee.Properties("Domain").Value.ToString()
            End If

            'Test to see if this trustee object is the one we want to get rid of (note, in this example I've hard-coded the name but in production this will be a list of groups or users that need to be removed)
            If strTrusteeName = "Everyone" Then
                'Do nothing
            Else
                'Resize the ACL array to hold one more entry
                Array.Resize(newAccessControlList, newAccessControlList.Length + 1)

                'Now copy the permissions for this object to the new array.  What we end up with is an array of permissions that don't include the ones that we want to drop
                newAccessControlList(newAccessControlList.Length - 1) = accessControlList(intCount)
            End If
        Next

        Return newAccessControlList
    End Function
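
An end-to-end version of steps 1, 2, 3 and 5 from the question, added here as an example and not part of the original posts: it matches the trustee by binary SID (the well-known Everyone SID) instead of by the display name, which is localized. `RemoveTrusteeFromShare`, `shareName` and `ExampleShare` are hypothetical names, and the caller is assumed to have rights to change the share's security.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Management
Imports System.Security.Principal

Module ShareAclExample
    ' Removes every ACE whose trustee SID equals sidToRemove from the share-level DACL
    ' (not the NTFS ACL) and returns the number of ACEs removed.
    Function RemoveTrusteeFromShare(shareName As String, sidToRemove As SecurityIdentifier) As Integer
        ' shareName is assumed to be a plain, trusted share name (hypothetical parameter)
        Using setting As New ManagementObject("Win32_LogicalShareSecuritySetting.Name='" & shareName & "'")
            Dim outParams As ManagementBaseObject = setting.InvokeMethod("GetSecurityDescriptor", Nothing, Nothing)
            If Convert.ToUInt32(outParams("ReturnValue")) <> 0UI Then
                Throw New InvalidOperationException("GetSecurityDescriptor failed: " & outParams("ReturnValue").ToString())
            End If

            Dim descriptor As ManagementBaseObject = CType(outParams("Descriptor"), ManagementBaseObject)
            Dim dacl As ManagementBaseObject() = TryCast(descriptor("DACL"), ManagementBaseObject())
            If dacl Is Nothing Then Return 0 ' no DACL returned: nothing to filter

            Dim kept As New List(Of ManagementBaseObject)
            For Each ace As ManagementBaseObject In dacl
                Dim trustee As ManagementBaseObject = CType(ace("Trustee"), ManagementBaseObject)
                Dim sidBytes As Byte() = TryCast(trustee("SID"), Byte())
                ' Compare binary SIDs: the Name property depends on the OS language
                If sidBytes IsNot Nothing AndAlso New SecurityIdentifier(sidBytes, 0).Equals(sidToRemove) Then Continue For
                kept.Add(ace)
            Next

            Dim removed As Integer = dacl.Length - kept.Count
            If removed = 0 Then Return 0 ' nothing matched, so leave the share untouched

            ' Always write back an array, never Nothing: a null DACL places no restriction on access
            descriptor("DACL") = kept.ToArray()
            Dim inParams As ManagementBaseObject = setting.GetMethodParameters("SetSecurityDescriptor")
            inParams("Descriptor") = descriptor
            Dim result As ManagementBaseObject = setting.InvokeMethod("SetSecurityDescriptor", inParams, Nothing)
            If Convert.ToUInt32(result("ReturnValue")) <> 0UI Then
                Throw New InvalidOperationException("SetSecurityDescriptor failed: " & result("ReturnValue").ToString())
            End If
            Return removed
        End Using
    End Function

    Sub Main()
        Dim everyone As New SecurityIdentifier(WellKnownSidType.WorldSid, Nothing)
        Console.WriteLine(RemoveTrusteeFromShare("ExampleShare", everyone))
    End Sub
End Module
```

If the matched entry was the only ACE, the array written back is empty, which denies share access to everyone until other entries are added.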
