Microsoft KB Archive/818362

= How to programmatically set NTFS file system folder permissions by using ADSI in Microsoft Visual Basic .NET =

PSS ID Number: 818362

Article Last Modified on 5/20/2005


The information in this article applies to:


 * Microsoft Visual Basic .NET (2003)
 * Microsoft Visual Basic .NET (2002)




Content Maintenance:7524

IN THIS TASK

 * Summary
 * Build the Sample
 * Test the Sample
 * References



SUMMARY
This step-by-step article describes how to programmatically set NTFS file system folder permissions by using Active Directory Service Interfaces (ADSI) in Microsoft Visual Basic .NET.


Build the Sample
To run the following sample, you must have ADsSecurity.dll. ADsSecurity.dll is part of the Active Directory Service Interfaces (ADSI) software development kit (SDK) 2.5. To download ADSI SDK 2.5, visit the following Microsoft Web site:

http://www.microsoft.com/ntserver/nts/downloads/other/ADSI25/default.asp

You must have administrative credentials on the computer to execute this sample.

 * 1) Start Microsoft Visual Studio .NET.
 * 2) On the File menu, click New, and then click Project.
 * 3) In Visual Basic Projects, click Windows Application under Templates.
 * 4) Change the application name to NTFSPermissions. Click OK. By default, Form1 is created.
 * 5) Drag a Button control from the toolbox to Form1.
 * 6) On the Project menu, click Add Reference.
 * 7) Click the COM tab, and then choose the following items:
   * Active DS Type Library
   * ADsSecurity 2.5 Type Library
 * 8) Click OK.
 * 9) Right-click Form1, and then click View Code.
 * 10) Add the following code at the top of Form1.vb:

    Imports ADSSECURITYLib
    Imports ActiveDs

 * 11) Add the following code to the Form1 class:

    ' Set the Permissions for the user account.
    Sub SetPermissions(ByRef vPath As String, ByVal UserName As String)
        Dim objADsSec As ADsSecurity
        Dim objSecDes As SecurityDescriptor
        Dim objDAcl As AccessControlList
        Dim objAce As Object
        Dim objAce1 As AccessControlEntry
        Dim objAce2 As AccessControlEntry
        Dim objSId As ADsSID
        Dim objSIdHex As Object

        ' Read the folder's current security descriptor and its discretionary ACL.
        objADsSec = New ADsSecurity
        objSecDes = CType(objADsSec.GetSecurityDescriptor("FILE://" & vPath), SecurityDescriptor)
        objDAcl = CType(objSecDes.DiscretionaryAcl, AccessControlList)

        ' Convert the account name (Domain\UserName) to its SID in SDDL string form.
        objSId = New ADsSID
        objSId.SetAs(ADSSECURITYLib.ADS_SID_FORMAT.ADS_SID_SAM, CStr(UserName))
        objSIdHex = objSId.GetAs(ADSSECURITYLib.ADS_SID_FORMAT.ADS_SID_SDDL)

        ' Add a new objAce so that the User has Full Control on NTFS Files.
        ' The literal 1 is the Windows OBJECT_INHERIT_ACE flag (files inherit the ACE).
        objAce1 = New AccessControlEntry
        objAce1.Trustee = CStr(objSIdHex)
        objAce1.AccessMask = ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_GENERIC_ALL
        objAce1.AceType = ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED
        objAce1.AceFlags = ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE Or ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ONLY_ACE Or 1
        objDAcl.AddAce(objAce1)

        ' Add a new objAce so that the User has Full Control on NTFS Folders.
        objAce2 = New AccessControlEntry
        objAce2.Trustee = CStr(objSIdHex)
        objAce2.AccessMask = ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_GENERIC_ALL
        objAce2.AceType = ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED
        objAce2.AceFlags = ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE Or 1
        objDAcl.AddAce(objAce2)

        objSecDes.DiscretionaryAcl = objDAcl
        ' Set Permissions on the NTFS folder.
        objADsSec.SetSecurityDescriptor(objSecDes)
    End Sub

    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        Try
            SetPermissions("C:\test", "Domain\UserName")
            MsgBox("Full Access control granted.")
        Catch ex As Exception
            MessageBox.Show(ex.Message)
        End Try
    End Sub

Note Replace Domain with the domain name. Replace UserName with the name of the user who you want to grant permissions to.

 * 12) On the Build menu, click Build Solution. NTFSPermission.Exe is created.
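The AceFlags arithmetic in SetPermissions decides where the Full Control grant lands, which is easy to misread from the enum names alone. The following Python sketch is an added example, not code from the original article: it decodes the two flag combinations the sample uses and reports ACEs that another ACE already covers. The helper names and the trustee SID are constructed for illustration, and inheritance depth is modeled only through the no-propagate flag.

```python
# Added example: scope and overlap of the two ACEs that SetPermissions builds.
OBJECT_INHERIT = 0x1        # the bare "Or 1" in the sample: files inherit
CONTAINER_INHERIT = 0x2     # ADS_ACEFLAG_INHERIT_ACE: subfolders inherit
NO_PROPAGATE = 0x4          # inheritance stops after one level
INHERIT_ONLY = 0x8          # ADS_ACEFLAG_INHERIT_ONLY_ACE: skip the folder itself
GENERIC_ALL = 0x10000000    # ADS_RIGHT_GENERIC_ALL
FILE_ALL_ACCESS = 0x1F01FF  # what GENERIC_ALL maps to on files and folders
ALLOWED = 0                 # ADS_ACETYPE_ACCESS_ALLOWED

def scope(flags):
    """Object kinds an ACE placed on a folder applies to."""
    kinds = set()
    if not flags & INHERIT_ONLY:
        kinds.add("this folder")
    if flags & CONTAINER_INHERIT:
        kinds.add("subfolders")
    if flags & OBJECT_INHERIT:
        kinds.add("files")
    return kinds

def rights(mask):
    """Expand GENERIC_ALL so masks can be compared bit by bit."""
    return FILE_ALL_ACCESS if mask & GENERIC_ALL else mask

def covers(b, a):
    """True if ACE b grants everything ACE a grants, everywhere a applies."""
    return ((b["trustee"], b["type"]) == (a["trustee"], a["type"])
            and rights(a["mask"]) & ~rights(b["mask"]) == 0
            and scope(a["flags"]) <= scope(b["flags"])
            and (not b["flags"] & NO_PROPAGATE or bool(a["flags"] & NO_PROPAGATE)))

def redundant(aces):
    """Indexes of ACEs that another ACE in the list already covers."""
    found = []
    for i, a in enumerate(aces):
        for j, b in enumerate(aces):
            # For exact duplicates keep the first copy and report the later ones.
            if i != j and covers(b, a) and (not covers(a, b) or j < i):
                found.append(i)
                break
    return found

SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed placeholder
ace1 = {"trustee": SID, "type": ALLOWED, "mask": GENERIC_ALL, "flags": 2 | 8 | 1}
ace2 = {"trustee": SID, "type": ALLOWED, "mask": GENERIC_ALL, "flags": 2 | 1}

if __name__ == "__main__":
    print([sorted(scope(a["flags"])) for a in (ace1, ace2)])
    print(redundant([ace1, ace2]), redundant([ace1, ace2] * 2))
```

With the sample's values, objAce1 (subfolders and files only) is fully covered by objAce2 (this folder, subfolders and files). The doubled list is constructed input that models the same two ACEs being present twice.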


Test the Sample

 * 1) Create a folder on the drive C root directory, and name the folder Test.
 * 2) Right-click the Test folder, and then click Properties.
 * 3) In the Properties window, click the Security tab.
 * 4) Choose the domain account for which you are running this test. If the account is not listed, click Add, and then add the domain account to the list.
 * 5) Under Permissions, click to clear the Full Control check box to restrict the permissions on the folder for this user.
 * 6) Click OK to close the dialog box.
 * 7) Run NTFSPermission.Exe. By default, Form1 is displayed.
 * 8) Click the button. You should receive the following message: Full Access control granted.
 * 9) Click OK to close the message.
 * 10) Close the form to terminate the application.
 * 11) In Windows Explorer, browse to the C:\ folder.
 * 12) Right-click the Test folder, and then click Properties.
 * 13) In the Properties window, click the Security tab.
 * 14) Choose the domain account for which you are running this test, and then verify the permissions on the Test folder.

The specified user has Full Control permission on the specified folder.


<div class="references_section">