Microsoft KB Archive/240176

= HOWTO: Set Security on a NTFS Folder Programmatically =

Q240176


The information in this article applies to:


 * Microsoft Visual Basic Learning Edition for Windows, versions 5.0, 6.0, on the operating system: Microsoft Windows NT
 * Microsoft Visual Basic Professional Edition for Windows, versions 5.0, 6.0, on the operating system: Microsoft Windows NT
 * Microsoft Visual Basic Enterprise Edition for Windows, versions 5.0, 6.0, on the operating system: Microsoft Windows NT


SUMMARY
This article describes how to set security on a folder using security APIs from Visual Basic. The folder needs to be created on an NTFS partition and you need to be a member of the Administrators group. You also need to have read/write permission (READ_CONTROL and WRITE_DAC).

This is a modification to the code described in the article Q194757 "HOWTO: Add an Access-Allowed ACE to a File Through Visual Basic".

MORE INFORMATION
All objects in Microsoft Windows NT have security attributes that are described by a Security Descriptor. The Security Descriptor contains information about who owns the object and who has access to the object. It contains an Access Control List (ACL) specifying the permissions for users and groups on the object. There are two types of ACLs: discretionary and system. The discretionary ACL (DACL) is controlled by the owner of the object. The DACL contains an entry for each user, global group, or local group given access permission to the object. Each entry in the list is an Access Control Entry (ACE).

An ACE contains an ACE_HEADER structure, along with the access permission for that ACE type and the Security Identifier (SID). The ACE_HEADER defines the type of ACE (ACCESS_ALLOWED_ACE_TYPE or ACCESS_DENIED_ACE_TYPE), the size of the ACE, and the control flags for the ACE. The access permissions determine the type of permission (that is, read, write, and so on) that the user or group has.

The process below describes how to modify the DACL for a directory. This requires adding two ACEs: one ACE for the directory itself and any subdirectories, and another ACE for any files in the directory.
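The two-ACE layout described above, shown at the byte level as an added Python example (not the article's Visual Basic code). The inheritance flags chosen for each ACE, the generic-rights masks used for Add & Read and Change, and the sample SID are assumptions made for illustration.

```python
import struct

# Constants from winnt.h
ACCESS_ALLOWED_ACE_TYPE, ACL_REVISION = 0x00, 2
OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE = 0x01, 0x02, 0x08
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE = 0x80000000, 0x40000000, 0x20000000
DELETE = 0x00010000

# Assumed masks as (directory mask, file mask); not taken from the article.
ADD_READ = (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE, GENERIC_READ | GENERIC_EXECUTE)
CHANGE = (ADD_READ[0] | DELETE, ADD_READ[0] | DELETE)
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed

def sid_to_bytes(sid):
    """Pack 'S-R-A-S1-S2...' into the binary SID layout."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a string SID: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    head = struct.pack("<BB", int(parts[1]), len(subs))
    # The identifier authority is 6 bytes big-endian; sub-authorities are little-endian.
    return head + int(parts[2]).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def allowed_ace(flags, mask, sid):
    """ACE_HEADER (type, flags, size) followed by the access mask and the SID."""
    body = struct.pack("<I", mask) + sid
    return struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, flags, 4 + len(body)) + body

def folder_aces(sid, dir_mask, file_mask):
    # ACE 1: the directory itself and its subdirectories.
    # ACE 2: inherited by files only; INHERIT_ONLY keeps it off the directory.
    return [allowed_ace(CONTAINER_INHERIT_ACE, dir_mask, sid),
            allowed_ace(OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE, file_mask, sid)]

def build_acl(aces):
    body = b"".join(aces)
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2 (8 bytes)
    return struct.pack("<BBHHH", ACL_REVISION, 0, 8 + len(body), len(aces), 0) + body

def parse_acl(acl):
    """Return (type, flags, mask, sid_bytes) per ACE, validating the size fields."""
    _, _, size, count, _ = struct.unpack_from("<BBHHH", acl, 0)
    if size != len(acl):
        raise ValueError("AclSize does not match buffer length")
    out, off = [], 8
    for _ in range(count):
        ace_type, flags, ace_size = struct.unpack_from("<BBH", acl, off)
        if ace_size < 8 or off + ace_size > len(acl):
            raise ValueError("bad AceSize at offset %d" % off)
        (mask,) = struct.unpack_from("<I", acl, off + 4)
        out.append((ace_type, flags, mask, acl[off + 8:off + ace_size]))
        off += ace_size
    return out
```
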

Note

 * The following code changes permissions on a folder to Add & Read or Change.
 * The folder needs to be created on an NTFS partition.
 * You need to be an Administrator on the machine in question and have read/write (READ_CONTROL and WRITE_DAC) access to the file or directory.

Steps to Reproduce Behavior

 * 1) Create a Standard EXE project in Visual Basic. Form1 is created by default.
 * 2) Add two Textboxes (Text1 and Text2) and two CommandButtons (Command1 and Command2) to Form1.
 * 3) Add the following code to the General Declarations of Form1.
 * 4) Add a Module (Module1) to the project and add the following code to General Declarations.
 * 5) Run the application.
 * 6) In the Text1 TextBox, enter the name of the folder you want to change permissions on. (D:\test is entered by default.) In the Text2 TextBox, enter the name of the user you want to give these permissions to.
 * 7) Click the Add & Read permissions button to give Add & Read permissions to the folder, or click the Change Permissions button to give Change permissions to the folder.
 * 8) To check the permissions on the folder, right-click the folder in Explorer. Select the Properties menu item, and click the Security tab of the Properties dialog box. On the Security tab, click the Permissions button. The specific account should say Add & Read or Change depending on which button you clicked in the preceding sample.

Again, the folder needs to be created on an NTFS partition, and you need to be an Administrator on the computer in question and have read/write (READ_CONTROL and WRITE_DAC) access to the file or directory.