2

I am writing a class library using C# and .NET 4 that interacts with the filesystem on a shared server over the network. I am trying to adjust some permissions on a folder and I am perfectly capable to add ACEs, but I am struggling to remove them.

This is the code I have so far:

//get ACEs for the working folder.
DirectorySecurity disec = m_diWork.GetAccessControl();

//find out if the account we want to remove is inherited from a parent folder.
bool bIsAccountInherited = disec.GetAccessRules(false, true, typeof(NTAccount)).Cast<AuthorizationRule>().Any(ar => ar.IdentityReference.Value.Equals(act.Value, StringComparison.CurrentCultureIgnoreCase));
if (bIsAccountInherited)
{
    //if so, remove inheritance of ACEs but preserve existing ones.
    disec.SetAccessRuleProtection(true, true);
}

//remove all access to this account.
disec.PurgeAccessRules(act);

//commit changes to working folder.
m_diWork.SetAccessControl(disec);

The variable act is of type NTAccount and refers to a domain user.

The code runs without exceptions or any apparent issues, and the permissions of the target folder are correctly changed to non-inheriting. However, no ACEs are removed at all.

I have tried several different combinations of method calls, also using RemoveAccessRuleAll(), to no avail. What am I doing wrong? Thanks.

CesarGon
  • 15,099
  • 6
  • 57
  • 85
  • check http://stackoverflow.com/questions/1445388/remove-all-directory-permissions – NoviceProgrammer Mar 19 '14 at 18:31
  • @NoviceProgrammer: Thanks, but I am well past that. I know the theory. :-) – CesarGon Mar 19 '14 at 19:00
  • @CesarGon Shouldn't disec.SetAccessRuleProtection(true, true); be disec.SetAccessRuleProtection(true, false); – Brian Mar 20 '14 at 01:36
  • @Brian: No, because I want to preserve (i.e. copy) whatever ACLs the folder is inheriting once I remove the inheritance flag. – CesarGon Mar 20 '14 at 02:40
  • We don't know nearly enough about *act*. Watch out for a domain account and a local machine account having the same name. – Hans Passant Mar 23 '14 at 11:55
  • @HansPassant: I have edited my question now to clarify this. Thanks. – CesarGon Mar 23 '14 at 13:05
  • Well, that's merely what I warned you about, what if it is not the domain user account? You still didn't clarify how you got the *act* object. If you use the simple NTAccount(name) constructor then you are liable to get the local account object. Try NTAccount(domainName, accountName) instead. – Hans Passant Mar 23 '14 at 14:41
  • @HansPassant: I use the `NTAccount(domainName, accountName)` constructor. I have checked. – CesarGon Mar 23 '14 at 16:13

1 Answers1

1

The problem lays in the fact that you are trying to remove inherited access rights what is not allowed. It happens because it is not enough to call SetAccessRuleProtection(true, true). The changes will take effect only when you call SetAccessControl afterwards. In other words you cannot remove inheritance of access rights and modify them in the one shot. It must be done in 2 stages i.e.:

  1. disec.SetAccessRuleProtection(true, true);
  2. m_diWork.SetAccessControl(disec);
  3. disec = m_diWork.GetAccessControl()
  4. disec.PurgeAccessRules(act);
  5. m_diWork.SetAccessControl(disec);

It is not obvious and it doesn't help that PurgeAccessRules doesn't inform about problems with removing access rights.

Michał Komorowski
  • 6,198
  • 1
  • 20
  • 24
  • This worked, so many thanks. I wasted so much time and found the two-step process that you describe documented nowhere! – CesarGon Mar 24 '14 at 12:42