
I am trying to set a user's permission on a folder, but when I run the program I get the error: "Some or all identity references could not be translated."

Here is the code that I am using:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.IO;
using System.Security;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Management;
using System.Management.Instrumentation;

namespace FolderLock
{
    /// <summary>
    /// Form that adds a Deny/Read access rule to a fixed folder while it is being constructed.
    /// </summary>
    public partial class Lock : Form
    {
        /// <summary>
        /// Creates the designer-generated controls and then changes the folder ACL.
        /// </summary>
        public Lock()
        {
            InitializeComponent();

            // The ACL change runs from the constructor, so an exception thrown by
            // SetAccess surfaces while the form is still being created.
            SetAccess();
        }

        /// <summary>
        /// Load event handler; currently does nothing.
        /// </summary>
        private void Lock_Load(object sender, EventArgs e)
        {
        }

        /// <summary>
        /// Adds a rule denying <see cref="FileSystemRights.Read"/> on the Test folder to the
        /// account "92111092" in the current user's domain, then writes the ACL back.
        /// </summary>
        public void SetAccess()
        {
            var targetFolder = new DirectoryInfo("C:/Users/Trov/Desktop/Test");
            var folderSecurity = targetFolder.GetAccessControl();

            // DOMAIN\name form of the account the rule is written for.
            string account = string.Concat(Environment.UserDomainName, "\\", "92111092");

            // This is the statement that fails with "Some or all identity references could
            // not be translated" (IdentityNotMappedException) when the account name cannot
            // be mapped to a known identity on the machine running the program.
            folderSecurity.AddAccessRule(
                new FileSystemAccessRule(
                    account,
                    FileSystemRights.Read,
                    AccessControlType.Deny));

            targetFolder.SetAccessControl(folderSecurity);
        }
    }
}
Kaoru
  • Which line is failing? – JWP Nov 12 '14 at 17:09
  • this line sir: `myDirectorySecurity.AddAccessRule(new FileSystemAccessRule(User, FileSystemRights.Read, AccessControlType.Deny));` – Kaoru Nov 12 '14 at 17:10
  • Does the account you are trying to set access for actually exist? The error message is actually an IdentityNotMappedException which "Represents an exception for a principal whose identity could not be mapped to a known identity". I get it when I try to use account named "92111092" and get no exception when using a real account name. – Stephen Kennedy Nov 12 '14 at 18:37
  • Yes, you are correct sir: when I use an account name that actually exists on my computer, it works. But what if I install this program on computer A (which has a user account named "92111092") and also on computer B (which does not have a user account named "92111092")? I want the "Test" folder on computer B to be inaccessible as well, using "92111092" even though that account does not exist on computer B. Thank you. – Kaoru Nov 13 '14 at 05:43
  • You can't set up ACLs for an account which doesn't exist; however, you can set ACLs that will deny access for all users by default, and then add ALLOW ACLs for the specific users who should have access. – jpaugh Aug 02 '17 at 17:12

2 Answers


I found a way: instead of allowing or denying access to the folder for a specific user, I use the well-known Authenticated Users identity and deny or allow folder access for it.

Here is the code:

/// <summary>
/// Adds a rule denying <see cref="FileSystemRights.Read"/> on the Test folder to the
/// well-known Authenticated Users SID, writes the ACL back, then hides and closes the form.
/// </summary>
/// <remarks>
/// NOTE(review): Authenticated Users is a broad group. It normally includes the account
/// running this program and administrators, so the Deny entry applies to them as well.
/// An explicit Deny entry takes precedence over Allow entries on the same folder, so adding
/// Allow rules for individual users afterwards does not restore read access. Keep a way to
/// remove the rule again, for example <c>RemoveAccessRule</c> run by the owner.
/// The three-argument <see cref="FileSystemAccessRule"/> constructor sets no inheritance
/// flags, so the rule is placed on the folder object only. Confirm whether the files and
/// subfolders inside need their own protection.
/// </remarks>
public void SetAccess()
{
    DirectoryInfo targetFolder = new DirectoryInfo(@"C:/Users/Trov/Desktop/Test");

    // A well-known SID is built from a constant, not from an account name, so it does
    // not depend on a particular user account existing on the machine.
    SecurityIdentifier authenticatedUsers =
        new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null);

    DirectorySecurity folderSecurity = targetFolder.GetAccessControl();

    FileSystemAccessRule denyRead = new FileSystemAccessRule(
        authenticatedUsers,
        FileSystemRights.Read,
        AccessControlType.Deny);
    folderSecurity.AddAccessRule(denyRead);

    targetFolder.SetAccessControl(folderSecurity);

    // The form has done its only job; take it off screen and dispose of it.
    Hide();
    Close();
}

Thank you

Kaoru

I got this error when I reused code that was written to apply group security, but passed it a user instead. Here is what I did:

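' Example call.
' This call is made in the same domain as the users that need to be added.
' user1 and user2 are account-name strings supplied by the caller.
ApplyUserSecurity({user1, user2}.ToList(), "C:\temp", FileSystemRights.Modify)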


'Method called
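''' <summary>
''' Grants each listed account the given rights on a folder and its contents, skipping
''' accounts that already have an entry in the folder's access list.
''' </summary>
''' <param name="identities">Account names to grant access to; Nothing is treated as an empty list.</param>
''' <param name="path">Folder whose access list is updated.</param>
''' <param name="accessType">Rights placed in the Allow rules that are added.</param>
''' <remarks>
''' NOTE(review): an account is skipped when any existing entry names it, whether Allow or
''' Deny, inherited or explicit, and whatever rights it carries. The existing entry may
''' therefore not grant <paramref name="accessType"/>. An account name that cannot be
''' resolved is expected to fail with "Some or all identity references could not be
''' translated"; confirm the names exist in the domain this runs in.
''' </remarks>
Private Sub ApplyUserSecurity(identities As List(Of String), path As String, accessType As FileSystemRights)
    ' Nothing to grant: leave the folder untouched.
    If identities Is Nothing Then
        Return
    End If

    Dim dirInfo As New DirectoryInfo(path)

    ' Only the access rules (DACL) are read and changed here. Asking for
    ' AccessControlSections.All also requests the audit list, which needs a privilege
    ' that ordinary processes do not hold.
    Dim dirSec As DirectorySecurity = dirInfo.GetAccessControl(AccessControlSections.Access)

    ' Explicit and inherited rules, with identities expressed as account names.
    Dim acls = dirSec.GetAccessRules(True, True, GetType(Security.Principal.NTAccount))

    Dim applyChanges As Boolean = False
    For Each identity As String In identities
        Dim identityFound As Boolean = False
        For Each acl As FileSystemAccessRule In acls
            ' Windows account names are not case-sensitive, so compare them that way;
            ' otherwise "DOMAIN\user" and "domain\User" would get duplicate rules.
            If String.Equals(identity, acl.IdentityReference.Value, System.StringComparison.OrdinalIgnoreCase) Then
                identityFound = True
                Exit For
            End If
        Next

        If Not identityFound Then
            ' First rule: the folder itself (no inheritance flags).
            dirSec.AddAccessRule(New FileSystemAccessRule(identity, accessType, AccessControlType.Allow))
            ' Second rule: subfolders and files only (InheritOnly leaves the folder itself out).
            dirSec.AddAccessRule(New FileSystemAccessRule(identity, accessType, InheritanceFlags.ContainerInherit Or InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow))
            applyChanges = True
        End If
    Next

    ' Write the access list back once, and only when something was added.
    If applyChanges Then
        dirInfo.SetAccessControl(dirSec)
    End If
End Sub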

And here is how I apply security (Modify) for a group.

' Grant Modify on C:\temp to a group, but only when the folder exists.
' folderInfo and folderAcl are declared outside this snippet.
If Directory.Exists("C:\temp") Then
    folderInfo = New IO.DirectoryInfo("C:\temp")
    folderAcl = folderInfo.GetAccessControl()

    ' Inherited by subfolders and files; with PropagationFlags.None the rule also
    ' applies to the folder itself.
    Dim inheritToChildren As InheritanceFlags = InheritanceFlags.ContainerInherit Or InheritanceFlags.ObjectInherit
    Dim groupModifyRule As New FileSystemAccessRule("domain\groupName", FileSystemRights.Modify, inheritToChildren, PropagationFlags.None, AccessControlType.Allow)
    folderAcl.AddAccessRule(groupModifyRule)

    folderInfo.SetAccessControl(folderAcl)
End If
Sophie