Setting NTFS Permissions with C#

Today I needed to set NTFS permissions in C# on some newly created directories.

No problem I thought, the CLR will have something for it somewhere in Security, so I checked Google in the hopes to find which class to use.

But Google didn't find anything... This amazed me. "Why can't I control NTFS permissions with .NET ?!?"

After looking for an hour or so, I found a GotDotNet User Sample, called 'ACLs in .NET'. Finally I thought, now it's going to be plug in and set rights.

Well this library is great. It makes settings NTFS rights so easy.

But it lacks a bit in documentation. Therefore I'm providing some of the code I used with it, it could help you. (or it could show my possibly bad coding style, as far as my knowledge goes for know, it should be fine)

Reference the dll, and use it.

[csharp]using Microsoft.Win32.Security;[/csharp]

Here's a method to add a dir, and set NTFS permissions on it for a given user:

[csharp] private Boolean CreateDir(String strSitePath, String strUserName) { Boolean bOk;

   try {
          Directory.CreateDirectory(strSitePath);
          SecurityDescriptor secDesc = SecurityDescriptor.GetFileSecurity(strSitePath, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);
          Dacl dacl = secDesc.Dacl;
          Sid sidUser = new Sid (strUserName);

          // allow: folder, subfolder and files
          // modify
          dacl.AddAce (new AceAccessAllowed (sidUser, AccessType.GENERIC_WRITE | AccessType.GENERIC_READ | AccessType.DELETE | AccessType.GENERIC_EXECUTE , AceFlags.OBJECT_INHERIT_ACE | AceFlags.CONTAINER_INHERIT_ACE));

          // deny: this folder
          // write attribs
          // write extended attribs
          // delete
          // change permissions
          // take ownership
          DirectoryAccessType DAType = DirectoryAccessType.FILE_WRITE_ATTRIBUTES | DirectoryAccessType.FILE_WRITE_EA | DirectoryAccessType.DELETE | DirectoryAccessType.WRITE_OWNER | DirectoryAccessType.WRITE_DAC;
          AccessType AType = (AccessType)DAType;
          dacl.AddAce (new AceAccessDenied (sidUser, AType));

          secDesc.SetDacl(dacl);
          secDesc.SetFileSecurity(strSitePath, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);
          bOk = true;
   } catch {
          bOk = false;
   }

   return bOk;

} / CreateDir / [/csharp]

The AceFlags determine the level of inheritance on the object.

And the DirectoryAccessType is used to create a AccessType with some permissions not in the AccessType enum.

I hope this is useful.