How to programmatically set NTFS file system folder permissions by using Active Directory Service Interfaces in Microsoft Visual C#

This step-by-step article describes how to programmatically set NTFS file system folder permissions by using Active Directory Service Interfaces (ADSI) in Microsoft Visual C#.

Build the sample application

To run the following sample application, you must have the ADsSecurity.dll file and the ADsSecurity.dll file installed. These files are included with the software development kit (SDK) for Active Directory Service Interfaces 2.5. To download the SDK for Active Directory Service Interfaces 2.5, visit the following Microsoft Web site: Note To run the sample application, you must have administrative credentials on the computer.

To build the sample application, follow these steps:

1. Start Microsoft Visual Studio .NET or Microsoft Visual Studio 2005.
2. On the File menu, click New, and then click Project.
3. In Visual C# Projects, click Windows Application under Templates.
   
   Note In Visual Studio 2005, Visual C# Projects is changed to Visual C#.
4. In the Name box, type NTFSPermissions, and then click OK.
5. Add a Button control to the Form1 form.
6. On the Project menu, click Add Reference.
7. Click the COM tab, click to select the following items, and then click OK:
   • Active DS Type Library
   • ADsSecurity 2.5 Type Library
8. Right-click the Form1 form, and then click View Code.
9. Add the following using statements to the top of the source code in the Form1 form.

   using ADSSECURITYLib;
   using ActiveDs;

10. Add the following method to the Form1 class.

    public void SetPermissions(String vPath, String UserName )
    {
    	ADsSecurity objADsSec;
    	SecurityDescriptor objSecDes;
    	AccessControlList objDAcl;
    	AccessControlEntry objAce1;
    	AccessControlEntry objAce2;
    	Object objSIdHex;
    	ADsSID objSId;
    
    	objADsSec = new ADsSecurityClass();
    	objSecDes = (SecurityDescriptor) (objADsSec.GetSecurityDescriptor("FILE://" + vPath));
    	objDAcl = (AccessControlList)objSecDes.DiscretionaryAcl;
    	
    	objSId = new ADsSIDClass();
    	objSId.SetAs((int)ADSSECURITYLib.ADS_SID_FORMAT.ADS_SID_SAM, UserName.ToString());
    	objSIdHex = objSId.GetAs((int)ADSSECURITYLib.ADS_SID_FORMAT.ADS_SID_SDDL);
    
    	// Add a new access control entry (ACE) object (objAce) so that the user has Full Control permissions on NTFS file system files.
    	objAce1 = new AccessControlEntryClass();
    	objAce1.Trustee = (objSIdHex).ToString();
    	objAce1.AccessMask = (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_GENERIC_ALL;
    	objAce1.AceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
    	objAce1.AceFlags = (int)ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE | (int)ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ONLY_ACE | 1;
    	objDAcl.AddAce(objAce1);
    
    	// Add a new access control entry object (objAce) so that the user has Full Control permissions on NTFS file system folders.
    	objAce2 = new AccessControlEntryClass();
    	objAce2.Trustee = (objSIdHex).ToString();
    	objAce2.AccessMask =  (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_GENERIC_ALL;
    	objAce2.AceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;
    	objAce2.AceFlags = (int)ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE | 1;
    	objDAcl.AddAce(objAce2);
    
    	objSecDes.DiscretionaryAcl = objDAcl;
    
    	// Set permissions on the NTFS file system folder.
    	objADsSec.SetSecurityDescriptor(objSecDes,"FILE://" + vPath);
    
    }
    

11. Click the Form1.cs [Design] tab to switch back to design mode.
12. Double-click button1. Replace the button1_Click event code with the following code.

    private void button1_Click(object sender, System.EventArgs e)
    {
    	try 
    	{
    		// Set <Domain> to your domain name.
    		// Set <UserName> to the user account.
    		SetPermissions("C:\\Test", "<Domain>\\<UserName>");
    		MessageBox.Show("Full Access control granted.");
    	}
    	catch (Exception ex)
    	{
    		MessageBox.Show(ex.Message);
    	}
    }

    Note Replace <Domain> with the domain name. Replace <UserName> with the name of the user to whom you want to grant permissions.
13. On the Build menu, click Build Solution.

Test the sample application

1. Create a folder in the drive C root folder. Name the folder Test.
2. In Windows Explorer, right-click the Test folder, and then click Properties.
3. In the Test Properties dialog box, click the Security tab.
4. Select the domain account for which you are running this test. If the account is not listed, click Add, and then add the domain account to the list.
5. Under Permissions, click to clear the Full Control check box to restrict the permissions on the Test folder for this user. Then, click OK.
6. Run the NTFSPermission.exe application. By default, Form1 is displayed.
7. Click button1. You receive the following message:
   Full Access control granted.
8. Click OK to close the message box.
9. Close the form to quit the application.
10. In Windows Explorer, open the C:\ folder.
11. Right-click the Test folder, and then click Properties.
12. In the Test Properties dialog box, click the Security tab.
13. Select the domain account for which you are running this test, and then verify the permissions on the Test folder.

The specified user now has Full Control permissions on the Test folder.

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base: