You had me at "Hello World" : WMI

How to Give Authenticated Users or Everyone Access to Your Share Programmatically

HelloWorld — Mon, 13 Jul 2009 19:41:40 GMT

Another follow-up from my previous article, Programmatically Configuring Permissions on a Share, David B asked a question, how to share a folder to Everyone, instead of to a specific users. This article will answer that question, based on the code on my previous article.

That is an interesting question, since ‘Everyone’ can be replaced with ‘Authenticated Users’, ‘Network Service’, etc.

First, if you need only to give Everyone read-only access permission, the easiest thing is to set the DACL property of Win32_SecurityDescriptor to null. This is not equal with an array of null. An array of null will lock everyone out from this share.

ManagementObject secDescriptor = new ManagementClass(new ManagementPath("Win32_SecurityDescriptor"), null);
secDescriptor["ControlFlags"] = 4; //SE_DACL_PRESENT 
secDescriptor["DACL"] = null;

If you need to be more explicit, or you need to assign other security principal different access, that method above will not work. As soon as you assign someone access to the share, ‘Everyone’ will lose its read access.

To assign the permission explicitly, the key is to form the correct Win32_Trustee to represent that special account (Network Service, Everyone, Authenticated Users, etc.). Take a look at System.Security.Principal.WellKnownSidType enum. It has a number of well known sid that you might be interested with.

What needs to be done is to assign the SID property of the Win32_Trustee object with the security identifier derived from the well known sid.

Let assume you have this method:

private byte[] GetWellKnwonSid(WellKnownSidType SidType)
{
    SecurityIdentifier Result = new SecurityIdentifier(SidType, null);
    byte[] sidArray = new byte[Result.BinaryLength];
    Result.GetBinaryForm(sidArray, 0);

    return sidArray;
}

Then when Win32_Trustee object is created, assign the SID property as follow:

ManagementObject Trustee = new ManagementClass(new ManagementPath("Win32_Trustee"), null);
Trustee["SID"] = GetWellKnwonSid(WellKnownSidType.WorldSid);

That code above will create Win32_Trustee for ‘Everyone’. Use this Win32_Trustee to form the Win32_Ace, and you now explicitly assign ‘Everyone’ access to your share.

Editing Share Permission

HelloWorld — Tue, 22 Jul 2008 04:00:00 GMT

In my previous post, I have shown you how to set up permission on a share. The thing with Win32_Share, when you set the permission, you basically overwrites the existing permission.

If you want to edit permission on the share (grant a new user access to the share, or revoke an existing user's permission), then you have to get the security descriptor for that share, and modify it, and then call Win32_Share.SetShareInfo to set the share permission.

To get security descriptor of a share, you can use Win32_LogicalShareSecuritySetting class. Then update the security descriptor and set that security descriptor back to the share.

When calling ManagementObject.GetSecurityDescriptor, it will return a ManagementBaseObject instance, it has two properties, ReturnValue and Descriptor. ReturnValue is an integer value, that tells you whether the operation is successful or not. Look for the possible value here. The Descriptor property is an instance of SecurityDescriptor.

To summarize (for those who love bullet points):

Get the Win32_Ace instance for the new user.
Get the current security descriptor.
Get the DACL (Array of Win32_Ace) from the security descriptor.
Add the Win32_Ace for the new user into the Win32_Ace array.
Reassign the edited DACL back to the security descriptor.
Call Win32_Share.SetShareInfo to set the permission.

You can delete a particular user, or changing the existing permission, by modifying the DACL or SACL in the Security Descriptor.

This snippet below is just an example on how to read, modify and assign permission on a share, this code was derived from the example on my previous post.

//Create a new Win32_Ace instance. Please refer to my previous post about creating Win32_Ace.
NTAccount account = new NTAccount("contoso", "janedoe");
SecurityIdentifier sid = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
byte[] sidArray = new byte[sid.BinaryLength];
sid.GetBinaryForm(sidArray, 0);

ManagementObject Trustee = new ManagementClass(new ManagementPath("Win32_Trustee"), null);
Trustee["Domain"] = "contoso";
Trustee["Name"]   = "janedoe";
Trustee["SID"]   = sidArray; 

ManagementObject ACE = new ManagementClass(new ManagementPath("Win32_Ace"), null); 
ACE["AccessMask"] = 2032127; 
ACE["AceFlags"]   = 3; 
ACE["AceType"]    = 0; 
ACE["Trustee"]    = Trustee; 

//After we have the new Win_32Ace, now we need to get the existing Ace instances (DACL).
//Create an instance of Win32_LogicalSecuritySetting, set the path to the server and the share.
ManagementObject Win32LogicalSecuritySetting = new ManagementObject(@"\\ContosoServer\root\cimv2:Win32_LogicalShareSecuritySetting.Name='JohnShare'");

//Call the GetSecurityDescriptor method. This method returns one out parameter.
ManagementBaseObject Return = Win32LogicalSecuritySetting.InvokeMethod("GetSecurityDescriptor", null, null);
    
//The return value of that call above has two properties, ReturnValue, which you can use
//to read the status of the call (failed, success, etc.), and Descriptor, which is an instance
//of Win32_SecurityDescriptor.
Int32 ReturnValue = Convert.ToInt32(Return.Properties["ReturnValue"].Value);

if (ReturnValue != 0)
    throw new Exception(String.Format("Error when calling GetSecurityDescriptor. Error code : {0}.", ReturnValue));

//Retrieve the array of DACL from the Security Descriptor.
ManagementBaseObject SecurityDescriptor = Return.Properties["Descriptor"].Value as ManagementBaseObject;
ManagementBaseObject[] DACL = SecurityDescriptor["DACL"] as ManagementBaseObject[];

if (DACL == null)
    DACL = new ManagementBaseObject[] { ACE };
else
{
    Array.Resize(ref DACL, DACL.Length + 1);
    DACL[DACL.Length - 1] = ACE;
}

//Reassign the new DACL array with the new user Ace back to the Win32_SecurityDescriptor instance, and call the
//SetSecurityDescriptor method.
SecurityDescriptor["DACL"] = DACL;

ManagementObject Share = new ManagementObject(@"\\ContosoServer\root\cimv2:Win32_Share.Name='JohnShare'");
ReturnValue = Convert.ToInt32(Share.InvokeMethod("SetShareInfo", new object[] {Int32.MaxValue, "This is John's share", SecurityDescriptor})); 

if (ReturnValue != 0)
    throw new Exception(String.Format("Error when calling GetSecurityDescriptor. Error code : {0}.", ReturnValue));

Common AccessMask value when Configuring Share Permission Programmatically

HelloWorld — Tue, 10 Jun 2008 02:23:55 GMT

In my previous post, I have shown you how to modify share permission using .Net framework. Access Mask is quite granular, most likely you will need to assign a particular user as 'Full Control', 'Change', or 'Read'. In Vista or Server 2008, it will be 'Co-Owner', 'Contributor', or 'Reader'.

The literal values for those permissions are:

Full Control/Owner/Co-owner = 2032127

Read/Reader = 1179817

Change/Contributor = 1179817

I created an enum flag like this:

[Flags]
public enum AccessMaskEnum
{
    FILE_READ_DATA        = 0x000001,
    FILE_LIST_DIRECTORY   = 0x000001,
    FILE_WRITE_DATA       = 0x000002,
    FILE_ADD_FILE         = 0x000002,
    FILE_APPEND_DATA      = 0x000004,
    FILE_ADD_SUBDIRECTORY = 0x000004,
    FILE_READ_EA          = 0x000008,
    FILE_WRITE_EA         = 0x000010,
    FILE_EXECUTE          = 0x000020,
    FILE_TRAVERSE         = 0x000020,
    FILE_DELETE_CHILD     = 0x000040,
    FILE_READ_ATTRIBUTES  = 0x000080,
    FILE_WRITE_ATTRIBUTES = 0x000100,
    DELETE                = 0x010000,
    READ_CONTROL          = 0x020000,
    WRITE_DAC             = 0x040000,
    WRITE_OWNER           = 0x080000,
    SYNCHRONIZE           = 0x100000,
    OWNER                 = FILE_READ_DATA | FILE_LIST_DIRECTORY | FILE_WRITE_DATA |
                            FILE_ADD_FILE  | FILE_APPEND_DATA    | FILE_ADD_SUBDIRECTORY |
                            FILE_READ_EA   | FILE_WRITE_EA       | FILE_EXECUTE |
                            FILE_TRAVERSE  | FILE_DELETE_CHILD   | FILE_READ_ATTRIBUTES |
                            FILE_WRITE_ATTRIBUTES | DELETE       | READ_CONTROL | 
                            WRITE_DAC      | WRITE_OWNER         | SYNCHRONIZE,
    READ_ONLY             = FILE_READ_DATA | FILE_LIST_DIRECTORY | FILE_READ_EA |
                            FILE_EXECUTE   | FILE_TRAVERSE | FILE_READ_ATTRIBUTES |
                            READ_CONTROL   | SYNCHRONIZE, 
    CONTRIBUTOR           = OWNER & ~(FILE_DELETE_CHILD | WRITE_DAC | WRITE_OWNER)
}

You can assign this enum to the AccessMask property of Win32_Ace instance. For reference, take a look at this link.

I got those values by changing the permission using Windows Explorer and then reading the AccessMask, standard disclaimer apply, use it at your own risk. :)

Programmatically Configuring Permissions on a Share

HelloWorld — Fri, 06 Jun 2008 20:38:00 GMT

I was asked this problem on how to set up permission for a share programmatically using .Net Framework. Well, I am not aware of any API that can do that. Searching does not return any good result. There are lot of resources on how to configure permission settings for local folder, but not so much for UNC path. At the end, I dug msdn and had my solution, using WMI.

To setup a share, you need these information, the share that you want to setup (securable or trustee), whom you will give the permissions to the share (principal), what kind of permissions you want to give.

Using this scenario, you have a share \\ContosoServer\JohnShare, and you want John Doe (contoso\johndoe) to have full access to this share. The steps to configure the share permissions are as follow:

Create a WMI instance of the principal (Win32_Trustee).
//Getting the Sid value is not required for Vista.
NTAccount account = newNTAccount(Domain, UserName);
SecurityIdentifiersid = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
byte[] sidArray = new byte[sid.BinaryLength];
sid.GetBinaryForm(sidArray, 0);

ManagementObject Trustee = new ManagementClass(new ManagementPath("Win32_Trustee"), null);
Trustee["Domain"] = "contoso";
Trustee["Name"] = "johndoe";
Trustee["SID"] = sidArray;
Create a WMI instance of Win32_Ace, assign the Trustee to this Win32_Ace instance.
ManagementObject AdminACE = new ManagementClass(new ManagementPath("Win32_Ace"), null);
AdminACE["AccessMask"] = 2032127;
AdminACE["AceFlags"]   = 3;
AdminACE["AceType"]    = 0;
AdminACE["Trustee"]    = Trustee;

To know what values you need to put there, check msdn (link). I actually encourage you to write an enum flag to encapsulate those values.
In nut shell, 2032127 is for full access, Access Flags 3 is for non-container and container child objects to inherit the ACE, and Ace Type 0 is to allow the trustee to access it.
Create a WMI instance of the security descriptor (Win32_SecurityDescriptor)
ManagementObject secDescriptor = new ManagementClass(new ManagementPath("Win32_SecurityDescriptor"), null);
secDescriptor["ControlFlags"] = 4; //SE_DACL_PRESENT
secDescriptor["DACL"] = new object[] { AdminACE};
Now, create a WMI instance of Win32_Share, and setup the security.
ManagementObject share = new ManagementObject(@"\\ContosoServer\root\cimv2:Win32_Share.Name='JohnShare'");
share.InvokeMethod("SetShareInfo", new object[] {Int32.MaxValue, "This is John's share", secDescriptor});
Check the return value of the Invoke, the method returns an Object, convert it to Int32.

That code will overwrite the existing permission, so be careful. WMI stuff are available in System.Management assemblies.

For references, these are the links that you will be interested with, Win32_Trustee, Win32_ACE, Win32_SecurityDescriptor, and Win32_Share.

Update (6/9/2008)

I updated the first step with the code to assign Sid, thanks to David Smith for his email. With Windows Vista, you do not need to supply Sid. You can supply just the domain name and the user name, it will work. Using Server 2003, and most likely XP, you have to supply all three, user name, domain, and Sid.