Discussion:
File System Permissions Question
David White
2009-10-27 19:50:01 UTC
Hello and pardon the cross-post but I am not really sure where the best
place is to ask about this... I am a programmer not an admin but I am
being asked to write a little routine that has admin implications.

The routine will create a complex directory tree (to support new
consulting projects) on a mapped drive located on a Windows File Server
(not sure exactly which OS as yet). Once created, the routine then needs
to control access at various levels in the directory tree to various
groups of users.

At first glance, it appears that there are at least 2 general approaches
I can take to accomplish the access control portion of the process:

(a) Use CACLS or XCACLS (or some similar API, unknown to me at this
time, but which I assume exists) to set the NTFS file system permissions.

(b) Use the Group Policy Editor (or some similar API, unknown to me at
this time, but which I assume exists) to accomplish the same - or
similar - results.

Perhaps both are really just two different interfaces to the same thing, it
is not clear to me. If they are indeed different, is there some best
practice which relates to a case like this? Any pointers to APIs,
PowerShell cmdlets, or scriptable objects for this sort of thing are
appreciated.

Thanks
Old Rookie
2009-10-27 21:44:15 UTC
I have never done anything that complex myself but there is another utility
called fileacl that you may also look into for your project. I have not
tried the latest versions but it is much more powerful than CACLS or XCACLS.
It is available free at the link below.

http://www.gbordier.com/gbtools/fileacl.asp

Steve
David White
2009-10-27 23:31:32 UTC
Thanks Steve. Interesting indeed!
Florian Frommherz [MVP]
2009-10-27 22:15:38 UTC
David,
Post by David White
(a) Use CACLS or XCACLS (or some similar API, unknown to me at this
time, but which I assume exists) to set the NTFS file system permissions.
(b) Use the Group Policy Editor (or some similar API, unknown to me at
this time, but which I assume exists) to accomplish the same - or
similar - results.
From my limited programming knowledge, I'd probably go with option (a)
- having a local GPO configured programmatically is afaik pretty painful
compared to the effort you'd have to put into one of the pre-defined
tools in (a).

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
David White
2009-10-27 23:34:05 UTC
Thanks. As someone not well versed in Group Policies, I am in complete
agreement. But I do want to conform to best practices, if any exist.
Gerry Hickman
2009-11-02 23:14:07 UTC
Hi,

You may want to check out my thread here (beware word wrap).

http://groups.google.com/group/microsoft.public.platformsdk.security/browse_thread/thread/5204736623c71a84

It has a lot of information about shortcomings of the various Tools and
APIs and differences between Microsoft o/s and local vs remote. You
won't find this info in the official docs. There's a new twist with
Windows 7 too.

Creating a folder structure programmatically is not that difficult once
you understand all the issues above. I don't think GP will help you. The
APIs you choose will really depend on the rest of your app. Beware the
clowns who try to work with FileSystem permissions over SMB.
--
Gerry Hickman (London UK)
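
Option (a) from the thread, sketched with the Get-Acl/Set-Acl cmdlets and the .NET FileSystemAccessRule class. This is an added example, not code from any poster: the root path, folder names and CONTOSO\... groups are placeholders, and it assumes an elevated session on the file server itself, working on a local path rather than the mapped drive.

```powershell
# Added example. Root path, folder layout and group names are hypothetical.
$Root = 'D:\Projects\Project-0001'   # local path on the file server (assumed)

# Relative folder -> explicit grants for that level. '' is the project root.
# Assumes the Finance and Audit groups are also members of the Team group,
# so their members can browse down from the root.
$Layout = [ordered]@{
    ''                = @(@{ Id = 'CONTOSO\Proj-0001-Team';    Rights = 'ReadAndExecute' })
    'Deliverables'    = @(@{ Id = 'CONTOSO\Proj-0001-Team';    Rights = 'Modify' })
    'Finance'         = @(@{ Id = 'CONTOSO\Proj-0001-Finance'; Rights = 'Modify' },
                          @{ Id = 'CONTOSO\Proj-0001-Audit';   Rights = 'ReadAndExecute' })
    'Finance\Payroll' = @(@{ Id = 'CONTOSO\Proj-0001-Finance'; Rights = 'Modify' })
}

$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$Allow     = [System.Security.AccessControl.AccessControlType]::Allow

function New-Rule([string]$Identity, [string]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, [System.Security.AccessControl.FileSystemRights]$Rights,
        $Inherit, $Propagate, $Allow)
}

foreach ($rel in $Layout.Keys) {
    $path = if ($rel) { Join-Path $Root $rel } else { $Root }
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    $acl = Get-Acl -LiteralPath $path
    # Block inheritance and drop inherited entries, so every level carries
    # only the grants listed for it (Payroll does not pick up Audit's read).
    $acl.SetAccessRuleProtection($true, $false)
    # Clear explicit entries from an earlier run so re-applying is idempotent.
    $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }

    $acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl'))
    foreach ($g in $Layout[$rel]) { $acl.AddAccessRule((New-Rule $g.Id $g.Rights)) }

    Set-Acl -LiteralPath $path -AclObject $acl
}

# Check the result: list the entries that ended up on each folder.
Get-ChildItem -LiteralPath $Root -Recurse -Directory | ForEach-Object {
    $_.FullName
    (Get-Acl -LiteralPath $_.FullName).Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

Keeping the grants in one table makes the intended access at each level reviewable before anything is applied, and the final listing shows whether any folder still carries inherited entries.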