将 AD 组的此“仅限文件夹”权限应用于文件夹

时间:2021-07-15 09:59:54

标签: c# directory permissions active-directory file-permissions

我在文件夹权限方面有点挣扎。

我想基本上将 AD 组添加到具有修改访问权限的文件夹中,然后对其进行限制。

问题是我不知道如何申请权限 “仅此文件夹”

目标是对主文件夹设置以下限制:

  • 拒绝删除子文件夹
  • 拒绝删除
  • 拒绝更改权限
  • 拒绝取得所有权

Here is a picture of the windows GUI

我找到了 AccessRule 类,但找不到有关如何使用 C# 执行此操作的任何详细信息

有人知道怎么做吗?

1 个答案:

答案 0 :(得分:0)

我找到了解决方案。 这是代码和信息:

//set params for all access sets
AccessControlType DenyAccess = AccessControlType.Deny;
AccessControlType AllowAccess = AccessControlType.Allow;
InheritanceFlags inheritFlag = InheritanceFlags.None;
InheritanceFlags inheritFlag2 = InheritanceFlags.ContainerInherit;
InheritanceFlags inheritFlag3 = InheritanceFlags.ObjectInherit;
PropagationFlags propagationFlags = PropagationFlags.None;
FileSystemRights access = FileSystemRights.ChangePermissions;
FileSystemRights access2 = FileSystemRights.Delete;
FileSystemRights access3 = FileSystemRights.TakeOwnership;
FileSystemRights access4 = FileSystemRights.DeleteSubdirectoriesAndFiles;
FileSystemRights ReadAccess = FileSystemRights.ReadAndExecute;
FileSystemRights ModifyAccess = FileSystemRights.Modify;

DirectoryInfo info = new DirectoryInfo(strPath);
DirectorySecurity security = info.GetAccessControl();

//set read right for group
NTAccount GroupRead = new NTAccount(StrDomain, strGroupRead);
security.AddAccessRule(new FileSystemAccessRule(GroupRead, ReadAccess, inheritFlag2, propagationFlags, AllowAccess));
security.AddAccessRule(new FileSystemAccessRule(GroupRead, ReadAccess, inheritFlag3, propagationFlags, AllowAccess));

//set Modify right for group
NTAccount GroupModify = new NTAccount(StrDomain, strGoupModify);
security.AddAccessRule(new FileSystemAccessRule(GroupModify, ModifyAccess, inheritFlag2, propagationFlags, AllowAccess));
security.AddAccessRule(new FileSystemAccessRule(GroupModify, ModifyAccess, inheritFlag3, propagationFlags, AllowAccess));

//set special right group
security.AddAccessRule(new FileSystemAccessRule(groupModify, access, inheritFlag, propagationFlags, DenyAccess)); //ChangePermission
security.AddAccessRule(new FileSystemAccessRule(groupModify, access2, inheritFlag, propagationFlags, DenyAccess)); //Delete
security.AddAccessRule(new FileSystemAccessRule(groupModify, access3, inheritFlag, propagationFlags, DenyAccess)); //Ownership
security.AddAccessRule(new FileSystemAccessRule(groupModify, access4, inheritFlag, propagationFlags, DenyAccess)); //Delete subfiles and folders

//add rights to folder
info.SetAccessControl(security);

这为您提供了一个包含读取和修改组的文件夹,修改组不能删除主文件夹,成员也不能对其拥有所有权或更改其权限。

干杯

相关问题
最新问题