1

I Want to assign permissions to only a single user to a folder in windows using C#, Other users should not be able to open or change the access rights of that folder.

for example if I have 3 users - UserA ,UserB and UserC in Users group. I want to give permission to access a folder only to UserA. If I deny access to users group and allow UserA, then deny permission will take precedence and access to UserA will also be denied.

one work around to this problem is by denying Userb and Userc ,and allowing UserA to access the folder . but this has a problem if after setting the permissions a user account creates then that new account will have permission to the folder. I don't want to have this scenario.

Thanks, Sujith

Sujith Kp
  • 1,075
  • 3
  • 14
  • 27

1 Answers1

6

The default permission for anyone not mentioned in the ACL is "no access" (An Empty DACL grants no access). So, prevent the folder inheriting security from its parent, and assign permissions to UserA only.

(Of course, this doesn't prevent an administrator from taking ownership and thereafter granting permissions for themselves. Nothing can prevent that)

E.g. to create a directory, called C:\FruitBat, that's only accessible to user DOMAIN\User1:

System.Security.AccessControl.DirectorySecurity dacl = new System.Security.AccessControl.DirectorySecurity();
dacl.AddAccessRule(new System.Security.AccessControl.FileSystemAccessRule(@"DOMAIN\User1",
    System.Security.AccessControl.FileSystemRights.FullControl,
    System.Security.AccessControl.InheritanceFlags.ContainerInherit |
    System.Security.AccessControl.InheritanceFlags.ObjectInherit,
    System.Security.AccessControl.PropagationFlags.None ,
    System.Security.AccessControl.AccessControlType.Allow));
System.IO.Directory.CreateDirectory(@"C:\FruitBat", dacl);
Damien_The_Unbeliever
  • 234,701
  • 27
  • 340
  • 448
  • So I want to set permission on e:\. here we are not inheriting anything. when I create new user account , that user account is getting access to this folder. which should not happen. is there anyway to deny access to e:\. I should give permission only to the user who "CREATED the Drive e:\" (I use SolFS to create new drive). Thanks. – Sujith Kp Sep 27 '11 at 07:46
  • @Sujith Kp - you can create a `DirectoryInfo` object on `E:`, create a `dacl` as in my example above, then you [`SetAccessControl`](http://msdn.microsoft.com/en-us/library/system.io.directoryinfo.setaccesscontrol.aspx) – Damien_The_Unbeliever Sep 27 '11 at 07:50
  • thanx,you shake me! – Mohsen.Sharify Nov 03 '16 at 06:13