This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 32%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPS%3C/text%3E%3C/svg%3E)
I want to implement a C++ program that removes the "Write" permission alone for a user trustee with "Full Control" permission over a folder on a Windows NTFS drive.
I tried to use the SetEntriesInAcl() function from the aclapi.h API,
but I failed to do so because "REVOKE_ACCESS" AccessMode removed the trustee itself.
I want to remove Write access (that is, I do not want to set a deny or allow access type). Please help me achieve this.
Note: I also tried the below method, which I do not want. Since it is not the correct solution for my needs.
I used "SET_ACCESS" as grfAccessMode, "GENERIC_READ | GENERIC_EXECUTE" as grfAccessPermissions and "SUB_CONTAINERS_AND_OBJECTS_INHERIT" as grfInheritance in EXPLICIT_ACCESS structure for SetEntriesInAcl function. - this gives the final result without "Write" permission, but our action is not like removing Specific permission alone.
this gives the final result without "Write" permission, but our action is not like removing Specific permission alone.
This method is OK, why can't it meet your requirements?
Could you please tell us in detail what your scenario is?
Thank you.
Hi Junjie Zhu,
I want to Remove The Specific Permission alone from the user trustee already with "Full Control" or Any other set of permissions.
So I think, setting "Read" and "Execute" permission to remove "Write" Permission is not the correct modification.
NTFS permissions can be complex particularly when you need to consider propagation to sub-folders and files. A simple scenario is that the permissions on a root folder are inherited by all sub-folder and files and no ACL contains explicit entries. However, this may not be the case. For example, Windows has a number of system folders where the ACLs in their security descriptors are not inherited.
Was the ACE for the trustee in question inherited? How do you want any change to be handled? Do you want to protect the related DACL from inheritance related to future changes?
So as part of any details you provide please clarify the existing and desired result with respect to inheritance and propagation. Posting images from the Advanced Security Settings editor would help us understand the situation.
Following incomplete snippet removes write access and leaves any other permissions in the access mask unchanged.
err = GetExplicitEntriesFromAcl(pDacl, &nEntries, &pExplicit);
if (!err)
{
for (ULONG i = 0; i < nEntries; i++)
{
PEXPLICIT_ACCESS pea = &pExplicit[i];
if (pea->Trustee.TrusteeForm != TRUSTEE_IS_SID)
{
_tprintf(_T("Trustee form was not a SID\n"));
continue;
}
if (pea->Trustee.TrusteeForm == TRUSTEE_IS_SID)
{
if (EqualSid((PSID)pea->Trustee.ptstrName, pts2->Sid))
{
PACL pNewDacl{};
pea->grfAccessMode = SET_ACCESS;
// Remove permissions from access mask
pea->grfAccessPermissions &= ~(WRITE_DAC | WRITE_OWNER | DELETE); // Standard rights
pea->grfAccessPermissions &= ~(FILE_ADD_FILE | FILE_ADD_SUBDIRECTORY | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | FILE_DELETE_CHILD); // specific rights
err = SetEntriesInAcl(1, pea, pDacl, &pNewDacl);
if (!err)
{
err = SetNamedSecurityInfo(szFolder, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
nullptr, nullptr, pNewDacl, nullptr);
if (err)
ShowLastError(_T("SetNamedSecurityInfo"), err);
LocalFree(pNewDacl);
}
else
ShowLastError(_T("SetEntriesInAcl"), err);
break;
}
}
}
LocalFree(pExplicit);
}
else
ShowLastError(_T("GetExplicitEntriesFromAcl"), err);
The assumption used is that its OK to let SetNamedSecurityInfo handle propagation of permissions to subfolders/files based on the existing settings in the security descriptor.