Share via


How to Give Authenticated Users or Everyone Access to Your Share Programmatically

Another follow-up from my previous article, Programmatically Configuring Permissions on a Share, David B asked a question, how to share a folder to Everyone, instead of to a specific users. This article will answer that question, based on the code on my previous article.

That is an interesting question, since ‘Everyone’ can be replaced with ‘Authenticated Users’, ‘Network Service’, etc.

First, if you need only to give Everyone read-only access permission, the easiest thing is to set the DACL property of Win32_SecurityDescriptor to null. This is not equal with an array of null. An array of null will lock everyone out from this share.

 ManagementObject secDescriptor = new ManagementClass(new ManagementPath("Win32_SecurityDescriptor"), null);
secDescriptor["ControlFlags"] = 4; //SE_DACL_PRESENT 
secDescriptor["DACL"] = null; 

If you need to be more explicit, or you need to assign other security principal different access, that method above will not work. As soon as you assign someone access to the share, ‘Everyone’ will lose its read access.

To assign the permission explicitly, the key is to form the correct Win32_Trustee to represent that special account (Network Service, Everyone, Authenticated Users, etc.). Take a look at System.Security.Principal.WellKnownSidType enum. It has a number of well known sid that you might be interested with.

What needs to be done is to assign the SID property of the Win32_Trustee object with the security identifier derived from the well known sid.

Let assume you have this method:

 private byte[] GetWellKnwonSid(WellKnownSidType SidType)
{
    SecurityIdentifier Result = new SecurityIdentifier(SidType, null);
    byte[] sidArray = new byte[Result.BinaryLength];
    Result.GetBinaryForm(sidArray, 0);

    return sidArray;
}

Then when Win32_Trustee object is created, assign the SID property as follow:

 ManagementObject Trustee = new ManagementClass(new ManagementPath("Win32_Trustee"), null);
Trustee["SID"] = GetWellKnwonSid(WellKnownSidType.WorldSid); 

That code above will create Win32_Trustee for ‘Everyone’. Use this Win32_Trustee to form the Win32_Ace, and you now explicitly assign ‘Everyone’ access to your share.

Comments

  • Anonymous
    December 07, 2010
    I realize that this is an older post But i was wondering could you show an example of the full code working, i need to create a shared folder that everyone can write too, but only members of the Administrator group can read, im using C# 4.0, is there a way to programmaticallydo this? Thanks Scott

  • Anonymous
    January 26, 2011
    Scott, I am not sure I have the time to write a sample application on how to do it, sorry. To do that is possible. Look into the other post, blogs.msdn.com/.../programmatically-configuring-permissions-on-a-share-in-c.aspx. Based on that post, create two Win32_Ace instances, one for admin, the other for everyone, put them into an array and assign the array to the DACL property of Win32_SecurityDescriptor. Make sure to put the administrator Win32_Ace first before Everyone, otherwise, the admin would have read-only permission.