C# Folder ACL's not applying

587 views Asked by At

I have recently started learning C# for a project at work which is to write an updated User Creation Tool to replace our old vbscript tool. So far I have completed all the Active Directory side of it but I am having some issues with folder ACL's when creating the profile folder.

I have successfully made a function to remove all folder ACL's and start from scratch but my function to add the ACL's to the folder does not seem to work. Here is the function:

public void CreateFolderACL(string FolderPath, string Account, FileSystemRights Rights, AccessControlType ControlType)
    {
        try
        {
            DirectorySecurity fs = Directory.GetAccessControl(FolderPath);
            AuthorizationRuleCollection rules = fs.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
            fs.AddAccessRule(new FileSystemAccessRule(@"domain\" + Account, Rights, ControlType));
            Directory.SetAccessControl(FolderPath, fs);
        }
        catch(Exception E)
        {
            Console.WriteLine(E);
        }
    }

When I pipe in something like

CreateFolderACL(userData["ProfilePath"] + ".v2", "Domain Admins", FileSystemRights.FullControl, AccessControlType.Allow);

It creates an entry in the folder but no permissions are set (see screenshot below) and it does not set any of the other permissions I try to apply alongside domain admins.

https://i.stack.imgur.com/Iul1i.png

I am new to this and this is my first real program but I have hit a snag and can't figure out what is going on.

The specific error is: System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.

2

There are 2 answers

0
TheFridgeMaster On BEST ANSWER

Thanks for the response.

Just an update, I played around with it a bit and it turns out the "Some or all identity references could not be translated." message was actually when trying to add permissions for the user account just created, and it couldn't find the user.

Once I commented it out and only tested adding Domain Admins permissions, it finishes executing without error, but the same issue occurs. Domain Admins is added as a permission but only "special permissions" is checked which means full control is not applying.

Without error messages I cannot figure out why this is happening. I thought it might have been because I am removing all ACL's before I apply new ones, so I tried to create a folder and add the Domain Admins permissions without first removing all ACL's and the same thing happens.

Surely it can't be a permissions issue if I can create the folder and purge all ACL's from said folder?

If I right click and try to manually tick full control for Domain Admins and hit apply, I get access denied. I'm not sure where to go from here.

EDIT: If I don't remove the ACL's and I add InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly to the line, it applies the permissions fine. As soon as I try it with the ACL removal first, it fails the same way. This must be a permissions issue, or i'm not rebuilding the ACL correctly.

Final Edit: I got it all sorted. Turns out I needed both Access Rules added:

fs.AddAccessRule(new FileSystemAccessRule(new System.Security.Principal.SecurityIdentifier(Account), Rights, ControlType));
            fs.AddAccessRule(new FileSystemAccessRule(new System.Security.Principal.SecurityIdentifier(Account), Rights, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, ControlType));

Thanks for your help.

0
SteveFerg On

Sounds like it does not like your AddAccessRule. Have a look at: Set File access rule for something similar