Enterprise Solutions


How to get file security information using DirectoryServices

The DirectoryServices classes do not fully implement all the features present in ADSI. For the missing features, you can use COM Interop or P/Invoke to call into the lower-level ADSI implementation. For getting security information on objects such as files and shares, ADSI has interfaces like IADsSecurityUtility, IADsSecurityDescriptor and IADsAccessControlList. There is no direct way to get these interfaces through the .NET DirectoryServices classes. This is where COM Interop helps. You can use the tlbimp utility to import the types from the activeds.tlb type library into a managed assembly, and then add a reference to that assembly in your project. If you are using the VS.Net IDE for your project, you can add a reference to activeds.tlb directly by right-clicking the References node in Solution Explorer. After adding the reference to this type library, you will need to import the ActiveDs namespace in your source file.

using System.Collections;	// IEnumerator
using ActiveDs;

private void Page_Load(object sender, System.EventArgs e)
{
	ADsSecurityUtilityClass secuUtil = new ADsSecurityUtilityClass();
	string strFile = Server.MapPath(Request.FilePath);
	// HTML-encode values before writing them into the page.
	Response.Write("Security Info for file: " + Server.HtmlEncode(strFile) + "<hr>");
	object ob = secuUtil.GetSecurityDescriptor(
					strFile,
					(int)ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
					(int)ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);
	if (null != ob)
	{
		// Since we asked for ADS_SD_FORMAT_IID format, the returned object
		// is an IADsSecurityDescriptor. So we can use the methods on this
		// object to get more information about the security descriptor.
		ActiveDs.IADsSecurityDescriptor sd = (IADsSecurityDescriptor)ob;
		string strOwner = sd.Owner;
		Response.Write("<br>" + "Owner: " + Server.HtmlEncode(strOwner));
		long lRevision = sd.Revision;
		long lControlFlags = sd.Control;
		string strGroup = sd.Group;
		Response.Write("<br>" + "Group: " + Server.HtmlEncode(strGroup));
		ActiveDs.IADsAccessControlList obDacl = 
			(ActiveDs.IADsAccessControlList)sd.DiscretionaryAcl;
		//Enumerate over each Ace in ACL
		int iAceCount = obDacl.AceCount;
		Response.Write("<br>" + "Access Types:");
		// Get Ace enumerator.
		IEnumerator obAceEnum = obDacl.GetEnumerator();
		while (obAceEnum.MoveNext())
		{
			// Get information about the Ace.
			IADsAccessControlEntry obAce = (IADsAccessControlEntry)obAceEnum.Current;
			// Get Ace Type.
			ADS_ACETYPE_ENUM lAceType = (ADS_ACETYPE_ENUM)obAce.AceType;
			long lMask = obAce.AccessMask;
			long lAceFlags = obAce.AceFlags;
			long lFlags = obAce.Flags;
			string strObjType = obAce.ObjectType;
			string strTrustee = obAce.Trustee;
			string strType = "";
			switch (lAceType)
			{
				case ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED:
					strType = "Allowed";
					break;
				case ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED:
					strType = "Denied";
					break;
				case ADS_ACETYPE_ENUM.ADS_ACETYPE_SYSTEM_AUDIT:
					strType = "Audit";
					break;
			}
			Response.Write("<hr>");
			Response.Write("<br> Trustee: " + Server.HtmlEncode(strTrustee));
			Response.Write("<br> Type: " + strType);
			Response.Write("<br> Mask: " + lMask.ToString());
			Response.Write("<br> Flags: " + lAceFlags.ToString());
		}
	}
}
						

We have not fully expanded the Ace Mask and Flag properties. These are defined as ADS_RIGHTS_ENUM and ADS_ACEFLAGS_ENUM types. You can look at the documentation to interpret these values.
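One way to expand those two numbers into readable names, as an added example that is not part of the original page. The class and method names (AceDecoder, DecodeMask, DecodeFlags) are hypothetical, the bit values are the standard winnt.h / ADSI constants, and the inputs in Main are constructed samples rather than values read from a real file.

```csharp
using System;
using System.Collections.Generic;

static class AceDecoder
{
    // Bits 0-8: file-specific rights (winnt.h FILE_* names). On a file these
    // replace the ADS_RIGHT_DS_* meanings the same bits have on directory objects.
    // Higher bits: standard/generic rights, same values as in ADS_RIGHTS_ENUM.
    static readonly (uint Bit, string Name)[] FileRights =
    {
        (0x00000001, "FILE_READ_DATA"),    (0x00000002, "FILE_WRITE_DATA"),
        (0x00000004, "FILE_APPEND_DATA"),  (0x00000008, "FILE_READ_EA"),
        (0x00000010, "FILE_WRITE_EA"),     (0x00000020, "FILE_EXECUTE"),
        (0x00000040, "FILE_DELETE_CHILD"), (0x00000080, "FILE_READ_ATTRIBUTES"),
        (0x00000100, "FILE_WRITE_ATTRIBUTES"),
        (0x00010000, "DELETE"),            (0x00020000, "READ_CONTROL"),
        (0x00040000, "WRITE_DAC"),         (0x00080000, "WRITE_OWNER"),
        (0x00100000, "SYNCHRONIZE"),       (0x01000000, "ACCESS_SYSTEM_SECURITY"),
        (0x10000000, "GENERIC_ALL"),       (0x20000000, "GENERIC_EXECUTE"),
        (0x40000000, "GENERIC_WRITE"),     (0x80000000, "GENERIC_READ"),
    };

    // AceFlags bits. 0x01 is defined in winnt.h only; the rest are ADS_ACEFLAGS_ENUM.
    static readonly (uint Bit, string Name)[] AceFlagBits =
    {
        (0x01, "OBJECT_INHERIT_ACE"),      (0x02, "ADS_ACEFLAG_INHERIT_ACE"),
        (0x04, "ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE"),
        (0x08, "ADS_ACEFLAG_INHERIT_ONLY_ACE"),
        (0x10, "ADS_ACEFLAG_INHERITED_ACE"),
        (0x40, "ADS_ACEFLAG_SUCCESSFUL_ACCESS"), (0x80, "ADS_ACEFLAG_FAILED_ACCESS"),
    };

    static string Decode(uint value, (uint Bit, string Name)[] table)
    {
        var names = new List<string>();
        foreach (var (bit, name) in table)
            if ((value & bit) != 0) { names.Add(name); value &= ~bit; }
        // Report leftover bits instead of silently dropping them.
        if (value != 0) names.Add("UNKNOWN(0x" + value.ToString("X") + ")");
        return names.Count == 0 ? "(none)" : string.Join(" | ", names);
    }

    // The interop properties return signed ints; reinterpret as unsigned bit fields.
    public static string DecodeMask(int accessMask) => Decode(unchecked((uint)accessMask), FileRights);
    public static string DecodeFlags(int aceFlags) => Decode(unchecked((uint)aceFlags), AceFlagBits);

    static void Main()
    {
        Console.WriteLine(DecodeMask(0x001F01FF)); // constructed: the "Full control" file mask
        Console.WriteLine(DecodeMask(0x001200A9)); // constructed: the "Read & execute" file mask
        Console.WriteLine(DecodeFlags(0x13));      // constructed: inherited ACE that also propagates
    }
}
```

When reviewing output, an Allowed ACE carrying WRITE_DAC or WRITE_OWNER for a broad trustee deserves attention, since those rights let the trustee rewrite the ACL itself.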
