How to assign directory permissions to administrators for a particular directory?

I am trying to grant permissions only to administrators and deny access to all other, non-administrator users. Here is the code:

using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

class Program
{
    // Must run elevated: rewriting the DACL needs WRITE_DAC on the directory.
    static void Main()
    {
        DirectoryInfo di = new DirectoryInfo(@"C:\C00");

        DirectorySecurity dirSec = di.GetAccessControl();
        // Stop inheriting from the parent and discard the inherited ACEs.
        dirSec.SetAccessRuleProtection(true, false);

        SecurityIdentifier systemSid = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
        NTAccount systemAccount = (NTAccount)systemSid.Translate(typeof(NTAccount));

        SecurityIdentifier adminSid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        NTAccount adminAccount = (NTAccount)adminSid.Translate(typeof(NTAccount));

        SecurityIdentifier userSid = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
        NTAccount userAccount = (NTAccount)userSid.Translate(typeof(NTAccount));

        // Apply each ACE to this folder, its subfolders and its files.
        InheritanceFlags inherit = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;

        //access rule 1: SYSTEM gets full control
        dirSec.AddAccessRule(new FileSystemAccessRule(systemAccount, FileSystemRights.FullControl, inherit, PropagationFlags.None, AccessControlType.Allow));
        //access rule 2: Administrators get read access
        dirSec.AddAccessRule(new FileSystemAccessRule(adminAccount, FileSystemRights.Read, inherit, PropagationFlags.None, AccessControlType.Allow));
        //access rule 3: Users are explicitly denied read access
        dirSec.AddAccessRule(new FileSystemAccessRule(userAccount, FileSystemRights.Read, inherit, PropagationFlags.None, AccessControlType.Deny));

        di.SetAccessControl(dirSec);
    }
}

With the code above, even administrators cannot access the folder, but without the access rule marked "access rule 3" in the comments it works as expected. Can anyone explain why this happens?

See the figure below for a better picture of how a DACL works.

Windows stops checking access control entries as soon as the requested access is explicitly granted or denied. The order of the ACEs matters a great deal: note that if the ACEs in the example were in a different order, the system might have granted access to thread A.

Some notes on deny ACEs

In most cases, you can control access to an object by using access-allowed ACEs; you do not need to explicitly deny access to an object. The exception is when an ACE allows access to a group and you want to deny access to a member of the group. To do this, place an access-denied ACE for the user in the DACL ahead of the access-allowed ACE for the group. Note that the order of the ACEs is important because the system reads the ACEs in sequence until access is granted or denied. The user's access-denied ACE must appear first; otherwise, when the system reads the group's access allowed ACE, it will grant access to the restricted user.

How AccessCheck Works

How the System Uses ACLs
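The following is an added example, not code from the question or the answer above. It shows the mechanism the answer describes on the asker's own scenario: an administrator's token normally carries the BUILTIN\Users SID as well (Users contains Authenticated Users by default), .NET writes the DACL in canonical order with explicit Deny ACEs first, so the Deny ACE for Users matches the administrator's token before the Allow ACE for Administrators is ever reached. The fix is to add no Deny ACE at all and rely on the implicit deny that results from having no matching Allow ACE. The directory path, the `AclDemo` class, its method names and the choice of FullControl (rather than the asker's Read) for Administrators are assumptions; it must run elevated because changing a DACL requires WRITE_DAC on the directory.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example; run elevated. Usage: AclDemo.exe C:\C00  (path is an assumption)
class AclDemo
{
    static readonly SecurityIdentifier LocalSystem = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
    static readonly SecurityIdentifier Admins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
    static readonly SecurityIdentifier Users = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
    static readonly InheritanceFlags Inherit = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;

    // Step 1: why "access rule 3" locks out administrators. The current token
    // is checked for both group SIDs; on a default install an administrator
    // holds both, so a Deny ACE for Users applies to the administrator too.
    static void ShowTokenGroups()
    {
        WindowsIdentity me = WindowsIdentity.GetCurrent();
        Console.WriteLine("Running as:                         " + me.Name);
        Console.WriteLine("Token holds BUILTIN\\Users:          " + me.Groups.Contains(Users));
        Console.WriteLine("Token holds BUILTIN\\Administrators: " + me.Groups.Contains(Admins));
    }

    // Step 2: the fix. No Deny ACE. Protecting the DACL discards the inherited
    // ACEs (where "Users: Read & execute" normally comes from), any remaining
    // explicit ACE is removed, and only SYSTEM and Administrators get an Allow.
    // Every other principal is denied implicitly: the access check finds no
    // ACE that grants them anything.
    static void RestrictToAdmins(string path)
    {
        DirectoryInfo di = new DirectoryInfo(path);
        DirectorySecurity dacl = di.GetAccessControl();
        dacl.SetAccessRuleProtection(true, false);
        foreach (FileSystemAccessRule rule in dacl.GetAccessRules(true, false, typeof(SecurityIdentifier)))
            dacl.RemoveAccessRuleAll(rule);

        dacl.AddAccessRule(new FileSystemAccessRule(LocalSystem, FileSystemRights.FullControl, Inherit, PropagationFlags.None, AccessControlType.Allow));
        dacl.AddAccessRule(new FileSystemAccessRule(Admins, FileSystemRights.FullControl, Inherit, PropagationFlags.None, AccessControlType.Allow));
        di.SetAccessControl(dacl);
    }

    // Step 3: dump the DACL in the order the system evaluates it. With the
    // asker's original code this would list "Deny BUILTIN\Users" before the
    // Allow entries; after RestrictToAdmins there is no Deny entry at all.
    static void DumpDacl(string path)
    {
        DirectorySecurity dacl = new DirectoryInfo(path).GetAccessControl();
        foreach (FileSystemAccessRule rule in dacl.GetAccessRules(true, true, typeof(NTAccount)))
            Console.WriteLine("{0,-5} {1,-32} {2}", rule.AccessControlType, rule.IdentityReference, rule.FileSystemRights);
    }

    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : @"C:\C00";
        ShowTokenGroups();
        RestrictToAdmins(path);
        DumpDacl(path);
    }
}
```

Two caveats worth keeping in mind. First, a member of Administrators who is not elevated runs with a filtered token in which the Administrators SID is marked deny-only, so even this DACL blocks un-elevated processes such as a normal Explorer window; that is expected UAC behaviour, not a bug in the ACL. Second, an explicit Deny ACE is the right tool only for the case the quoted documentation names, excluding one specific principal that is otherwise covered by an Allow ACE for a group; when you do add one, `AddAccessRule` already places it in canonical order ahead of the Allow ACEs, so you do not need to order the entries by hand.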