Create a Shared Folder and Set permissions in C#

Here is my code to share a folder, remove that share and set permissions using the System.Management library in C#.

Click to Read More

[csharp] using System;
using System.ComponentModel;
using System.IO;
using System.Management;
using System.Reflection;
using System.Security.Principal;
namespace Fortis.Framework.Services.Config
{
internal static class ManagementHelper
{

internal enum MethodStatus : uint
{
[Description("Operation succeeded")] Success = 0,
[Description("Access denied")] AccessDenied = 2,
[Description("Unknown failure")] UnknownFailure = 8,
[Description("Invalid name")] InvalidName = 9,
[Description("Invalid level")] InvalidLevel = 10,
[Description("Invalid parameter")] InvalidParameter = 21,
[Description("Duplicate share")] DuplicateShare = 22,
[Description("Redirected path")] RedirectedPath = 23,
[Description("Unknown device or directory")] UnknownDevice = 24,
[Description("Net name not found")] NetNameNotFound = 25
}

internal enum ShareType : uint
{
[Description("Disk Drive")] DiskDrive = 0x0,
[Description("Print Queue")] PrintQueue = 0x1,
[Description("Device")] Device = 0x2,
[Description("IPC")] IPC = 0x3,
[Description("Disk Drive Admin")] DiskDriveAdmin = 0x80000000,
[Description("Print Queue Admin")] PrintQueueAdmin = 0x80000001,
[Description("Device Admin")] DeviceAdmin = 0x80000002,
[Description("IPC Admin")] IpcAdmin = 0x80000003
}

internal enum ControlFlags : uint
{
SE_OWNER_DEFAULTED = 0x1, //Indicates an SD with a default owner security identifier (SID). Use this bit to find all of the objects that have default owner permissions set.
SE_GROUP_DEFAULTED = 0x2, //Indicates an SD with a default group SID. Use this bit to find all of the objects that have default group permissions set.
SE_DACL_PRESENT = 0x4, //Indicates an SD that has a DACL. If this flag is not set, or if this flag is set and the DACL is NULL, the SD allows full access to everyone.
SE_DACL_DEFAULTED = 0x8, //Indicates an SD with a default DACL. For example, if an object creator does not specify a DACL, the object receives the default DACL from the access token of the creator. This flag can affect how the system treats the DACL, with respect to access control entry (ACE) inheritance. The system ignores this flag if the SE_DACL_PRESENT flag is not set.
SE_SACL_PRESENT = 0x10, //Indicates an SD that has a system access control list (SACL).
SE_SACL_DEFAULTED = 0x20, //Indicates an SD with a default SACL. For example, if an object creator does not specify an SACL, the object receives the default SACL from the access token of the creator. This flag can affect how the system treats the SACL, with respect to ACE inheritance. The system ignores this flag if the SE_SACL_PRESENT flag is not set.
SE_DACL_AUTO_INHERIT_REQ = 0x100, //Requests that the provider for the object protected by the SD automatically propagate the DACL to existing child objects. If the provider supports automatic inheritance, the DACL is propagated to any existing child objects, and the SE_DACL_AUTO_INHERITED bit in the SD of the parent and child objects is set.
SE_SACL_AUTO_INHERIT_REQ = 0x200, //Requests that the provider for the object protected by the SD automatically propagate the SACL to existing child objects. If the provider supports automatic inheritance, the SACL is propagated to any existing child objects, and the SE_SACL_AUTO_INHERITED bit in the SDs of the parent object and child objects is set.
SE_DACL_AUTO_INHERITED = 0x400, //Indicates an SD in which the DACL is set up to support automatic propagation of inheritable ACEs to existing child objects. The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects. This bit is not set in SDs for Windows NT versions 4.0 and earlier, which do not support automatic propagation of inheritable ACEs.
SE_SACL_AUTO_INHERITED = 0x800, //Indicates an SD in which the SACL is set up to support automatic propagation of inheritable ACEs to existing child objects. The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects. This bit is not set in SDs for Windows NT versions 4.0 and earlier, which do not support automatic propagation of inheritable ACEs.
SE_DACL_PROTECTED = 0x1000, //Prevents the DACL of an SD from being modified by inheritable ACEs.
SE_SACL_PROTECTED = 0x2000, //Prevents the SACL of an SD from being modified by inheritable ACEs.
SE_SELF_RELATIVE = 0x8000, //Indicates an SD in self-relative format with all the security information in a contiguous block of memory. If this flag is not set, the SD is in absolute format. For more information, see Absolute and Self-Relative Security Descriptors.
}

internal enum FileAccessMask : uint
{
FILE_READ_DATA = 0x1, //Grants the right to read data from the file.
FILE_WRITE_DATA = 0x2, //Grants the right to write data to the file.
FILE_APPEND_DATA = 0x4, //Grants the right to append data to the file.
FILE_READ_EA = 0x8, //Grants the right to read extended attributes.
FILE_WRITE_EA = 0x10, //Grants the right to write extended attributes.
FILE_EXECUTE = 0x20, //Grants the right to execute a file.
FILE_DELETE_CHILD = 0x40,//Grants the right to delete a directory and all the files it contains (its children), even if the files are read-only.
FILE_READ_ATTRIBUTES = 0x80, //Grants the right to read file attributes.
FILE_WRITE_ATTRIBUTES = 0x100, //Grants the right to change file attributes.
DELETE = 0x10000, //Grants delete access.
READ_CONTROL = 0x20000, //Grants read access to the security descriptor and owner.
WRITE_DAC = 0x40000,//Grants write access to the discretionary access control list (ACL).
WRITE_OWNER = 0x80000,//Assigns the write owner.
SYNCHRONIZE = 0x100000,//Synchronizes access and allows a process to wait for an object to enter the signaled state.
}

internal enum FolderAccessMask : uint
{
FILE_LIST_DIRECTORY = 0x1, //Grants the right to list the contents of the directory.
FILE_ADD_FILE = 0x2, //Grants the right to create a file in the directory.
FILE_ADD_SUBDIRECTORY = 0x4, //Grants the right to create a subdirectory.
FILE_READ_EA = 0x8, //Grants the right to read extended attributes.
FILE_WRITE_EA = 0x10, //Grants the right to write extended attributes.
FILE_TRAVERSE = 0x20, //Grants the right to traverse the directory.
FILE_DELETE_CHILD = 0x40,//Grants the right to delete a directory and all the files it contains (its children), even if the files are read-only.
FILE_READ_ATTRIBUTES = 0x80, //Grants the right to read folder attributes.
FILE_WRITE_ATTRIBUTES = 0x100, //Grants the right to change folder attributes.
DELETE = 0x10000, //Grants delete access.
READ_CONTROL = 0x20000, //Grants read access to the security descriptor and owner.
WRITE_DAC = 0x40000,//Grants write access to the discretionary access control list (ACL).
WRITE_OWNER = 0x80000,//Assigns the write owner.
SYNCHRONIZE = 0x100000,//Synchronizes access and allows a process to wait for an object to enter the signaled state.
}

internal const uint FolderAccessFullControl = (uint)
(FolderAccessMask.FILE_LIST_DIRECTORY | FolderAccessMask.FILE_ADD_FILE |
FolderAccessMask.FILE_TRAVERSE | FolderAccessMask.FILE_ADD_SUBDIRECTORY |
FolderAccessMask.FILE_READ_EA | FolderAccessMask.FILE_WRITE_EA |
FolderAccessMask.FILE_DELETE_CHILD | FolderAccessMask.FILE_READ_ATTRIBUTES |
FolderAccessMask.FILE_WRITE_ATTRIBUTES | FolderAccessMask.DELETE |
FolderAccessMask.WRITE_DAC | FolderAccessMask.READ_CONTROL |
FolderAccessMask.WRITE_OWNER | FolderAccessMask.SYNCHRONIZE);

internal enum AceFlags : uint
{
OBJECT_INHERIT_ACE = 0x1, //Noncontainer child objects inherit the ACE as an effective ACE. For child objects that are containers, the ACE is inherited as an inherit-only ACE unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.
CONTAINER_INHERIT_ACE = 0x2, //Child objects that are containers, such as directories, inherit the ACE as an effective ACE. The inherited ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.
NO_PROPAGATE_INHERIT_ACE = 0x4, //If the ACE is inherited by a child object, the system clears the OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE flags in the inherited ACE. This prevents the ACE from being inherited by subsequent generations of objects.
INHERIT_ONLY_ACE = 0x8, //Indicates an inherit-only ACE which does not control access to the object to which it is attached. If this flag is not set, the ACE is an effective ACE which controls access to the object to which it is attached. Both effective and inherit-only ACEs can be inherited depending on the state of the other inheritance flags.
INHERITED_ACE = 0x10, //The system sets this bit when it propagates an inherited ACE to a child object.
SUCCESSFUL_ACCESS_ACE_FLAG = 0x40, //Used with system-audit ACEs in an SACL to generate audit messages for successful access attempts.
FAILED_ACCESS_ACE_FLAG = 0x80 //Used with system-audit ACEs in an SACL to generate audit messages for failed access attempts.
}

internal enum AceType : uint
{
Access_Allowed = 0,
Access_Denied = 1,
Audit = 2
}

internal static string GetDescription(this Enum value)
{
FieldInfo fi = value.GetType().GetField(value.ToString());

DescriptionAttribute[] attributes =
(DescriptionAttribute[])fi.GetCustomAttributes(
typeof(DescriptionAttribute), false);

if (attributes != null && attributes.Length > 0)
return attributes[0].Description;
else
return value.ToString();
}

/// <summary>
/// Add a Share on a folder.
/// </summary>
/// <param name="folderPath">Path of the folder to be shared.</param>
/// <param name="shareName">Name to be given to the share.</param>
/// <param name="description">Description to be set on the share.</param>
/// <param name="securityDescriptor">Security to be set on the share, including username and access rights.</param>
/// <remarks>The folder is created if it does not yet exist.</remarks>
internal static void AddSharedFolder(string folderPath,
string shareName, string description,
ManagementObject securityDescriptor)
{
try
{
// Create the folder if required
var folder = new DirectoryInfo(folderPath);
if (!folder.Exists) folder.Create();

// Create a ManagementClass object
ManagementClass managementClass = new ManagementClass("Win32_Share");

// Create ManagementBaseObjects for in and out parameters
ManagementBaseObject inParams =
managementClass.GetMethodParameters("Create");
ManagementBaseObject outParams;

// Set the input parameters
inParams["Description"] = description;
inParams["Name"] = shareName;
inParams["Path"] = folderPath;
inParams["Type"] = ShareType.DiskDrive;
//inParams["MaximumAllowed"] = 20;
inParams["Password"] = null;
inParams["Access"] = securityDescriptor;

// Invoke the "create" method on the ManagementClass object
outParams = managementClass.InvokeMethod("Create", inParams, null);

// Check the result
var result =
GetMethodStatus(outParams.Properties["ReturnValue"].Value);
Console.WriteLine("Create Share: " + result.GetDescription());
}
catch (Exception ex)
{
Console.WriteLine("Error: " + ex.Message);
}
}

/// <summary>
/// Get security settings required to grant access rights on Files of Folders to a user account.
/// </summary>
/// <param name="domain">Domain of the User account</param>
/// <param name="username">Name of the User account.</param>
/// <param name="accessMask">Requested Access Rights.</param>
/// <returns>A security Descriptor with the requested access right for the provided user account.</returns>
internal static ManagementObject GetSecurityDescriptor(string domain, string username, object accessMask)
{
var everyoneAccount = new NTAccount(domain, username);
var sid = everyoneAccount.Translate(typeof(SecurityIdentifier)) as SecurityIdentifier;
var sidArray = new byte[sid.BinaryLength];
sid.GetBinaryForm(sidArray, 0);

ManagementObject everyone = new ManagementClass("Win32_Trustee");
everyone["Domain"] = domain;
everyone["Name"] = username;
everyone["SID"] = sidArray;

ManagementObject dacl = new ManagementClass("Win32_Ace");
dacl["AccessMask"] = accessMask;
dacl["AceFlags"] = AceFlags.OBJECT_INHERIT_ACE | AceFlags.CONTAINER_INHERIT_ACE;
dacl["AceType"] = AceType.Access_Allowed;
dacl["Trustee"] = everyone;

ManagementObject securityDescriptor = new ManagementClass("Win32_SecurityDescriptor");
securityDescriptor["ControlFlags"] = ControlFlags.SE_DACL_PRESENT;
securityDescriptor["DACL"] = new object[] { dacl };
return securityDescriptor;
}

/// <summary>
/// Delete a Share.
/// </summary>
/// <param name="shareName">The name of the share to be deleted.</param>
internal static void RemoveSharedFolder(string shareName)
{
try
{
// Create a ManagementClass object
ManagementClass managementClass = new ManagementClass("Win32_Share");

// Get all existing shares and find the one to be deleted
ManagementObjectCollection shares = managementClass.GetInstances();
foreach (ManagementObject share in shares)
{
if (Convert.ToString(share["Name"]).Equals(shareName, StringComparison.InvariantCultureIgnoreCase))
{
// Invoke the "delete" method on the Share object
var outParams = share.InvokeMethod("Delete", new object[] { });

// Check the Result
var result = GetMethodStatus(outParams);
Console.WriteLine("Delete Share: " + result.GetDescription());

break;
}
}
}
catch (Exception ex)
{
Console.WriteLine("Error: " + ex.Message);
}
}

private static MethodStatus GetMethodStatus(object outParams)
{
MethodStatus result = MethodStatus.UnknownFailure;
Enum.TryParse<MethodStatus>(Convert.ToString(outParams), out result);
return result;
}
}
}
[/csharp]

And here is a code sample I am using:

[csharp] var path = @"C:\Users\Public\Documents\SomeFolder";

var folder = new DirectoryInfo(path);
if (!folder.Exists) folder.Create();

ManagementHelper.RemoveSharedFolder("MyShare");

// Get the security Descriptor
ManagementObject securityDescriptor = ManagementHelper.GetSecurityDescriptor(null, "everyone", ManagementHelper.FolderAccessFullControl);

// Create the Share
ManagementHelper.AddSharedFolder(path, "MyShare", "My Shared Folder", securityDescriptor);
[/csharp]

Loading


Categories:

Tags:


Comments

2 responses to “Create a Shared Folder and Set permissions in C#”

  1. Dave Avatar
    Dave

    Hi,
    I’m using a domain admin credential to create a folder share with read write access. I tried to use what you posted above but it comes back with access denied.
    I may be doing something wrong – but I’m calling your code as such:
    ManagementHelper.AddSharedFolder(@”p:\Archive05″,”Archive05″,”Archive”,(ManagementHelper.GetSecurityDescriptor(“Capitals”,”DGiles”,ManagementHelper.FolderAccessMask.WRITE_OWNER)));
    I would appreciate your feedback.

    Thanks,

    David

    1. Valery Letroye Avatar

      I don’t see what could be wrong in your call. But I am right now on vacation and can’t access my code to double check my own call. I will do next week.

      Is your code running with an account granted adequate rights to create a shared folder ?
      And did you succeed to create the shared folder with that account using Windows Explorer?

      [EDIT] Et voilà, back from holidays :(…
      I have added in my post above a code sample based on what I am doing concretely.
      There is a priori nothing wrong in your code.

Leave a Reply to Anonymous Cancel reply

Your email address will not be published. Required fields are marked *