I am trying to modify an existing ACL in a directory (and its subdirectories) to remove write access for the Users built-in group. A directory inherits this particular right from the parent directory. I tried using AtlSetDacl () to set a new ACL, but that does not eliminate the inherited write permission. Fragment:
ATL::CDacl dacl;
ATL::AtlGetDacl(directoryName.c_str(), SE_FILE_OBJECT, &dacl);
UINT aceCount = dacl.GetAceCount();
ATL::CDacl newDacl;
for (UINT i = 0; i < aceCount; ++i)
{
ATL::CSid sid;
ACCESS_MASK mask = 0;
BYTE flags = 0;
dacl.GetAclEntry(i,
&sid,
&mask,
(BYTE*) 0,
&flags);
if (sid != Sids::Users())
newDacl.AddAllowedAce(sid, mask, flags);
}
newDacl.AddAllowedAce(Sids::Users(),FILE_LIST_DIRECTORY | FILE_READ_EA | FILE_EXECUTE | FILE_READ_ATTRIBUTES, CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE);
AtlSetDacl(directoryName.c_str(), SE_FILE_OBJECT, newDacl);
I also tried SetNamedSecurityInfo () and its associated APIs to erase the existing ACL and create a new one, but no luck here either. It doesn't seem like it should be so complicated. Using cacls.exe is a piece of cake (unfortunately, this is not an option for me). Any ideas on how to do this?
source
share