I have been running into errors when trying to add directory security; the error message was:

System.InvalidOperationException: This access control list is not in canonical form and therefore cannot be modified.

 

Thanks to http://stackoverflow.com/questions/8126827/how-do-you-programmatically-fix-a-non-canonical-acl

I ended up with the following code:

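  /// <summary>
  /// Rewrites the DACL of <paramref name="objectSecurity"/> so that its ACEs are in canonical order,
  /// which is what the rule-editing members (AddAccessRule, ResetAccessRule, ...) require; otherwise
  /// they throw "This access control list is not in canonical form and therefore cannot be modified".
  /// </summary>
  /// <param name="objectSecurity">The security object whose DACL is reordered in place.</param>
  /// <exception cref="ArgumentNullException"><paramref name="objectSecurity"/> is null.</exception>
  /// <remarks>
  /// Only the DACL (AccessControlSections.Access) is touched; owner, group and SACL are left alone.
  /// Reordering changes evaluation order: an explicit Deny that previously sat after an Allow now
  /// takes precedence, so effective access for the affected trustees can become more restrictive.
  /// If the DACL holds an ACE type that has no slot in the canonical ordering (compound, callback or
  /// custom ACEs) the DACL is left untouched rather than dropping entries; the caller's next edit
  /// will then still fail with the canonical-form error. Debug builds additionally hit Debug.Fail.
  /// </remarks>
  static void CanonicalizeDacl(NativeObjectSecurity objectSecurity)
  {
      if (objectSecurity == null) { throw new ArgumentNullException("objectSecurity"); }
      if (objectSecurity.AreAccessRulesCanonical) { return; }

      // Round-trip through SDDL to get a RawSecurityDescriptor whose ACEs can be reordered freely.
      RawSecurityDescriptor descriptor = new RawSecurityDescriptor(
          objectSecurity.GetSecurityDescriptorSddlForm(AccessControlSections.Access));

      // A null DACL carries no ACEs at all, so there is nothing to reorder.
      if (descriptor.DiscretionaryAcl == null) { return; }

      RawAcl newDacl = BuildCanonicalDacl(descriptor.DiscretionaryAcl);
      if (newDacl == null)
      {
          System.Diagnostics.Debug.Fail("The DACL cannot be canonicalized since it would potentially result in a loss of information");
          return;
      }

      descriptor.DiscretionaryAcl = newDacl;
      objectSecurity.SetSecurityDescriptorSddlForm(descriptor.GetSddlForm(AccessControlSections.Access), AccessControlSections.Access);
  }

  /// <summary>
  /// Returns a copy of <paramref name="dacl"/> with its ACEs in canonical order, or null when an ACE
  /// of a type that has no defined position is present (so that no entry is silently dropped).
  /// </summary>
  /// <param name="dacl">The DACL to reorder; it is not modified.</param>
  static RawAcl BuildCanonicalDacl(RawAcl dacl)
  {
      // Canonical order:
      //   1. explicit access-denied on the object
      //   2. explicit access-denied on a child or property (object ACEs)
      //   3. explicit access-allowed on the object
      //   4. explicit access-allowed on a child or property (object ACEs)
      //   5. all inherited ACEs, in their existing relative order
      List<GenericAce> explicitDeny = new List<GenericAce>();
      List<GenericAce> explicitDenyObject = new List<GenericAce>();
      List<GenericAce> explicitAllow = new List<GenericAce>();
      List<GenericAce> explicitAllowObject = new List<GenericAce>();
      List<GenericAce> inherited = new List<GenericAce>();

      // Enumerate as GenericAce: AccessAllowedObject/AccessDeniedObject entries are ObjectAce, not
      // CommonAce, so iterating the ACL as CommonAce throws InvalidCastException before the switch
      // below could ever classify them.
      foreach (GenericAce ace in dacl)
      {
          if ((ace.AceFlags & AceFlags.Inherited) == AceFlags.Inherited)
          {
              inherited.Add(ace);
              continue;
          }

          switch (ace.AceType)
          {
              case AceType.AccessDenied:
                  explicitDeny.Add(ace);
                  break;

              case AceType.AccessDeniedObject:
                  explicitDenyObject.Add(ace);
                  break;

              case AceType.AccessAllowed:
                  explicitAllow.Add(ace);
                  break;

              case AceType.AccessAllowedObject:
                  explicitAllowObject.Add(ace);
                  break;

              default:
                  // Compound, callback, audit or custom ACE: no slot in the ordering above.
                  return null;
          }
      }

      RawAcl result = new RawAcl(dacl.Revision, dacl.Count);
      int index = 0;
      List<GenericAce>[] buckets = new[] { explicitDeny, explicitDenyObject, explicitAllow, explicitAllowObject, inherited };
      foreach (List<GenericAce> bucket in buckets)
      {
          foreach (GenericAce ace in bucket)
          {
              result.InsertAce(index++, ace);
          }
      }
      return result;
  }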
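/// <summary>
/// Grants <paramref name="Rights"/> to <paramref name="Account"/> on the directory
/// <paramref name="FileName"/>, replacing whatever explicit rules that account already had there.
/// </summary>
/// <param name="FileName">Path of the directory to modify.</param>
/// <param name="Account">Trustee as an account name that resolves on this machine (e.g. "BUILTIN\Users").</param>
/// <param name="Rights">File system rights to allow.</param>
/// <returns>true when the new DACL was written; false when any step failed (the exception text is written to the console).</returns>
/// <remarks>
/// The directory ends up with two Allow entries for the account: one for the folder itself and one
/// (ContainerInherit | ObjectInherit, InheritOnly) that only subfolders and files inherit.
/// ResetAccessRule first removes every existing explicit rule for the account, Deny rules included,
/// so a Deny an administrator placed on purpose is lost. The DACL is canonicalized before editing
/// because a non-canonical DACL makes ResetAccessRule/AddAccessRule throw. Nothing is persisted
/// until SetAccessControl at the end, so a failure part-way through leaves the directory unchanged.
/// </remarks>
public static bool AddDirectorySecurity(string FileName, string Account, FileSystemRights Rights)
{
    try
    {
        // Fail with a readable message instead of an ArgumentException from deep inside the ACL code.
        if (string.IsNullOrWhiteSpace(FileName)) { throw new ArgumentException("A directory path is required.", "FileName"); }
        if (string.IsNullOrWhiteSpace(Account)) { throw new ArgumentException("An account name is required.", "Account"); }

        DirectoryInfo dInfo = new DirectoryInfo(FileName);

        // Current security settings; reorder the DACL so the edits below are accepted.
        DirectorySecurity dSecurity = dInfo.GetAccessControl();
        CanonicalizeDacl(dSecurity);

        // Replace every explicit rule for this account with one Allow on the folder itself ...
        dSecurity.ResetAccessRule(new FileSystemAccessRule(Account, Rights, AccessControlType.Allow));
        // ... plus one that subfolders and files inherit.
        dSecurity.AddAccessRule(new FileSystemAccessRule(Account,
            Rights,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.InheritOnly,
            AccessControlType.Allow));

        // Persist the new DACL.
        dInfo.SetAccessControl(dSecurity);
        return true;
    }
    catch (Exception ex)
    {
        // Best-effort contract: report and signal failure through the return value.
        Console.WriteLine(ex.ToString());
        return false;
    }
}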

 

 

About Lei

I am an IT specialist with over 10 years' experience — years spent on automation, on-premise or Azure.

I am happy to develop, but I never want to be a full-time developer. I only do what I have to do. Whether it has to be PowerShell, HTML, PHP, CSS, C#, VBS or JS, front end or back end, so be it — it doesn't matter!

I spent years with Windows, SCCM, SharePoint, SQL and Exchange servers. For the last several years, I have been actively working in an On Premise > Azure environment.

THERE IS NO WAY BACK!!!

Current Certificates:
    Microsoft® Certified-
  • -Enterprise Administrator
  • -Database Administrator
  • -SharePoint Administrator
  • -Administering and Deploying SCCM 2012
Red Hat Certified Technician
ITIL V3 Foundation - Practitioner

Working on Azure Certificates now and hopefully they can stop upgrading their questions one day! GIVE ME A BREAK!

