Add read permission for all administrators to a copied file - windows

Problem is simple my application copies some file from one location to another.
File at destination folder should be readable by all administrators of computer without elevating privileges.
I've found an API which should do it:
SetNamedSecurityInfoW
SetKernelObjectSecurity
But I'm not fluent with Windows API and this security API is quite complex, so I need help ho to use this API.
Main problem I have is how to get psidGroup? Other stuff is obvious or I can just provide a NULL.
Or is there a better API so I can add this read permission for administrators while file is copied?

psidGroup in SetNamedSecurityInfo is used to change owner or group of the file. There is an example on msdn, get the old Security Info first, then modify(SetEntriesInAcl) and submit(SetNamedSecurityInfo). If you want to set the permission of the a group, set the EXPLICIT_ACCESS.Trustee.TrusteeType to TRUSTEE_IS_GROUP, then you can set the a permission for a group.

Related

windows permission on folder to let a specific user create modify and read file but nobody can delete any file (file shared via an ad)

I would like to set the permission on the folder C:\Share\Project\Project1 (and the previous one if needed) to let a specific user "Bob" create modify and read files but I don't want anybody to be able to delete files. Those folder are shared via an ad and Bob acces them following this path \WIN-SRV1\Share\Project\Project 1. I have all the permission on those deviceS both Bob and the hosting server are on windows.
I think i tried every advanced security permission settings for david and everyone etc, and advanced shared setting
Thank you in advance:)

Windows Share Permissions for Domain Admins not working

I'm setting up a new share that I've enabled enumerated access on. I'm looking to limit people access to files on a certain folder. I've setup other folders that restrict access unless your in a security group. This folder thats giving me trouble was copied over from another network share. When I create a folder from scratch everything works fine so I'm curious if thats whats giving me issues.
The folder I'm trying to access is
x:/Limerock/Projects/"Project Name"
If I go into the security tab and check my effective access it says that I have full control:
The user I'm signed into is joe.jankowiak which is part of the Domain Admins security group. Domain Admins owns all the folders in above this and has full control.
When trying to enter the folder it tells me I need to request permission. I'm an admin so it goes through and adds "joe.jankowiak" to the full control list in the security permissions.
Why is it not taking my domain admin credentials to enter this folder? I'm seeing other weird behavior such as it saying "Unable to display current owner." and "You must have read permissions to view the properties of this object". Clicking continue lets me see it.
Everything looks right, I've setup 6 other new folders in the exact same manner and they work fine. I've signed in and out many times but it hasn't fixed it. Weird enough, another computer I signed into lets me access the folder just fine. Is there a way to reload file permissions since logging in/out doesn't seem to do it. Is there a command like gpupdate that I should run?
I have seen this before andyou might need to do the following operations in order:
-Replace Ownership on the folder and replace all child object ownership too=>apply or OK
-Close the security properties and re-open it again
-Add Domain Admins as full control and Replace all child object permissions... =>apply/OK
That should do it

audit folder which group gives you access

https://www.online-tech-tips.com/windows-xp/how-to-track-and-monitor-who-and-when-someone-accesses-a-folder-on-your-computer/
i followed this guide to add auditing to a specific folder. I added "Everyone" to the audit users.
When i now change something on the folder (create a folder) and see activity in the windows event log.
But where can i read which group gave me access to the specific folder?
Is see stuff like this : D:(A;OICI;FA;;;WD) on Access Reason.
Is there some kind of cryptic translation of the "EveryOne" "Group"
What i need to know basically; Which users are using a specific directory and have access because they are in "EveryOne"
We want to remove "EveryOne" from a specific folder, but need to know which users are using the "group", so we can put them in a Different Group
The above text is formatted using the Security Descriptor Definition Language (SDDL https://msdn.microsoft.com/en-us/library/windows/desktop/aa379567(v=vs.85).aspx). Refer https://msdn.microsoft.com/en-us/library/windows/desktop/aa374928(v=vs.85).aspx to decode your sddl string.
'D:' stands for DACL is changed or created.
The number of parantheses pairs denotes number of the number access control entries added or modified.(in this case 1).
OICI - This indicates that the ACE applies to this folder, its files and its subfolders.
FA denotes what permission is actually provided (All Access).
Finally WD stands for 'Everyone'.
Also refer https://blogs.technet.microsoft.com/askds/2008/05/07/the-security-descriptor-definition-language-of-love-part-2/

Create user independent logfiles in C:\ProgramData

I would like to create logfiles for my application in an user independent lactation. AFAIK C:\ProgramData is good place for that.
I've tried it this way:
if not DirectoryExists('C:\ProgramData\MyApp') then
CreateDirectory('C:\ProgramData\MyApp', nil);
LogFileStream := TFileStream.Create('C:\ProgramData\MyApp\LogFile01.txt', fmCreate, (fmOpenRead or fmShareDenyNone));
The problem with this approach is that the created filed does not have Authenticated Users nor Everyone in Properties->Security->Group or user names.
This results in other users being unable to modify the created files.
But how can I achieve this, also other users being albe to modify the created files.
I think it must be possible to have files with this permission there. Some files do have this permission e.g. C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone *.wav
Maybe either in
1.) somehow creating a 'MyApp' folder in C:\ProgramData with Authenticated Users or Everyone permission which would result in TFileStream automatically creating files with the same permission or
2.) somehow telling TFileStream to create the files with the required permission or
3.) somehow changing the files permission with some API function after its creation or
4.) some other way??
The default permissions in C:\ProgramData, aka FOLDERID_ProgramData allow any user to create new files and folders. However, only the user who creates the file or folder has permission to write to it.
So, if you wish to allow any user to modify objects under FOLDERID_ProgramData then you need to add a permissive ACL to grant those rights. You would typically do that when you installed your program. Create a folder under FOLDERID_ProgramData and add an ACL to grant rights to whichever class of users you wish to allow full access.
As an aside, clearly you should not be hard coding C:\ProgramData, but instead using FOLDERID_ProgramData with the known folder API. I guess the code in the question is just for testing, and your real program code does it correctly.

Google Drive api scope and file access (drive vs drive.files)

I have created two refresh tokens for me:
one for
SCOPE = 'https://www.googleapis.com/auth/drive'
and another
SCOPE = 'https://www.googleapis.com/auth/drive.file'
I'm trying to get information about files (using get method)
Some files I can get when using SCOPE drive.files, and some only when using wider scope drive
But I can not figure out what is the reason for that? Files are located in different folders but have one shared root folder.
The difference is that 'drive.file' only gives you permission to files that your app has created or the user has explicitly shared with your app, whereas 'drive' gives your app permission to see the all the files in the user's drive.
See
https://developers.google.com/drive/web/scopes
You should really look into using drive.file, that is where they are trying to push users. I was just fighting with this myself and found that if you use the drive.file scope, you can then subsequently open the file that is chosen using the API for the file type, but only if you set the correct AppID.
See here: https://developers.google.com/picker/docs/#gdata
This allows you to get past the 404 error that you get if you don't set the AppID.

Resources