DirectorySecurity Class
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Represents the access control and audit security for a directory. This class cannot be inherited.
public ref class DirectorySecurity sealed : System::Security::AccessControl::FileSystemSecurity
public sealed class DirectorySecurity : System.Security.AccessControl.FileSystemSecurity
[System.Security.SecurityCritical]
public sealed class DirectorySecurity : System.Security.AccessControl.FileSystemSecurity
type DirectorySecurity = class
inherit FileSystemSecurity
[<System.Security.SecurityCritical>]
type DirectorySecurity = class
inherit FileSystemSecurity
Public NotInheritable Class DirectorySecurity
Inherits FileSystemSecurity
- Inheritance
-
DirectorySecurity
- Attributes
Examples
The following code example uses the DirectorySecurity class to add and then remove an access control list (ACL) entry from a directory. You must supply a valid user or group account to run this example.
using namespace System;
using namespace System::IO;
using namespace System::Security::AccessControl;
// Adds an access rule for `account` to the DACL of the directory
// `directoryName`. `rights` selects the permissions and `controlType`
// selects whether the entry allows or denies them.
//
// Notes for reviewers:
//  - This is a read-modify-write of the directory's security settings. The
//    rule is only added to the in-memory DirectorySecurity object until
//    SetAccessControl persists it.
//  - NOTE(review): the get/modify/set sequence is not shown to be atomic;
//    presumably an ACL change made by another process between the two calls
//    is overwritten. Confirm before using this pattern on shared directories.
//  - The three-argument FileSystemAccessRule constructor takes no inheritance
//    or propagation flags. Per the .NET documentation for that overload the
//    entry then applies to this directory only, not to its children.
//  - The caller in this sample handles UnauthorizedAccessException and
//    IdentityNotMappedException; nothing is caught here.
void AddDirectorySecurity(String^ directoryName, String^ account,
    FileSystemRights rights, AccessControlType controlType)
{
    // Handle to the directory whose ACL is being edited.
    DirectoryInfo^ target = gcnew DirectoryInfo(directoryName);

    // Current security settings of the directory.
    DirectorySecurity^ acl = target->GetAccessControl();

    // Build the new entry and merge it into the in-memory settings.
    FileSystemAccessRule^ entry =
        gcnew FileSystemAccessRule(account, rights, controlType);
    acl->AddAccessRule(entry);

    // Write the modified settings back to the directory.
    target->SetAccessControl(acl);
}
// Removes matching access rules for `account` from the DACL of the directory
// `directoryName`. `rights` and `controlType` describe the entry to match.
//
// Notes for reviewers:
//  - RemoveAccessRule matches on the account, the allow/deny type and the
//    rights. It does not target "the entry a previous Add call created". If
//    the account already held the same explicit rights before the Add, this
//    call may strip those as well, so check the resulting ACL rather than
//    assuming Add followed by Remove restores the original state.
//  - The Boolean result of RemoveAccessRule is discarded, so this function
//    does not report whether anything was actually removed.
//  - NOTE(review): the get/modify/set sequence is not shown to be atomic;
//    presumably a concurrent ACL change between the two calls is overwritten.
void RemoveDirectorySecurity(String^ directoryName, String^ account,
    FileSystemRights rights, AccessControlType controlType)
{
    // Handle to the directory whose ACL is being edited.
    DirectoryInfo^ target = gcnew DirectoryInfo(directoryName);

    // Current security settings of the directory.
    DirectorySecurity^ acl = target->GetAccessControl();

    // Describe the entry to match and remove it from the in-memory settings.
    FileSystemAccessRule^ entry =
        gcnew FileSystemAccessRule(account, rights, controlType);
    acl->RemoveAccessRule(entry);

    // Write the modified settings back to the directory.
    target->SetAccessControl(acl);
}
// Demonstrates adding and then removing a ReadData allow entry for a
// placeholder account on "TestDirectory".
//
// The directory name is relative, so it resolves against the process's
// current working directory; run the sample from a location where changing
// that directory's ACL is intended. Only UnauthorizedAccessException and
// IdentityNotMappedException are handled; any other exception propagates.
int main()
{
    String^ targetDirectory = "TestDirectory";
    // Placeholder account; replace with a valid user or group.
    String^ principal = "MYDOMAIN\\MyAccount";

    // Bail out early when there is nothing to modify. The directory can still
    // disappear after this check, so the calls below remain inside try/catch.
    if (!Directory::Exists(targetDirectory))
    {
        Console::WriteLine("The directory {0} could not be found.",
            targetDirectory);
        return 0;
    }

    try
    {
        // Grant ReadData to the account on the directory.
        Console::WriteLine("Adding access control entry for {0}",
            targetDirectory);
        AddDirectorySecurity(targetDirectory, principal,
            FileSystemRights::ReadData, AccessControlType::Allow);

        // Take the same grant away again.
        Console::WriteLine("Removing access control entry from {0}",
            targetDirectory);
        RemoveDirectorySecurity(targetDirectory, principal,
            FileSystemRights::ReadData, AccessControlType::Allow);

        Console::WriteLine("Done.");
    }
    catch (UnauthorizedAccessException^)
    {
        // The caller lacks permission to read or change the directory's ACL.
        Console::WriteLine("You are not authorised to carry" +
            " out this procedure.");
    }
    catch (System::Security::Principal::IdentityNotMappedException^)
    {
        // The account name could not be resolved to an identity.
        Console::WriteLine("The account {0} could not be found.", principal);
    }

    return 0;
}
using System;
using System.IO;
using System.Security.AccessControl;
namespace FileSystemExample
{
    // Console sample: adds and then removes a ReadData allow entry for a
    // placeholder account on a directory.
    class DirectoryExample
    {
        public static void Main()
        {
            // Relative path: resolves against the current working directory,
            // so run the sample where changing that directory's ACL is intended.
            const string targetDirectory = "TestDirectory";
            // Placeholder account; replace with a valid user or group.
            const string principal = @"MYDOMAIN\MyAccount";

            try
            {
                // Grant ReadData to the account on the directory.
                Console.WriteLine("Adding access control entry for " + targetDirectory);
                AddDirectorySecurity(targetDirectory, principal, FileSystemRights.ReadData, AccessControlType.Allow);

                // Take the same grant away again.
                Console.WriteLine("Removing access control entry from " + targetDirectory);
                RemoveDirectorySecurity(targetDirectory, principal, FileSystemRights.ReadData, AccessControlType.Allow);

                Console.WriteLine("Done.");
            }
            catch (Exception e)
            {
                // Catch-all for the sample: prints the whole exception to the
                // console instead of distinguishing the failure causes.
                Console.WriteLine(e);
            }

            Console.ReadLine();
        }

        // Adds an access rule for Account to the DACL of the directory
        // DirectoryName. Rights selects the permissions and ControlType
        // selects whether the entry allows or denies them.
        //
        // The rule is only added to the in-memory DirectorySecurity object
        // until SetAccessControl persists it.
        // NOTE(review): the get/modify/set sequence is not shown to be atomic;
        // presumably a concurrent ACL change between the two calls is
        // overwritten. Confirm before using this on shared directories.
        // The three-argument FileSystemAccessRule constructor takes no
        // inheritance or propagation flags. Per the .NET documentation for
        // that overload the entry applies to this directory only, not to its
        // children.
        public static void AddDirectorySecurity(
            string DirectoryName,
            string Account,
            FileSystemRights Rights,
            AccessControlType ControlType
            )
        {
            // Handle to the directory whose ACL is being edited.
            DirectoryInfo target = new DirectoryInfo(DirectoryName);

            // Current security settings of the directory.
            DirectorySecurity acl = target.GetAccessControl();

            // Build the new entry and merge it into the in-memory settings.
            FileSystemAccessRule entry = new FileSystemAccessRule(Account, Rights, ControlType);
            acl.AddAccessRule(entry);

            // Write the modified settings back to the directory.
            target.SetAccessControl(acl);
        }

        // Removes matching access rules for Account from the DACL of the
        // directory DirectoryName. Rights and ControlType describe the entry
        // to match.
        //
        // RemoveAccessRule matches on the account, the allow/deny type and
        // the rights. It does not target "the entry a previous Add call
        // created". If the account already held the same explicit rights
        // before the Add, this call may strip those as well, so check the
        // resulting ACL rather than assuming Add followed by Remove restores
        // the original state.
        // The Boolean result of RemoveAccessRule is discarded, so this method
        // does not report whether anything was actually removed.
        public static void RemoveDirectorySecurity(
            string DirectoryName,
            string Account,
            FileSystemRights Rights,
            AccessControlType ControlType
            )
        {
            // Handle to the directory whose ACL is being edited.
            DirectoryInfo target = new DirectoryInfo(DirectoryName);

            // Current security settings of the directory.
            DirectorySecurity acl = target.GetAccessControl();

            // Describe the entry to match and remove it from the in-memory settings.
            FileSystemAccessRule entry = new FileSystemAccessRule(Account, Rights, ControlType);
            acl.RemoveAccessRule(entry);

            // Write the modified settings back to the directory.
            target.SetAccessControl(acl);
        }
    }
}
Imports System.IO
Imports System.Security.AccessControl
' Console sample: adds and then removes a ReadData allow entry for a
' placeholder account on a directory.
Module DirectoryExample

    Sub Main()
        ' Relative path: resolves against the current working directory,
        ' so run the sample where changing that directory's ACL is intended.
        Dim targetDirectory As String = "TestDirectory"
        ' Placeholder account; replace with a valid user or group.
        Dim principal As String = "MYDOMAIN\MyAccount"

        Try
            ' Grant ReadData to the account on the directory.
            Console.WriteLine("Adding access control entry for " + targetDirectory)
            AddDirectorySecurity(targetDirectory, principal, FileSystemRights.ReadData, AccessControlType.Allow)

            ' Take the same grant away again.
            Console.WriteLine("Removing access control entry from " + targetDirectory)
            RemoveDirectorySecurity(targetDirectory, principal, FileSystemRights.ReadData, AccessControlType.Allow)

            Console.WriteLine("Done.")
        Catch e As Exception
            ' Catch-all for the sample: prints the whole exception to the
            ' console instead of distinguishing the failure causes.
            Console.WriteLine(e)
        End Try

        Console.ReadLine()
    End Sub

    ' Adds an access rule for Account to the DACL of the directory named by
    ' FileName (the parameter holds a directory path despite its name).
    ' Rights selects the permissions and ControlType selects whether the
    ' entry allows or denies them.
    '
    ' The rule is only added to the in-memory DirectorySecurity object until
    ' SetAccessControl persists it.
    ' NOTE(review): the get/modify/set sequence is not shown to be atomic;
    ' presumably a concurrent ACL change between the two calls is overwritten.
    ' The three-argument FileSystemAccessRule constructor takes no inheritance
    ' or propagation flags. Per the .NET documentation for that overload the
    ' entry applies to this directory only, not to its children.
    Sub AddDirectorySecurity(ByVal FileName As String, ByVal Account As String, ByVal Rights As FileSystemRights, ByVal ControlType As AccessControlType)
        ' Handle to the directory whose ACL is being edited.
        Dim target As DirectoryInfo = New DirectoryInfo(FileName)

        ' Current security settings of the directory.
        Dim acl As DirectorySecurity = target.GetAccessControl()

        ' Build the new entry and merge it into the in-memory settings.
        Dim entry As FileSystemAccessRule = New FileSystemAccessRule(Account, Rights, ControlType)
        acl.AddAccessRule(entry)

        ' Write the modified settings back to the directory.
        target.SetAccessControl(acl)
    End Sub

    ' Removes matching access rules for Account from the DACL of the
    ' directory named by FileName. Rights and ControlType describe the entry
    ' to match.
    '
    ' RemoveAccessRule matches on the account, the allow/deny type and the
    ' rights. It does not target "the entry a previous Add call created". If
    ' the account already held the same explicit rights before the Add, this
    ' call may strip those as well, so check the resulting ACL rather than
    ' assuming Add followed by Remove restores the original state.
    ' The Boolean result of RemoveAccessRule is discarded, so this routine
    ' does not report whether anything was actually removed.
    Sub RemoveDirectorySecurity(ByVal FileName As String, ByVal Account As String, ByVal Rights As FileSystemRights, ByVal ControlType As AccessControlType)
        ' Handle to the directory whose ACL is being edited.
        Dim target As DirectoryInfo = New DirectoryInfo(FileName)

        ' Current security settings of the directory.
        Dim acl As DirectorySecurity = target.GetAccessControl()

        ' Describe the entry to match and remove it from the in-memory settings.
        Dim entry As FileSystemAccessRule = New FileSystemAccessRule(Account, Rights, ControlType)
        acl.RemoveAccessRule(entry)

        ' Write the modified settings back to the directory.
        target.SetAccessControl(acl)
    End Sub

End Module
Remarks
The DirectorySecurity class specifies the access rights for a system directory and how access attempts are audited. This class represents access and audit rights as a set of rules. Each access rule is represented by a FileSystemAccessRule object, while each audit rule is represented by a FileSystemAuditRule object.
The DirectorySecurity class is an abstraction of the underlying Windows file security system. In this system, each directory has a discretionary access control list (DACL), which controls access to the directory, and a system access control list (SACL), which specifies the access control attempts that are audited. The FileSystemAccessRule and FileSystemAuditRule classes are abstractions of the access control entries (ACEs) that comprise DACLs and SACLs.
The DirectorySecurity class hides many of the details of DACLs and SACLs; you do not have to worry about ACE ordering or null DACLs.
Use the FileSecurity class to retrieve, add, or change the access rules that represent the DACL and SACL of a file.
The following table lists the methods you can use to access and maintain directory security.
Task | Methods |
---|---|
Add rules | FileSystemSecurity.AddAccessRule FileSystemSecurity.AddAuditRule |
Remove rules | FileSystemSecurity.RemoveAccessRule FileSystemSecurity.RemoveAuditRule |
Retrieve the access control to a directory | FileSystemAclExtensions.GetAccessControl(DirectoryInfo) DirectoryInfo.GetAccessControl |
Persist the access control to a directory | FileSystemAclExtensions.SetAccessControl(DirectoryInfo, DirectorySecurity) DirectoryInfo.SetAccessControl |
Constructors
DirectorySecurity() |
Initializes a new instance of the DirectorySecurity class. |
DirectorySecurity(String, AccessControlSections) |
Initializes a new instance of the DirectorySecurity class from a specified directory using the specified values of the AccessControlSections enumeration. |
Properties
AccessRightType |
Gets the enumeration that the FileSystemSecurity class uses to represent access rights. (Inherited from FileSystemSecurity) |
AccessRulesModified |
Gets or sets a Boolean value that specifies whether the access rules associated with this ObjectSecurity object have been modified. (Inherited from ObjectSecurity) |
AccessRuleType |
Gets the enumeration that the FileSystemSecurity class uses to represent access rules. (Inherited from FileSystemSecurity) |
AreAccessRulesCanonical |
Gets a Boolean value that specifies whether the access rules associated with this ObjectSecurity object are in canonical order. (Inherited from ObjectSecurity) |
AreAccessRulesProtected |
Gets a Boolean value that specifies whether the Discretionary Access Control List (DACL) associated with this ObjectSecurity object is protected. (Inherited from ObjectSecurity) |
AreAuditRulesCanonical |
Gets a Boolean value that specifies whether the audit rules associated with this ObjectSecurity object are in canonical order. (Inherited from ObjectSecurity) |
AreAuditRulesProtected |
Gets a Boolean value that specifies whether the System Access Control List (SACL) associated with this ObjectSecurity object is protected. (Inherited from ObjectSecurity) |
AuditRulesModified |
Gets or sets a Boolean value that specifies whether the audit rules associated with this ObjectSecurity object have been modified. (Inherited from ObjectSecurity) |
AuditRuleType |
Gets the type that the FileSystemSecurity class uses to represent audit rules. (Inherited from FileSystemSecurity) |
GroupModified |
Gets or sets a Boolean value that specifies whether the group associated with the securable object has been modified. (Inherited from ObjectSecurity) |
IsContainer |
Gets a Boolean value that specifies whether this ObjectSecurity object is a container object. (Inherited from ObjectSecurity) |
IsDS |
Gets a Boolean value that specifies whether this ObjectSecurity object is a directory object. (Inherited from ObjectSecurity) |
OwnerModified |
Gets or sets a Boolean value that specifies whether the owner of the securable object has been modified. (Inherited from ObjectSecurity) |
SecurityDescriptor |
Gets the security descriptor for this instance. (Inherited from ObjectSecurity) |
Methods
AccessRuleFactory(IdentityReference, Int32, Boolean, InheritanceFlags, PropagationFlags, AccessControlType) |
Initializes a new instance of the FileSystemAccessRule class that represents a new access control rule for the specified user, with the specified access rights, access control, and flags. (Inherited from FileSystemSecurity) |
AddAccessRule(AccessRule) |
Adds the specified access rule to the Discretionary Access Control List (DACL) associated with this CommonObjectSecurity object. (Inherited from CommonObjectSecurity) |
AddAccessRule(FileSystemAccessRule) |
Adds the specified access control list (ACL) permission to the current file or directory. (Inherited from FileSystemSecurity) |
AddAuditRule(AuditRule) |
Adds the specified audit rule to the System Access Control List (SACL) associated with this CommonObjectSecurity object. (Inherited from CommonObjectSecurity) |
AddAuditRule(FileSystemAuditRule) |
Adds the specified audit rule to the current file or directory. (Inherited from FileSystemSecurity) |
AuditRuleFactory(IdentityReference, Int32, Boolean, InheritanceFlags, PropagationFlags, AuditFlags) |
Initializes a new instance of the FileSystemAuditRule class representing the specified audit rule for the specified user. (Inherited from FileSystemSecurity) |
Equals(Object) |
Determines whether the specified object is equal to the current object. (Inherited from Object) |
GetAccessRules(Boolean, Boolean, Type) |
Gets a collection of the access rules associated with the specified security identifier. (Inherited from CommonObjectSecurity) |
GetAuditRules(Boolean, Boolean, Type) |
Gets a collection of the audit rules associated with the specified security identifier. (Inherited from CommonObjectSecurity) |
GetGroup(Type) |
Gets the primary group associated with the specified owner. (Inherited from ObjectSecurity) |
GetHashCode() |
Serves as the default hash function. (Inherited from Object) |
GetOwner(Type) |
Gets the owner associated with the specified primary group. (Inherited from ObjectSecurity) |
GetSecurityDescriptorBinaryForm() |
Returns an array of byte values that represents the security descriptor information for this ObjectSecurity object. (Inherited from ObjectSecurity) |
GetSecurityDescriptorSddlForm(AccessControlSections) |
Returns the Security Descriptor Definition Language (SDDL) representation of the specified sections of the security descriptor associated with this ObjectSecurity object. (Inherited from ObjectSecurity) |
GetType() |
Gets the Type of the current instance. (Inherited from Object) |
MemberwiseClone() |
Creates a shallow copy of the current Object. (Inherited from Object) |
ModifyAccess(AccessControlModification, AccessRule, Boolean) |
Applies the specified modification to the Discretionary Access Control List (DACL) associated with this CommonObjectSecurity object. (Inherited from CommonObjectSecurity) |
ModifyAccessRule(AccessControlModification, AccessRule, Boolean) |
Applies the specified modification to the Discretionary Access Control List (DACL) associated with this ObjectSecurity object. (Inherited from ObjectSecurity) |
ModifyAudit(AccessControlModification, AuditRule, Boolean) |
Applies the specified modification to the System Access Control List (SACL) associated with this CommonObjectSecurity object. (Inherited from CommonObjectSecurity) |
ModifyAuditRule(AccessControlModification, AuditRule, Boolean) |
Applies the specified modification to the System Access Control List (SACL) associated with this ObjectSecurity object. (Inherited from ObjectSecurity) |
Persist(Boolean, String, AccessControlSections) |
Saves the specified sections of the security descriptor associated with this ObjectSecurity object to permanent storage. We recommend that the values of the |
Persist(SafeHandle, AccessControlSections) |
Saves the specified sections of the security descriptor associated with this NativeObjectSecurity object to permanent storage. We recommend that the values of the |
Persist(SafeHandle, AccessControlSections, Object) |
Saves the specified sections of the security descriptor associated with this NativeObjectSecurity object to permanent storage. We recommend that the values of the |
Persist(String, AccessControlSections) |
Saves the specified sections of the security descriptor associated with this NativeObjectSecurity object to permanent storage. We recommend that the values of the |
Persist(String, AccessControlSections, Object) |
Saves the specified sections of the security descriptor associated with this NativeObjectSecurity object to permanent storage. We recommend that the values of the |
PurgeAccessRules(IdentityReference) |
Removes all access rules associated with the specified IdentityReference. (Inherited from ObjectSecurity) |
PurgeAuditRules(IdentityReference) |
Removes all audit rules associated with the specified IdentityReference. (Inherited from ObjectSecurity) |
ReadLock() |
Locks this ObjectSecurity object for read access. (Inherited from ObjectSecurity) |
ReadUnlock() |
Unlocks this ObjectSecurity object for read access. (Inherited from ObjectSecurity) |
RemoveAccessRule(AccessRule) |
Removes access rules that contain the same security identifier and access mask as the specified access rule from the Discretionary Access Control List (DACL) associated with this CommonObjectSecurity object. (Inherited from CommonObjectSecurity) |
RemoveAccessRule(FileSystemAccessRule) |
Removes all matching allow or deny access control list (ACL) permissions from the current file or directory. (Inherited from FileSystemSecurity) |
RemoveAccessRuleAll(AccessRule) |
Removes all access rules that have the same security identifier as the specified access rule from the Discretionary Access Control List (DACL) associated with this CommonObjectSecurity object. (Inherited from CommonObjectSecurity) |
RemoveAccessRuleAll(FileSystemAccessRule) |
Removes all access control list (ACL) permissions for the specified user from the current file or directory. (Inherited from FileSystemSecurity) |
RemoveAccessRuleSpecific(AccessRule) |
Removes all access rules that exactly match the specified access rule from the Discretionary Access Control List (DACL) associated with this CommonObjectSecurity object. (Inherited from CommonObjectSecurity) |
RemoveAccessRuleSpecific(FileSystemAccessRule) |
Removes a single matching allow or deny access control list (ACL) permission from the current file or directory. (Inherited from FileSystemSecurity) |
RemoveAuditRule(AuditRule) |
Removes audit rules that contain the same security identifier and access mask as the specified audit rule from the System Access Control List (SACL) associated with this CommonObjectSecurity object. (Inherited from CommonObjectSecurity) |
RemoveAuditRule(FileSystemAuditRule) |
Removes all matching allow or deny audit rules from the current file or directory. (Inherited from FileSystemSecurity) |
RemoveAuditRuleAll(AuditRule) |
Removes all audit rules that have the same security identifier as the specified audit rule from the System Access Control List (SACL) associated with this CommonObjectSecurity object. (Inherited from CommonObjectSecurity) |
RemoveAuditRuleAll(FileSystemAuditRule) |
Removes all audit rules for the specified user from the current file or directory. (Inherited from FileSystemSecurity) |
RemoveAuditRuleSpecific(AuditRule) |
Removes all audit rules that exactly match the specified audit rule from the System Access Control List (SACL) associated with this CommonObjectSecurity object. (Inherited from CommonObjectSecurity) |
RemoveAuditRuleSpecific(FileSystemAuditRule) |
Removes a single matching allow or deny audit rule from the current file or directory. (Inherited from FileSystemSecurity) |
ResetAccessRule(AccessRule) |
Removes all access rules in the Discretionary Access Control List (DACL) associated with this CommonObjectSecurity object and then adds the specified access rule. (Inherited from CommonObjectSecurity) |
ResetAccessRule(FileSystemAccessRule) |
Adds the specified access control list (ACL) permission to the current file or directory and removes all matching ACL permissions. (Inherited from FileSystemSecurity) |
SetAccessRule(AccessRule) |
Removes all access rules that contain the same security identifier and qualifier as the specified access rule in the Discretionary Access Control List (DACL) associated with this CommonObjectSecurity object and then adds the specified access rule. (Inherited from CommonObjectSecurity) |
SetAccessRule(FileSystemAccessRule) |
Sets the specified access control list (ACL) permission for the current file or directory. (Inherited from FileSystemSecurity) |
SetAccessRuleProtection(Boolean, Boolean) |
Sets or removes protection of the access rules associated with this ObjectSecurity object. Protected access rules cannot be modified by parent objects through inheritance. (Inherited from ObjectSecurity) |
SetAuditRule(AuditRule) |
Removes all audit rules that contain the same security identifier and qualifier as the specified audit rule in the System Access Control List (SACL) associated with this CommonObjectSecurity object and then adds the specified audit rule. (Inherited from CommonObjectSecurity) |
SetAuditRule(FileSystemAuditRule) |
Sets the specified audit rule for the current file or directory. (Inherited from FileSystemSecurity) |
SetAuditRuleProtection(Boolean, Boolean) |
Sets or removes protection of the audit rules associated with this ObjectSecurity object. Protected audit rules cannot be modified by parent objects through inheritance. (Inherited from ObjectSecurity) |
SetGroup(IdentityReference) |
Sets the primary group for the security descriptor associated with this ObjectSecurity object. (Inherited from ObjectSecurity) |
SetOwner(IdentityReference) |
Sets the owner for the security descriptor associated with this ObjectSecurity object. (Inherited from ObjectSecurity) |
SetSecurityDescriptorBinaryForm(Byte[]) |
Sets the security descriptor for this ObjectSecurity object from the specified array of byte values. (Inherited from ObjectSecurity) |
SetSecurityDescriptorBinaryForm(Byte[], AccessControlSections) |
Sets the specified sections of the security descriptor for this ObjectSecurity object from the specified array of byte values. (Inherited from ObjectSecurity) |
SetSecurityDescriptorSddlForm(String) |
Sets the security descriptor for this ObjectSecurity object from the specified Security Descriptor Definition Language (SDDL) string. (Inherited from ObjectSecurity) |
SetSecurityDescriptorSddlForm(String, AccessControlSections) |
Sets the specified sections of the security descriptor for this ObjectSecurity object from the specified Security Descriptor Definition Language (SDDL) string. (Inherited from ObjectSecurity) |
ToString() |
Returns a string that represents the current object. (Inherited from Object) |
WriteLock() |
Locks this ObjectSecurity object for write access. (Inherited from ObjectSecurity) |
WriteUnlock() |
Unlocks this ObjectSecurity object for write access. (Inherited from ObjectSecurity) |
Extension Methods
CreateDirectory(DirectorySecurity, String) |
Creates a directory and returns it, ensuring it is created with the specified directory security. If the directory already exists, the existing directory is returned. |