We are developing a Windows executable and need to limit the executable's access to folders on a shared drive.
We use the CreateRestrictedToken function (SidsToDisable parameter) to deny access to folders for specific groups.
It seems that the deny flag only works on local folders but does not work on a shared folder.
Here is an example:
The shared folder vm62share has share permissions set to Everyone, full control, and security permissions set to Active Directory group Team-b, full control. This effectively limits access to users in group Team-b only.
We need to prevent access to a shared folder (vm62share) for the process whose user is a member of group Team-b.
We start the process with a restricted token by using the CreateRestrictedToken function. The
restricted token has a deny flag set on group Team-b. We check the process’s flags using the
The process has a deny flag set for group Team-b
Shared folder only allows access to members of group Team-b
The process can still read/write files in shared folder vm62share.
This is not expected; the process should not have been allowed to read/write, since it has a deny flag set for group Team-b and there are no additional permissions allowing access.
If we create a local folder and limit access to group Team-b only, then
the deny flag works as expected (the process with the deny flag is not
able to read/write files in the folder).
It looks as if the deny flag does not have any effect on shared folders.
Can you please explain?