Herman
Well-known member
I have been tasked with writing a small tool to automate the creation of TS profiles on our server. After creating the users, groups, and UPN suffix through the domain controller's AD, I have to create a skeleton folder structure for the user, with appropriate permissions. I have the following code, please let me know if you spot the solution... The problem is explained in the comments:
 
	
		
			
		
		
	
				
			    Public Sub CreateFolders(ByVal domain As String)
        Dim diHosted As New DirectoryInfo("\\" & ServerAddress & "\Hosted")
        Dim diCompany = diHosted.CreateSubdirectory(domain)
        Dim diCommon = diCompany.CreateSubdirectory("Common")
        Dim diProfiles = diCompany.CreateSubdirectory("Profiles")
        Dim diUsers = diCompany.CreateSubdirectory("Users")
        Dim de = GroupPrincipal.FindByIdentity(GetPrincipalContext("OU=Groups,OU=" & domain & ",OU=Hosted,DC=mydomain,DC=com"), domain & "-Security-Group")
        ' This part works fine. The correct permissions are applied and the correct permissions are inherited.
        Dim acl As DirectorySecurity = diCompany.GetAccessControl()
        With acl
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.AppendData, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.CreateDirectories, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.CreateFiles, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.Delete, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.ExecuteFile, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.ListDirectory, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.Modify, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.Read, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.ReadAndExecute, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.ReadAttributes, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.ReadData, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.ReadExtendedAttributes, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.ReadPermissions, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.Synchronize, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.Traverse, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.Write, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.WriteAttributes, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.WriteData, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.WriteExtendedAttributes, AccessControlType.Allow))
        End With
        diCompany.SetAccessControl(acl)
        ' For these subfolders, I need to have only the three permissions listed here for the group. The rest
        ' of the permissions applied above should NOT be inherited here. However I DO need the other inherited
        ' permissions (from the parent`s parent). I know I can protect this ACL from inheriting through
        ' .SetAccessRuleProtection(True, False), but that is no good as I need to keep the inherited permissions
        ' from everyone else except the group represented by de.Sid.
        acl = diProfiles.GetAccessControl()
        With acl
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.AppendData, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.CreateDirectories, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.Traverse, AccessControlType.Allow))
        End With
        diProfiles.SetAccessControl(acl)
        acl = diUsers.GetAccessControl()
        With acl
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.AppendData, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.CreateDirectories, AccessControlType.Allow))
            .AddAccessRule(GetFileSystemAccessRule(de.Sid, FileSystemRights.Traverse, AccessControlType.Allow))
        End With
        diUsers.SetAccessControl(acl)
    End Sub
    Private Function GetFileSystemAccessRule(ByVal sid As Security.Principal.SecurityIdentifier, ByVal right As FileSystemRights, ByVal access As AccessControlType) As FileSystemAccessRule
        Return New FileSystemAccessRule(sid, right, InheritanceFlags.ContainerInherit Or InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow)
    End Function
 
	 
 
		 
 
		 
 
		 
 
		 
 
		