
Volume ACL on Vista.



Guest Jean-Paul Blanc
Posted

Hi,

I wrote a small program using the QueryDosDevice(...) API to get the volume name associated with a unit name (A:, B:, C: etc.). I then use CreateFile(...) and SetSecurityInfo(...) to modify the DACL of the volume, so that I can allow or deny users or groups access to the unit. This is done dynamically by a service detecting the unit arrival.

To be clear, the same thing can be done with:

SetNamedSecurityInfo ("\\\\.\\A:",
                      SE_FILE_OBJECT,
                      DACL_SECURITY_INFORMATION|PROTECTED_DACL_SECURITY_INFORMATION,
                      NULL,
                      NULL,
                      paclNew,
                      NULL);

"\\.\A:" allows opening a volume and not the root of the unit, as documented in the CreateFile(...) API.

This works well on XP. On Vista it's different. The DACL on the volume still works for CD-ROM and floppy, but it no longer works for disks (removable or not). On disks, the DACL on the volume just allows/denies the format.exe or checkdisk.exe commands.

When I have a look at the Microsoft documentation "Removable storage device and Windows Vista support" (http://www.microsoft.com/whdc/device/stora...mstorperms.mspx), the "File System Stack" being on top of the "Volume Manager stack", the ACL on the volume should lock users' access. The tool "Device tree V2.19" from the OSR company (http://www.osronline.com/) shows the file system driver on top of the volume driver.

Surely I am missing something. Can anybody explain what, and how I can programmatically give ACL rights to volumes on Vista? I saw that GPO allows putting default ACLs on driver classes; is that the way?

Thanks in advance.

JP
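The handle-based procedure described in the post above (CreateFile on the `\\.\X:` volume device, then SetSecurityInfo), written out as an added example that is not the poster's code. The function names `volume_device_path` and `deny_volume_access` and the choice of a single deny ACE are assumptions; per the post, on Vista this DACL only gates format/checkdisk for disks.

```c
#include <stdio.h>
#include <ctype.h>
#ifdef _WIN32
#include <windows.h>
#include <aclapi.h>
#endif

/* Build "\\.\X:" (volume device; no trailing backslash, which would name the
   root directory instead). Hypothetical helper. Returns 0 on success. */
int volume_device_path(char drive, char *out, size_t cap)
{
    if (!isalpha((unsigned char)drive) || cap < 7) return -1;
    snprintf(out, cap, "\\\\.\\%c:", toupper((unsigned char)drive));
    return 0;
}

/* Prepend a deny ACE for `account` to the volume's DACL and protect the DACL
   from inheritance. Returns 0 on success, a Win32 error code on failure,
   or -1 when built on a non-Windows system. Hypothetical helper. */
long deny_volume_access(char drive, const char *account)
{
#ifdef _WIN32
    char path[8];
    PACL oldDacl = NULL, newDacl = NULL;
    PSECURITY_DESCRIPTOR sd = NULL;
    EXPLICIT_ACCESS_A ea;
    DWORD rc;
    HANDLE h;
    if (volume_device_path(drive, path, sizeof path) != 0)
        return ERROR_INVALID_PARAMETER;
    /* READ_CONTROL to read the current DACL, WRITE_DAC to replace it. */
    h = CreateFileA(path, READ_CONTROL | WRITE_DAC,
                    FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) return (long)GetLastError();
    rc = GetSecurityInfo(h, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                         NULL, NULL, &oldDacl, NULL, &sd);
    if (rc == ERROR_SUCCESS) {
        BuildExplicitAccessWithNameA(&ea, (LPSTR)account, GENERIC_ALL,
                                     DENY_ACCESS, NO_INHERITANCE);
        rc = SetEntriesInAclA(1, &ea, oldDacl, &newDacl); /* merge with old ACEs */
    }
    if (rc == ERROR_SUCCESS)
        rc = SetSecurityInfo(h, SE_FILE_OBJECT,
                 DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
                 NULL, NULL, newDacl, NULL);
    if (newDacl) LocalFree(newDacl);
    if (sd) LocalFree(sd);      /* oldDacl points into sd; freed with it */
    CloseHandle(h);
    return (long)rc;
#else
    (void)drive; (void)account;
    return -1;
#endif
}
```

On Windows, link with advapi32 and run from an elevated service context; the caller needs WRITE_DAC on the volume object.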

Guest H Brown
Posted


Hi, Jean-Paul Blanc

A few things have changed in Windows Vista from how they worked with Windows XP. The articles at the links listed below are a must read and will no doubt answer your question.

The fundamental structure of access control lists (ACLs) has not changed much for Windows Vista, but there are a number of small yet important changes you need to be aware of.
http://technet.microsoft.com/en-us/magazine/2007.06.acl.aspx

Of course Windows it pro dot com has very good articles that you $hould find very useful.

http://windowsitpro.com/article/articleid/...way.htmlTechNet IT Professional Community is also a good source IT information. http://technet.microsoft.com/en-us/magazine/bb291006.aspxH Brown

Guest H Brown
Posted


Sorry, correction: the last line should read

TechNet IT Professional Community is also a good source of IT information.
http://technet.microsoft.com/en-us/magazine/bb291006.aspx

H Brown
