Directory Permission Store in C#

I created a program that tracks the directory (e.g. \\server\share\folderXYZ) for changed events (e.g. created, deleted, renamed and permission changes). I also received a notification if something has changed, but I can’t get accurate information about what has changed.

For example, I changed the permission for the above directory in the folder properties (Properties → Security → Change → Add a new user or group or change the permission for users and groups). The file system observer gives a notification if something has changed, but I cannot get other data, for example:

  • For which user have the rights been changed?
  • Who changed the user permissions?
  • If a new group is added (it is necessary that all users in the group add a new group)?
  • If any new user is added to the group and who has added and should receive additional user data?
  • If a user or group is deleted, what is the information about the group or user deleted?
  • If any permission is added or changed for a user, what are some permissions added or changed?
  • If any permission is changed for the group, what is the change allowed?

Example Scenarios:

Action: at 11:00 the administrator added user A to the trainees (existing group)

Expected Result:
Access to \\server\share\folderXYZ changed: User A now has read access granted by the administrator at 11:00, because now he is a member of the interns who has read access.

I hope the question is clear. I did a lot of searching and could not find a solution. Please let me know if any API or Service or any alternatives are available.

-Thanks

+7
2 answers

The way to get the information you want is to use Windows Security Auditing, especially because you want to know who made the change, not just what has changed.

The following code (and settings) produces the following output:

    11-07-2011 17:43:10: 'Fujitsu\Grynn' changed security descriptor on file 'C:\Users\Grynn\Documents\ExcelTools\test.txt' from
    'D:AI(A;;0x1200a9;;;BU)(A;ID;FA;;;S-1-5-21-559386011-2179397067-1987725642-1000)(A;ID;FA;;;SY)(A;ID;FA;;;BA)'
    to
    'D:ARAI(A;ID;FA;;;S-1-5-21-559386011-2179397067-1987725642-1000)(A;ID;FA;;;SY)(A;ID;FA;;;BA)'
    using 'C:\Windows\explorer.exe'

    12-07-2011 17:55:10: 'Fujitsu\Grynn' changed security descriptor on file 'C:\Users\Grynn\Documents\ExcelTools\test.txt' from
    'D:ARAI(A;ID;FA;;;S-1-5-21-559386011-2179397067-1987725642-1000)(A;ID;FA;;;SY)(A;ID;FA;;;BA)'
    to
    'D:ARAI(D;;FA;;;S-1-5-21-559386011-2179397067-1987725642-1001)(A;ID;FA;;;S-1-5-21-559386011-2179397067-1987725642-1000)(A;ID;FA;;;SY)(A;ID;FA;;;BA)'
    using 'C:\Windows\explorer.exe'

Enabling auditing has 2 steps:

1. Use gpedit.msc to enable the "Audit object access" group policy.

2. Change the "Auditing" settings on the folder that you want to watch, e.g. an auditing entry for the example folder 'ExcelTools'.

Now, whenever a file system change event occurs (or via polling), query the security event log.

Code for querying the security event log:

    using System;
    using System.Diagnostics.Eventing.Reader;
    using System.Linq;   // ToArray() on the IList<object> returned by GetPropertyValues

    // XPath selectors for the event fields, in the order used by the format string below.
    var props = new EventLogPropertySelector(new string[] {
        "Event/System/TimeCreated/@SystemTime",
        "Event/EventData/Data[@Name='SubjectDomainName']",
        "Event/EventData/Data[@Name='SubjectUserName']",
        "Event/EventData/Data[@Name='ObjectName']",
        "Event/EventData/Data[@Name='OldSd']",
        "Event/EventData/Data[@Name='NewSd']",
        "Event/EventData/Data[@Name='ProcessName']"
    });

    using (var session = new System.Diagnostics.Eventing.Reader.EventLogSession())
    {
        // 4670 == Permissions on an object were changed
        var q = new EventLogQuery("Security", PathType.LogName, "*[System[(EventID=4670)]]");
        q.Session = session;

        EventLogReader rdr = new EventLogReader(q);
        for (EventRecord eventInstance = rdr.ReadEvent();
             null != eventInstance;
             eventInstance = rdr.ReadEvent())
        {
            var elr = (EventLogRecord)eventInstance;
            Console.WriteLine(
                "{0}: '{1}\\{2}' changed security descriptor on file '{3}' from \n'{4}' \nto \n'{5}' \nusing '{6}'\n----\n",
                elr.GetPropertyValues(props).ToArray());
        }
    }
+2
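
Added example (not part of the original answer): the OldSd and NewSd fields returned by the query above are SDDL strings, so the entries that were added or removed can be listed by parsing both with RawSecurityDescriptor and comparing the DACLs. The class and method names are hypothetical, the two descriptors are the first "from" and the last "to" values from the output above, and the code is Windows-only.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.AccessControl;

static class SddlDaclDiff   // hypothetical helper name, not from the answer
{
    // Flatten the DACL of an SDDL string into one comparable line per ACE.
    // A set is used, so ACE order and exact duplicates are ignored.
    static HashSet<string> DaclEntries(string sddl)
    {
        var entries = new HashSet<string>();
        var sd = new RawSecurityDescriptor(sddl);
        if (sd.DiscretionaryAcl == null)
            return entries;                       // descriptor carries no DACL

        foreach (GenericAce ace in sd.DiscretionaryAcl)
        {
            // CommonAce covers plain allow/deny entries; other ACE kinds are
            // recorded by type only so that they are not silently dropped.
            if (ace is CommonAce c)
                entries.Add($"{c.AceQualifier} {c.SecurityIdentifier} " +
                            $"mask=0x{c.AccessMask:X} inherited={c.IsInherited}");
            else
                entries.Add($"{ace.AceType} (not decoded)");
        }
        return entries;
    }

    // Print the ACEs present only in the old or only in the new descriptor.
    public static void Report(string oldSd, string newSd)
    {
        HashSet<string> before = DaclEntries(oldSd), after = DaclEntries(newSd);
        foreach (string e in before.Except(after)) Console.WriteLine("removed: " + e);
        foreach (string e in after.Except(before)) Console.WriteLine("added:   " + e);
    }

    static void Main()
    {
        // Domain part of the SIDs that appear in the output shown above.
        const string dom = "S-1-5-21-559386011-2179397067-1987725642";
        Report(
            "D:AI(A;;0x1200a9;;;BU)(A;ID;FA;;;" + dom + "-1000)(A;ID;FA;;;SY)(A;ID;FA;;;BA)",
            "D:ARAI(D;;FA;;;" + dom + "-1001)(A;ID;FA;;;" + dom + "-1000)(A;ID;FA;;;SY)(A;ID;FA;;;BA)");
    }
}
```

SIDs are printed in their S-1-... form; resolving them to account names with SecurityIdentifier.Translate can throw for deleted accounts, so that step is left to the caller.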

From what I know / read, FileSystemWatcher can only report a file that has been affected along with the type of change.

One way is to keep a cache of the file attributes that interest you; when an event notifies you of a change, you query the cache to determine what changed and update it as necessary.

+1