Copying directory permissions with C#

Question

I need to copy security permissions from one folder to a bunch of folders.

I need to change permission to a big number of sub-folders. I would like to copy permissions from existing folder, which has the correct security settings. The code runs without errors, but nothing changes. If I create a copy of the existing folder, the permissions are OK.

DirectorySecurity permissions = Directory.GetAccessControl(srcFolder);

foreach (var subfolder in Directory.GetDirectories(containingFolder, "*", SearchOption.TopDirectoryOnly))
{             
    Directory.SetAccessControl(subfolder, permissions);  // no change
    Directory.CreateDirectory(subfolder + "_copy", permissions); // new folder has permissions as expected                          
}

I would expect that all subfolder in containingFolder would have the same permissions as srcFolder .

Answer 1

Sinatr provided the following link that describes why your code does not work and how to fix it. I notice the link references the top of the page and not the remarks section. This is the section that contains the information you require. Listed below is the correct link.

Directory.SetAccessControl Method Remarks

For future readers, I will summarize here what the documentation states and provide a small code sample.

First the issue

You cannot directly use a DirectorySecutrity object from one file/folder and apply it to another file/folder using just GetAccessControl/SetAccessControl.

From Microsoft:

The SetAccessControl method persists only DirectorySecurity objects that have been modified after object creation. If a DirectorySecurity object has not been modified, it will not be persisted to a file. Therefore, it is not possible to retrieve a DirectorySecurity object from one file and reapply the same object to another file.

Now the solution

Here are the steps, outline by Microsoft, that will allow you to copy security information from one file or folder to another. Note the comments are from the documentation, the code is from my test program.

using System.Security.AccessControl;
using System.IO;
. . . . 

string srcFolder = @"d:\srcFolder", desFolder = @"d:\desFolder";
byte[] securityDescriptor = null;


// Step 1: Use the GetAccessControl method to retrieve the
// DirectorySecurity object from the source file.
DirectorySecurity srcPermissions = Directory.GetAccessControl(srcFolder);

// Step 2: Create a new DirectorySecurity object for the destination file.
DirectorySecurity desPermissions = new DirectorySecurity();


// Step 3: Use the GetSecurityDescriptorBinaryForm method of the
// source DirectorySecurity object to retrieve the ACL information.
securityDescriptor = srcPermissions.GetSecurityDescriptorBinaryForm();

// Step 4: Use the SetSecurityDescriptorBinaryForm method to copy the
// information retrieved in step 3 to the destination
// DirectorySecurity object.
desPermissions.SetSecurityDescriptorBinaryForm(securityDescriptor);

// Step 5: Set the destination DirectorySecurity object to the
// destination file using the SetAccessControl method.
Directory.SetAccessControl(desFolder, desPermissions);

To test this, I create two folders. One called srcFolder and the other call desFolder. On the desFolder I remove all permissions except for my user account. Note at least one group or user account is required to be present that grants access.