Share via

File System Provider::SetDirectoryAttributes

  • Article

This procedure sets file system properties and Active Directory directory service security attributes for the specified directory. It is used by Microsoft Provisioning Framework (MPF).

Arguments

Input Arguments

The following table describes the input XML elements and attributes. Unless otherwise indicated, the data type is string.

Input Argument Required Description

<dirName>

Yes

Name of the directory.

<sourcePath>

Yes

Path for the directory to retrieve attributes for.

<properties>

No

Encapsulates miscellaneous properties of the directory with four optional attributes.

  • encompress: Enumeration ("encrypt", "compress", "decrypt", or "uncompress").

  • hidden: Enumeration ("true" or "false") that specifies whether the copied file is hidden. The default value is "false".

  • indexing: Enumeration ("true" or "false) that specifies whether an indexing service is allowed to index the copied file. The default value is "false".

  • readOnly: Enumeration ("true" or "false") that specifies whether the copied file is read-only. The default value is "false".

<ace>

No

Access control elements (ACEs) for the directory. Please note that the elements in the ace are a sequence.

Parent:
acl

Children:
permission (minOccurs="1" maxOccurs="*")
mode (minOccurs="1" maxOccurs="1")
trusteeForm (minOccurs="1" maxOccurs="1")
trustee (minOccurs="1" maxOccurs="1")
trusteeType (minOccurs="0" maxOccurs="1")
inheritance (minOccurs="0" maxOccurs="*")
objectTypeName (minOccurs="0" maxOccurs="1")
inheritedObjectTypeName (minOccurs="0" maxOccurs="1")

The segment of input Schema for SetDirectoryAttributes:

<xs:sequence>
                      <xs:element name="permission" type="NonEmptyString" minOccurs="1" maxOccurs="unbounded"/>
                      <xs:element name="mode" type="NonEmptyString" minOccurs="1" maxOccurs="1"/>
                      <xs:element name="trusteeForm" type="NonEmptyString" minOccurs="1" maxOccurs="1"/>
                      <xs:element name="trustee" type="NonEmptyString" minOccurs="1" maxOccurs="1"/>
                      <xs:element name="trusteeType" type="NonEmptyString" minOccurs="0" maxOccurs="1"/>
                      <xs:element name="inheritance" type="NonEmptyString" minOccurs="0" maxOccurs="unbounded"/>
                      <xs:element name="objectTypeName" type="xs:string" minOccurs="0" maxOccurs="1"/>
                      <xs:element name="inheritedObjectTypeName" type="xs:string" minOccurs="0" maxOccurs="1"/>
</xs:sequence>

<permission>

No

Value containing standard, specific, and generic rights. These rights are used in ACEs and are the primary means of specifying the requested or granted access to an object. This value can be either a number or string from any of the following tables. Multiple permission elements can be concatenated by a bitwise OR to create a single value.

Standard and generic permissions (ACCESS_MASK):

0x00010000L DELETE Delete access
0x00020000L READ_CONTROL Read access to the owner, group, and discretionary access control list (DACL) of the security descriptor
0x00040000L WRITE_DAC Write access to the DACL
0x00080000L WRITE_OWNER Write access to owner
0x00100000L SYNCHRONIZE Microsoft Windows NT and Windows 2000: Synchronize access
0x01000000L ACCESS_SYSTEM_SECURITY Access system security (ACCESS_SYSTEM_SECURITY). This flag is not a typical access type. It is used to indicate access to a SACL. This type of access requires the calling process to SE_SECURITY_NAME (Manage auditing and security log) privilege. If this flag is set in the access mask of an audit access ACE (successful or unsuccessful access), the SACL access will be audited.
0x02000000L MAXIMUM_ALLOWED Maximum allowed
0x10000000L GENERIC_ALL Generic all
0x20000000L GENERIC_EXECUTE Generic execute
0x40000000L GENERIC_WRITE Generic write
0x80000000L GENERIC_READ Generic read


File system permissions:

0x0001 FILE_LIST_DIRECTORY, FILE_READ_DATA Right to read data from a file. For a directory, the right to list the contents of a directory.
0x0002 FILE_WRITE_DATA Right to write data to a file. For a directory, the right to create a file in a directory.
0x0004 FILE_ADD_SUBDIRECTORY, FILE_APPEND_DATA Right to append data to the file. For a directory, the right to create a subdirectory.
0x0008 FILE_READ_EA Right to read extended attributes.
0x0010 FILE_WRITE_EA Right to write extended attributes.
0x0020 FILE_EXECUTE Right to execute a program.
0x0020 FILE_TRAVERSE Right to execute a file. For a directory, the directory can be traversed.
0x0040 FILE_DELETE_CHILD For a directory, the right to delete a subdirectory.
0x0080 FILE_READ_ATTRIBUTES Right to read file attributes.
0x0100 FILE_WRITE_ATTRIBUTES Right to write file attributes.
0x120089 FILE_GENERIC_READ Combination of permissions.
0x1200A0 FILE_GENERIC_EXECUTE Combination of permissions.
0x120116 FILE_GENERIC_WRITE Combination of permissions.

Parent:
ace

<mode>

No

Specifies a value from the ACCESS_MODE enumeration. For a discretionary access control list (DACL), mode indicates whether the DACL allows or denies the specified access rights. For a system access control list (SACL), mode indicates whether the SACL generates audit messages for successful attempts to use the specified access rights, or failed attempts, or both. When modifying an existing DACL or SACL, specify the REVOKE_ACCESS flag to remove any existing ACEs for the specified trustee. Can be either an ACCESS_MODE string or a number.

1 GRANT_ACCESS The new ACE combines the specified rights with any existing allowed or denied rights of the trustee.
2 SET_ACCESS On input, this flag discards any matching access-control information for the trustee and adds the new ACE. See REVOKE_ACCESS for limitations on what is discarded.
3 DENY_ACCESS On input, this flag denies the specified rights in addition to any currently denied rights of the trustee. It also modifies or deletes any existing access-control information for the trustee that allows the specified rights.
4 REVOKE_ACCESS An input flag that removes matching access-control information for the trustee. When modifying an existing DACL or SACL, specify REVOKE_ACCESS to remove any existing ACEs for the specified trustee. However, note that the operating system typically converts generic permissions to specific ones. Use File System Provider::GetDirectoryAttributes to generate a list of all specific permissions, then SetDirectoryAttributes to revoke individual permissions.

<trusteeForm>

No

Type of value in the trustee node. Specifies a value from the TRUSTEE_FORM enumeration. If an objectTypeName or inheritedObjectTypeName is supplied, it should be either TRUSTEE_IS_OBJECTS_AND_NAME or TRUSTEE_IS_OBJECTS_AND_SID.

0 TRUSTEE_IS_SID trustee is the SID of the trustee.
1 TRUSTEE_IS_NAME trustee is the name of the trustee.
3 TRUSTEE_IS_OBJECTS_AND_SID trustee is the SID of the trustee and either objectTypeName or inheritedObjectTypeName is supplied.
4 TRUSTEE_IS_OBJECTS_AND_NAME trustee is the name of the trustee and either objectTypeName or inheritedObjectTypeName is supplied.

<trustee>

No

Identifies the user, group, or program (such as a Microsoft Win32 service) to which the ACE applies. Can be either a sAMAccountName, LDAP path or security identifier (SID), depending on the value for the trusteeForm node. For TRUSTEE_IS_NAME or TRUSTEE_IS_OBJECTS_AND_NAME, trustee should be a valid sAMAccountName. For TRUSTEE_IS_SID or TRUSTEE_IS_OBJECTS_AND_SID, trustee must be a SID or LDAP path. If trustee begins with "LDAP://", the procedure assumes it is an LDAP path; otherwise, the procedure assumes trustee is a SID in string format. For LDAP path, the procedure gets the objectSid of the object and stores the SID.

Dd278614.note(en-us,TechNet.10).gifNote
sAMAccountName cannot be longer than 20 characters. See SAM-Account-Name Attribute for more information.

<trusteeType>

No

Indicates whether the trustee is a user account, a group account, or the account type is unknown. Specifies a value from the TRUSTEE_TYPE enumeration. The default is TRUSTEE_IS_UNKNOWN.

0 TRUSTEE_IS_UNKNOWN Trustee type is unknown, but not necessarily invalid.
1 TRUSTEE_IS_USER Indicates a user.
2 TRUSTEE_IS_GROUP Indicates a group.
3 TRUSTEE_IS_DOMAIN Indicates an Active Directory or Windows NT domain.
4 TRUSTEE_IS_ALIAS Indicates an alias.
5 TRUSTEE_IS_WELL_KNOWN_GROUP Indicates a well-known group.
6 TRUSTEE_IS_DELETED Indicates a deleted account.
7 TRUSTEE_IS_INVALID Indicates an invalid trustee type.
8 TRUSTEE_IS_COMPUTER Indicates a computer.

<inheritance>

No

Set of bit flags that determines whether other containers or objects can inherit the access control entry (ACE) from the primary object to which the DACL or SACL is attached. This value can be either a number or an AceFlags string (See the following AceFlags table).

The value for this element corresponds to the inheritance portion (low-order byte) of the AceFlags member of the ACE_HEADER structure. This parameter can be NO_INHERITANCE to indicate that the ACE is not inheritable, or it can be a combination of the values from the AceFlags table following the sample code. An ace parent can have multiple inheritance elements whose values are concatenated by a bitwise OR to build a single inheritance value.

The following example creates an ACE with an inheritance value of 3.

<ace> 
  <inheritance>SUB_OBJECTS_ONLY_INHERIT</inheritance> 
  <inheritance>2</inheritance> 
</ace>

AceFlags values:

0x0 NO_INHERITANCE Default. This ACE will not be inherited by other objects.
0x1 SUB_OBJECTS_ONLY_INHERIT Non-container objects contained by the primary object inherit the ACE.
0x2 SUB_CONTAINERS_ONLY_INHERIT Other containers contained by the primary object inherit the ACE.
0x3 SUB_CONTAINERS_AND_OBJECTS_INHERIT Both containers and non-container objects contained by the primary object inherit the ACE.
0x4 INHERIT_NO_PROPAGATE The SUB_OBJECTS_ONLY_INHERIT and SUB_CONTAINERS_ONLY_INHERIT flags are not propagated to an inherited ACE.
0x8 INHERIT_ONLY The ACE does not apply to the primary object to which the DACL or SACL is attached, but objects contained by the primary object inherit the ACE.

<objectTypeName>

No

String that identifies the type of object, property set, or property protected by the ACE. If this ACE is inherited, it identifies the type of object, property set, or property protected by the inherited ACE. If the trusteeForm node is TRUSTEE_IS_OBJECTS_AND_NAME, objectTypeName must be a valid LDAP display name in the Active Directory schema. For TRUSTEE_IS_OBJECTS_AND_SID, this must be an LDAP path or GUID of an extended right. If it begins with "LDAP://", the procedure gets the object and stores the "rightsGUID" of the object. Otherwise, the string must be a GUID string such as "{12345678-1234-1234-1234-123456789abc}". The permission element should be ADS_RIGHT_DS_CONTROL_ACCESS when setting an extended right. There can be at most one of these elements. There is no default value. The procedure will fail if this element exists and trusteeForm is not TRUSTEE_IS_OBJECTS_AND_NAME or TRUSTEE_IS_OBJECTS_AND_SID.

<inheritedObjectTypeName>

No

Type of objects that can inherit the ACE. If the value for the trusteeForm node is TRUSTEE_IS_OBJECTS_AND_NAME, inheritedObjectTypeName must be a valid lightweight directory access protocol (LDAP) display name in the Microsoft Active Directory schema. For TRUSTEE_IS_OBJECTS_AND_SID, this must be an LDAP path or a globally unique identifier (GUID) of an extended right. If it begins with "LDAP://", the procedure gets the object and stores the "rightsGUID" of the object. Otherwise, the string must be a GUID string such as "{12345678-1234-1234-1234-123456789abc}".

There is no default value. The procedure will fail if this element exists and trusteeForm is not TRUSTEE_IS_OBJECTS_AND_NAME or TRUSTEE_IS_OBJECTS_AND_SID.

Remarks

The rollback procedure restores the directory's original attributes.

Schema Definition

Input

executeData> 
  <dirName>MyDir</dirName> 
  <sourcePath>\\VIRALJAIN\c$\source>/sourcePath> 
  <properties readOnly="true" hidden="false"/> 
  <security> 
    <acl> 
      <ace> 
        <permission>GENERIC_ALL</permission> 
        <mode>GRANT_ACCESS</mode> 
        <trusteeType>TRUSTEE_IS_GROUP</trusteeType> 
        <trusteeForm>TRUSTEE_IS_NAME</trusteeForm> 
        <trustee>BUILTIN\Administrators</trustee>
        <inheritance>SUB_CONTAINERS_AND_OBJECTS_INHERIT</inheritance>  
      </ace> 
    </acl> 
  </security> 
</executeData>

Sample Code

Example XML Request

Example XML Response

Procedure SetDirectoryAttributes does not return data.

Applies To

File System Provider for:

  • Hosted Messaging and Collaboration version 4.5

  • Hosted Messaging and Collaboration version 4.0

  • Hosted Messaging and Collaboration version 3.5

  • Hosted Messaging and Collaboration version 3.0

  • Windows-based Hosting version 4.5

  • Windows-based Hosting version 4.0

  • Windows-based Hosting version 3.5

  • Windows-based Hosting for Applications version 1.0

See also

Tasks

File System Provider::CopyDirectory
File System Provider::DeleteDirectory
File System Provider::ListDirectory
File System Provider::MoveDirectory
File System Provider::RenameDirectory
File System Provider::SetDirectoryAttributes