DirectorySecurity Class
.NET Framework Class Library
DirectorySecurity Class

Represents the access control and audit security for a directory. This class cannot be inherited.

Namespace:  System.Security.AccessControl
Assembly:  mscorlib (in mscorlib.dll)
Visual Basic
Public NotInheritable Class DirectorySecurity _
    Inherits FileSystemSecurity
C#
public sealed class DirectorySecurity : FileSystemSecurity
Visual C++
public ref class DirectorySecurity sealed : public FileSystemSecurity
F#
[<SealedAttribute>]
type DirectorySecurity =  
    class
        inherit FileSystemSecurity
    end

The DirectorySecurity class specifies the access rights for a system directory and how access attempts are audited. This class represents access and audit rights as a set of rules. Each access rule is represented by a FileSystemAccessRule object, while each audit rule is represented by a FileSystemAuditRule object.

The DirectorySecurity class is an abstraction of the underlying Windows file security system. In this system, each directory has a discretionary access control list (DACL), which controls access to the directory, and a system access control list (SACL), which specifies the access control attempts that are audited. The FileSystemAccessRule and FileSystemAuditRule classes are abstractions of the access control entries (ACEs) that comprise DACLs and SACLs.

The DirectorySecurity class hides many of the details of DACLs and SACLs; you do not have to worry about ACE ordering or null DACLs.

Use the FileSecurity class to retrieve, add, or change the access rules that represent the DACL and SACL of a file.

The following table lists the methods you can use to access and maintain directory security.

The following code example uses the DirectorySecurity class to add and then remove an access control list (ACL) entry from a directory. You must supply a valid user or group account to run this example.

Visual Basic
Imports System
Imports System.IO
Imports System.Security.AccessControl



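' Demonstrates adding an allow entry to a directory's DACL and removing it again.
' The two expected failures (the caller may not change the DACL, or the account
' name does not resolve) are reported separately, matching the Visual C++ listing
' of this example; any other exception is still printed in full.
Module DirectoryExample

    Sub Main()
        Dim DirectoryName As String = "TestDirectory"
        Dim AccountName As String = "MYDOMAIN\MyAccount"

        Try
            Console.WriteLine("Adding access control entry for " + DirectoryName)

            ' Add the access control entry to the directory.
            AddDirectorySecurity(DirectoryName, AccountName, FileSystemRights.ReadData, AccessControlType.Allow)

            Console.WriteLine("Removing access control entry from " + DirectoryName)

            ' Remove the access control entry from the directory.
            ' If this call fails, the entry added above stays on the directory.
            RemoveDirectorySecurity(DirectoryName, AccountName, FileSystemRights.ReadData, AccessControlType.Allow)

            Console.WriteLine("Done.")
        Catch e As UnauthorizedAccessException
            ' The caller is not permitted to read or change the directory's permissions.
            Console.WriteLine("You are not authorised to carry out this procedure.")
        Catch e As System.Security.Principal.IdentityNotMappedException
            ' The account name could not be translated to a security identifier.
            Console.WriteLine("The account {0} could not be found.", AccountName)
        Catch e As Exception
            ' Anything else (for example a missing directory) is printed as before.
            Console.WriteLine(e)
        End Try

        Console.ReadLine()

    End Sub


    ' Adds an ACL entry on the specified directory for the specified account.
    '   FileName    - path of the directory (despite the parameter name).
    '   Account     - account name, for example "MYDOMAIN\MyAccount".
    '   Rights      - file system rights the entry covers.
    '   ControlType - whether the entry allows or denies those rights.
    ' The three-argument FileSystemAccessRule constructor sets no inheritance or
    ' propagation flags, so the entry applies to the directory itself and is not
    ' inherited by the files and subdirectories below it.
    Sub AddDirectorySecurity(ByVal FileName As String, ByVal Account As String, ByVal Rights As FileSystemRights, ByVal ControlType As AccessControlType)
        ' Create a new DirectoryInfo object.
        Dim dInfo As New DirectoryInfo(FileName)

        ' Get a DirectorySecurity object that represents the 
        ' current security settings.
        Dim dSecurity As DirectorySecurity = dInfo.GetAccessControl()

        ' Add the FileSystemAccessRule to the security settings. 
        dSecurity.AddAccessRule(New FileSystemAccessRule(Account, Rights, ControlType))

        ' Write the edited settings back to the directory.
        ' NOTE(review): this is a read-modify-write sequence; a change made by
        ' another process between the read and this call may be lost - confirm
        ' before using the pattern on directories that are managed concurrently.
        dInfo.SetAccessControl(dSecurity)

    End Sub


    ' Removes an ACL entry on the specified directory for the specified account.
    ' Parameters have the same meaning as in AddDirectorySecurity.
    ' RemoveAccessRule returns a Boolean that this example does not inspect, so
    ' the caller is not told whether a matching entry was actually found.
    Sub RemoveDirectorySecurity(ByVal FileName As String, ByVal Account As String, ByVal Rights As FileSystemRights, ByVal ControlType As AccessControlType)
        ' Create a new DirectoryInfo object.
        Dim dInfo As New DirectoryInfo(FileName)

        ' Get a DirectorySecurity object that represents the 
        ' current security settings.
        Dim dSecurity As DirectorySecurity = dInfo.GetAccessControl()

        ' Remove the FileSystemAccessRule from the security settings. 
        dSecurity.RemoveAccessRule(New FileSystemAccessRule(Account, Rights, ControlType))

        ' Write the edited settings back to the directory.
        dInfo.SetAccessControl(dSecurity)

    End Sub
End Module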

C#
using System;
using System.IO;
using System.Security.AccessControl;

namespace FileSystemExample
{
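    /// <summary>
    /// Demonstrates adding an allow entry to a directory's DACL and removing it again.
    /// The two expected failures (the caller may not change the DACL, or the account
    /// name does not resolve) are reported separately, matching the Visual C++ listing
    /// of this example; any other exception is still printed in full.
    /// </summary>
    class DirectoryExample
    {
        public static void Main()
        {
            string DirectoryName = "TestDirectory";
            string accountName = @"MYDOMAIN\MyAccount";

            try
            {
                Console.WriteLine("Adding access control entry for " + DirectoryName);

                // Add the access control entry to the directory.
                AddDirectorySecurity(DirectoryName, accountName, FileSystemRights.ReadData, AccessControlType.Allow);

                Console.WriteLine("Removing access control entry from " + DirectoryName);

                // Remove the access control entry from the directory.
                // If this call fails, the entry added above stays on the directory.
                RemoveDirectorySecurity(DirectoryName, accountName, FileSystemRights.ReadData, AccessControlType.Allow);

                Console.WriteLine("Done.");
            }
            catch (UnauthorizedAccessException)
            {
                // The caller is not permitted to read or change the directory's permissions.
                Console.WriteLine("You are not authorised to carry out this procedure.");
            }
            catch (System.Security.Principal.IdentityNotMappedException)
            {
                // The account name could not be translated to a security identifier.
                Console.WriteLine("The account {0} could not be found.", accountName);
            }
            catch (Exception e)
            {
                // Anything else (for example a missing directory) is printed as before.
                Console.WriteLine(e);
            }

            Console.ReadLine();
        }

        /// <summary>
        /// Adds an ACL entry on the specified directory for the specified account.
        /// </summary>
        /// <param name="FileName">Path of the directory (despite the parameter name).</param>
        /// <param name="Account">Account name, for example <c>MYDOMAIN\MyAccount</c>.</param>
        /// <param name="Rights">File system rights the entry covers.</param>
        /// <param name="ControlType">Whether the entry allows or denies those rights.</param>
        /// <remarks>
        /// The three-argument FileSystemAccessRule constructor sets no inheritance or
        /// propagation flags, so the entry applies to the directory itself and is not
        /// inherited by the files and subdirectories below it.
        /// </remarks>
        public static void AddDirectorySecurity(string FileName, string Account, FileSystemRights Rights, AccessControlType ControlType)
        {
            // Create a new DirectoryInfo object.
            DirectoryInfo dInfo = new DirectoryInfo(FileName);

            // Get a DirectorySecurity object that represents the 
            // current security settings.
            DirectorySecurity dSecurity = dInfo.GetAccessControl();

            // Add the FileSystemAccessRule to the security settings. 
            dSecurity.AddAccessRule(new FileSystemAccessRule(Account,
                                                            Rights,
                                                            ControlType));

            // Write the edited settings back to the directory.
            // NOTE(review): this is a read-modify-write sequence; a change made by
            // another process between the read and this call may be lost - confirm
            // before using the pattern on directories that are managed concurrently.
            dInfo.SetAccessControl(dSecurity);

        }

        /// <summary>
        /// Removes an ACL entry on the specified directory for the specified account.
        /// </summary>
        /// <param name="FileName">Path of the directory (despite the parameter name).</param>
        /// <param name="Account">Account name the entry was created for.</param>
        /// <param name="Rights">File system rights to remove.</param>
        /// <param name="ControlType">Whether the entry to remove allows or denies those rights.</param>
        /// <remarks>
        /// RemoveAccessRule returns a Boolean that this example does not inspect, so
        /// the caller is not told whether a matching entry was actually found.
        /// </remarks>
        public static void RemoveDirectorySecurity(string FileName, string Account, FileSystemRights Rights, AccessControlType ControlType)
        {
            // Create a new DirectoryInfo object.
            DirectoryInfo dInfo = new DirectoryInfo(FileName);

            // Get a DirectorySecurity object that represents the 
            // current security settings.
            DirectorySecurity dSecurity = dInfo.GetAccessControl();

            // Remove the FileSystemAccessRule from the security settings. 
            dSecurity.RemoveAccessRule(new FileSystemAccessRule(Account,
                                                            Rights,
                                                            ControlType));

            // Write the edited settings back to the directory.
            dInfo.SetAccessControl(dSecurity);

        }
    }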
}

Visual C++
using namespace System;
using namespace System::IO;
using namespace System::Security::AccessControl;

// Grants or denies (per controlType) the given rights to the given account
// on one directory by appending a rule to its current access rules.
// The rule is built with the three-argument FileSystemAccessRule constructor,
// i.e. without inheritance or propagation flags.
void AddDirectorySecurity(String^ directoryName, String^ account, 
     FileSystemRights rights, AccessControlType controlType)
{
    // Bind to the directory and read the security settings it has now.
    DirectoryInfo^ directory = gcnew DirectoryInfo(directoryName);
    DirectorySecurity^ settings = directory->GetAccessControl();

    // Build the rule, then merge it into the in-memory settings.
    FileSystemAccessRule^ rule =
        gcnew FileSystemAccessRule(account, rights, controlType);
    settings->AddAccessRule(rule);

    // Persist the edited settings on the directory.
    directory->SetAccessControl(settings);
}

// Takes the given rights for the given account back out of one directory's
// access rules. The Boolean returned by RemoveAccessRule is not inspected,
// so the caller is not told whether a matching rule was found.
void RemoveDirectorySecurity(String^ directoryName, String^ account,
     FileSystemRights rights, AccessControlType controlType)
{
    // Bind to the directory and read the security settings it has now.
    DirectoryInfo^ directory = gcnew DirectoryInfo(directoryName);
    DirectorySecurity^ settings = directory->GetAccessControl();

    // Describe the rule to take away, then remove it from the in-memory settings.
    FileSystemAccessRule^ rule =
        gcnew FileSystemAccessRule(account, rights, controlType);
    settings->RemoveAccessRule(rule);

    // Persist the edited settings on the directory.
    directory->SetAccessControl(settings);
}    

// Entry point: adds a ReadData allow rule for a sample account to
// "TestDirectory", removes it again, and reports the two failures this
// sample expects. Any other exception type is not caught here.
int main()
{
    String^ targetDirectory = "TestDirectory";
    String^ targetAccount = "MYDOMAIN\\MyAccount";

    // Nothing to do when the directory is missing; exit code stays 0.
    if (!Directory::Exists(targetDirectory))
    {
        Console::WriteLine("The directory {0} could not be found.", targetDirectory);
        return 0;
    }

    try
    {
        Console::WriteLine("Adding access control entry for {0}", targetDirectory);

        // Grant the sample account read access on the directory.
        AddDirectorySecurity(targetDirectory, targetAccount,
            FileSystemRights::ReadData, AccessControlType::Allow);

        Console::WriteLine("Removing access control entry from {0}", targetDirectory);

        // Take the same rule away again. If this step throws, the rule
        // added above remains on the directory.
        RemoveDirectorySecurity(targetDirectory, targetAccount,
            FileSystemRights::ReadData, AccessControlType::Allow);

        Console::WriteLine("Done.");
    }
    catch (UnauthorizedAccessException^)
    {
        // The caller may not read or change the directory's permissions.
        Console::WriteLine("You are not authorised to carry out this procedure.");
    }
    catch (System::Security::Principal::IdentityNotMappedException^)
    {
        // The account name did not resolve to a known identity.
        Console::WriteLine("The account {0} could not be found.", targetAccount);
    }
}

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows XP SP2 x64 Edition, Windows Server 2008 (Server Core Role not supported), Windows Server 2008 R2 (Server Core Role not supported), Windows Server 2003 SP2

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

.NET Framework

Supported in: 4, 3.5, 3.0, 2.0

.NET Framework Client Profile

Supported in: 4, 3.5 SP1
Community Content
PowerShell Example — jrv
# This is a near linear conversion of the C# example.  Some changes were made to be more PowerShell-like.  
# The Try/Catch is primitive but does work and shows that exceptions are fully available with PowerShell V2
# and the Security classes.


# Adds an access rule for one account to one directory.
#   FileName    - path of the directory (despite the parameter name)
#   Account     - account name the rule is for
#   Rights      - name of a FileSystemRights value, e.g. "ReadData"
#   ControlType - "Allow" or "Deny"
# The rule is created with the three-argument FileSystemAccessRule constructor,
# i.e. without inheritance or propagation flags.
function AddDirectorySecurity
{
    param([string]$FileName, [string]$Account, [string]$Rights, [string]$ControlType)

    # Bind to the directory and read its current security settings.
    $directory = New-Object System.IO.DirectoryInfo($FileName)
    $settings = $directory.GetAccessControl()

    # Build the rule and merge it into the in-memory settings.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account,$Rights,$ControlType)
    $settings.AddAccessRule($rule)

    # Write the edited settings back to the directory.
    $directory.SetAccessControl($settings)
}
# Removes an access rule for one account from one directory.
# Parameters mirror AddDirectorySecurity: directory path, account name,
# FileSystemRights name and "Allow"/"Deny".
# The Boolean returned by RemoveAccessRule is not captured, so it is emitted
# as this function's output (True/False appears in the caller's pipeline).
function RemoveDirectorySecurity
{
    param([string]$FileName, [string]$Account, [string]$Rights, [string]$ControlType)

    # Bind to the directory and read its current security settings.
    $directory = New-Object System.IO.DirectoryInfo($FileName)
    $settings = $directory.GetAccessControl()

    # Describe the rule to take away and remove it from the in-memory settings.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account,$Rights,$ControlType)
    $settings.RemoveAccessRule($rule)

    # Write the edited settings back to the directory.
    $directory.SetAccessControl($settings)
}
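# Driver: adds a ReadData allow rule for a sample account to a test directory
# and removes it again.
[string]$DirectoryName = "e:\Test"
# NOTE(review): 'Guest' is only the sample principal used by this example. When
# adapting the script, name the specific account or group that needs the access.
[string]$ntaccount = 'Guest'

try {
    # The path is interpolated into the string. With the original
    # '"text" + $var' form, Write-Host receives '+' as a separate argument
    # and prints it literally.
    Write-Host "Adding access control entry for $DirectoryName" -ForegroundColor green
    AddDirectorySecurity $DirectoryName $ntaccount "ReadData" "Allow"

    Write-Host "Removing access control entry from $DirectoryName" -ForegroundColor green

    # Remove the access control entry from the directory.
    # If this step fails, the rule added above is still on the directory and
    # has to be removed by hand.
    RemoveDirectorySecurity $DirectoryName $ntaccount "ReadData" "Allow"

    # Reported only when both steps succeeded, as in the C# example.
    Write-Host "Done." -ForegroundColor green
}
catch [System.SystemException] {
    # Include the reason so an access-denied or unknown-account failure can be
    # told apart from a missing directory.
    Write-Host "An error occurred for ${DirectoryName}: $($_.Exception.Message)" -ForegroundColor red
}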
 