C# .NET Getting Windows Directory File Permissions programmatically



I while back I needed to do a security trim on files in a Windows file system based on returned search results by SharePoint search. Since in SharePoint 2010 search indexing does not know how to take into consideration file system rights for searches there was a need to do a security trimming based on what privileges you have in Active Directory and what you are given to the file itself.

Since there where alot of moving parts and hard to find out which classes and function where needed to actually do this specific task I finally found a source that gave a great sample how to do this:


Unfortunately the source above does not exist anymore for whatever reason. So for those who might need similar functionality through code here is the sample code from the link above and what you need class wise.

In the code below what you need is to call the following static function to check for if the user has certain privileges:

FileSystemRights rights = FileSystemEffectiveRights.GetRights(username, filelocation);

Then call the following function to test against the given file system privileges and what you want to user to have in the file system.
bool canReadExecute = rights.HasRights(FileSystemRights.ReadAndExecute);


Classes and enumeration needed for this functionality(there are many moving parts here and you might have to work with Active Directory and File System to test this code):

FileSystemRights Enumeration

FileSystemAccessRule Class

AccessControlType Enumeration

AuthorizationRuleCollection Class

SecurityIdentifier Class

FileSystemAccessRule Class

FileInfo Class

PrincipalContext Class

UserPrincipal Class

PrincipalSearcher Class

WindowsIdentity Class


Sample code – http://www.conarc.com/blog/2010/03/25/programmatically-getting-effective-directoryfile-permissions/ :

public static class FileSystemRightsEx
public static bool HasRights(this FileSystemRights rights, FileSystemRights testRights)
return (rights & testRights) == testRights;

public static class FileSystemEffectiveRights

public static FileSystemRights GetRights(string userName, string path)
if (string.IsNullOrEmpty(userName))
throw new ArgumentException(“UserName not defined!”);

//if (!Directory.Exists(path) && !File.Exists(path))
// throw new ArgumentException(string.Format(“path: {0}”, path));

return GetEffectiveRights(userName, path);

private static FileSystemRights GetEffectiveRights(string userName, string path)
FileSystemAccessRule[] accessRules = GetAccessRulesArray(userName, path);
FileSystemRights denyRights = 0;
FileSystemRights allowRights = 0;

for (int index = 0, total = accessRules.Length; index < total; index++)
FileSystemAccessRule rule = accessRules[index];

if (rule.AccessControlType == AccessControlType.Deny)
denyRights |= rule.FileSystemRights;
allowRights |= rule.FileSystemRights;

return (allowRights | denyRights) ^ denyRights;

private static FileSystemAccessRule[] GetAccessRulesArray(string userName, string path)
// get all access rules for the path – this works for a directory path as well as a file path
AuthorizationRuleCollection authorizationRules = (new FileInfo(path)).GetAccessControl().GetAccessRules(true, true, typeof(SecurityIdentifier));

// get the user’s sids
string[] sids = GetSecurityIdentifierArray(userName);

// get the access rules filtered by the user’s sids
return (from rule in authorizationRules.Cast<FileSystemAccessRule>()
where sids.Contains(rule.IdentityReference.Value)
select rule).ToArray();

private static string[] GetSecurityIdentifierArray(string userName)
// connect to the domain
PrincipalContext pc = new PrincipalContext(ContextType.Domain);

// search for the domain user
UserPrincipal user = new UserPrincipal(pc) { SamAccountName = userName };
PrincipalSearcher searcher = new PrincipalSearcher { QueryFilter = user };
user = searcher.FindOne() as UserPrincipal;

if (user == null)
throw new ApplicationException(string.Format(“Invalid User Name: {0}”, userName));

// use WindowsIdentity to get the user’s groups
WindowsIdentity windowsIdentity = new WindowsIdentity(user.UserPrincipalName);
string[] sids = new string[windowsIdentity.Groups.Count + 1];

sids[0] = windowsIdentity.User.Value;

for (int index = 1, total = windowsIdentity.Groups.Count; index < total; index++)
sids[index] = windowsIdentity.Groups[index].Value;

return sids;


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s