Impersonation (and a little bit more) with .NET

I need an assembly written in vb.net with the following requirements: 1. Requires impersonation 2. Various functions to copy one or more file based on specific user name & password 3. Function to apply access rights based on currently logged in user I've done 1 & 2 in the past but never got a chance to experiment on the third part, so this is where you come in. Part 3 is very important, so do not apply unless you are definitely sure that you can apply access rights which would give the currently logged in user? access to the copied file, but this needs to be done when you are still logged in as the impersonate user. Thanks. T. ## Deliverables Ok, here is the spec with a bit more details. Before I get into the details, I will display a bit of code with what I have in mind: I need functionality to achieve the following: Assume the following: ? User A: Normal user ? User B: Dedicated user The process: Writing: User A is currently logged in to a workstation and has access to specific files on the network. When User A select various files and these get copied to another location on the network, I want all users that are allowed to access the file to be removed, user B gets added if not already there. No impersonation required here. This is the first part which is to change the access rights on an existing file. Reading: User A is currently logged in to a workstation and needs to access various files held on the network drive. This files are not accessible to user A has only user B has now access to them. When user? A needs to access some files on the network, the application needs to impersonate UserB, copy the files to the local drive, add User A to the list of user allowed to access the files stored on local drive, then stop impersonating. Does this make sense? If not please clarify before applying. Scenario 1: **Copying part:** Dim obj as myassembly Dim currentUser as ??? For each file in files ? [login to view URL] <source file>, <target file>, <adduserlist>,<removeuserlist> Next **Reading part: ** [login to view URL] (<username>, <password>) [login to view URL](<target path>, <target file pattern>, currentUser) [login to view URL] So based on the explanation above, you would have something like this: For each file in files ? [login to view URL] "c:\[login to view URL]", "z:\folder\[login to view URL]", new object() {UserB}, new object() {UserA}) Next Where I should also have an additional parameter to remove all users i.e. ? [login to view URL] "c:\[login to view URL]", "z:\folder\[login to view URL]", new object() {UserB},nothing, true) When GetFiles gets called, it would copy the files as the impersonated user, but as each file is copied it would apply access rights so that the currentUser can access it. Scenario 2: For each file in files ? [login to view URL] "c:\[login to view URL]", "z:\folder\[login to view URL]", new object() {UserB}, new object() {UserA}) Next Dim obj as myassembly Dim currentUser as ??? [login to view URL](impersonateUsername, impersonatePassword, <target path>, <target file pattern>, currentUser) Save as above but the impersonation occurs inside the getfiles function, so does the undo and so does applying the access rights on the copied file so the currentUser can access them without any problems. In brief, I want my files to only be accessible by a dedicated user when stored on a network drive. I need to ability to copy the files as the dedicate user to the local drive but change the access rights so that the currently logged in user has full access to the file.? If needed, the local user may want to copy this file back to the network which should be done through impersonation and once copied the current user should be removed from the list. 1. I want the code to be written in vb.net (will consider C# but only if you convince me you can actually do it). 2. Must? apply scenario 1 or 2. Either one is fine for me. Once I get the concept right, I can always modify it myself. 3. Code must be fully commented and explained. 4. I want the impersonation functionality split properly and I also want the access right functions split properly. This is critical as in the future I may want to provide these various functions as individual calls, so for the impersonation, irrelvant of the scenario used, I want to see the following: ? a) [login to view URL] (....) ? b) [login to view URL] ? c) [login to view URL](filename, currentUser) Again the core thing is not even the process. As long as you provide me with functions that will allow me to: Add Users to a file access right Remove Users from a file access rights Remove All users from a file access rights Check if a folder has access rights based on a specific user. Check if a? file has access rights based on a specific user. Ability to add users to access rights to either file or folder (this means this user will be given admin rights!). Impersonate a user Undo impersonation I'm open to fair suggestions, but I don't want any time wasters, so please only apply if you know for a fact that you will be able to provide me with what I require. If you have additional suggestions, please let me know. Should I bother applying at the file level? Should it be done at a folder level? Would this make things easier? Any other suggestions are welcome. That's it. Thierry * * *This broadcast message was sent to all bidders on Thursday Oct 9, 2008 4:39:47 PM: Hi, Some of you have asked me the following questions: 1. Will the dedicated user be a admin user on the machine. I'm not sure how to answer this. Ideally I want the assembly to provive a function to check if the dedicated user exists in the local admin group of the machine. If it doesn't, I want to have a function that will add the dedicate user to the local admin group. This should take care of the problem. If this can't be done, I will have to cancel the project and re-think on how to go about this as I don't want our tech guys having to do this manually on every machine we install our software and asking clients to do that is a big NO NO!! Note that in the past I we've written an application which read an 256-bit encrypted file on the network and contained the admin name and password and domain. Once read, it would impersonate the domain admin and install files. Can the same process not be used to add the dedicated user?? So, then the application start, the user would log in. At logon, if successful, we could return the domain admin name & password, which would be used to impersonate the domain admin. Once impersonating the domain admin, you would then check if the dedicated user exists, if it doesn't, you would add it. Then undo the domain admin impersonation, bring you back to the current user. Then the rest of the spec would follow i.e. Select the files we need to copy, impersonate the dedicate user, add the dedicate user to access rights on files, remove every other user from access rights, copy the files, and then undo impersonation of dedicated user. When we need to get the files, impersonate the dedicated user, copy the files to local folder, add the currently logged in user to access right of file and undo impersonation, thus allowing the current user to access the files as normal. I hope this clarifies things. 2) This will only be with following OS: Win 2000, Win XP Pro and Vista and above. Note you must test this under Vista as I believe it behaves seriously differently from XP in relation to security. I found an article which may not be relevant but where it mentions that vista does behave differently, so please make sure it works as this will be tested on vista and I cannot approve the project unless it works at least on xp pro and vista. Thanks. Thierry.