On Tue, Mar 21, 2017 at 9:57 AM, Goku Balu <tfa.signup.te...@gmail.com> wrote: > > Thanks for responding. Here's my use case. I deny Write, Delete and > Delete_Child permissions for all folders and files under a particular folder > to make it read-only. > > When the user uninstalls our application, we remove the Deny ACE for all the > sub-folders and files under it by iterating the folder. > > However in the UI, this can be easily achieved by removing the Deny ACE for > top-most parent and checking "Replace all child object permissions with > inheritable permissions from this object" and clicking Yes in the warning > dialog. I wonder if this could be done programatically?
I thought you wanted to propagate inheritable permissions, which includes removing inherited permissions from subfolders and files. It should suffice to get the DACL from the base folder via GetNamedSecurityInfo; remove the inheritable ACEs that you no longer want; and then call SetNamedSecurityInfo to set the modified DACL. OTOH, if you need to remove explicitly set permissions, then you'll have to reset each folder and file in the tree one at a time. One approach would be to manually do a top-down walk over the tree, e.g. using os.walk(). Modify the security on each file and directory by writing an empty DACL, i.e. win32security.ACL(), and specifying UNPROTECTED_DACL_SECURITY_INFORMATION. This will reset each file and directory using only inherited permissions. The authorization API has the function TreeSetNamedSecurityInfo to implement this. But PyWin32's win32security module doesn't wrap it for some reason. You may prefer this approach, in which case we can use ctypes to call this function. I wrote a wrapper for this a few minutes ago if you want it. _______________________________________________ python-win32 mailing list python-win32@python.org https://mail.python.org/mailman/listinfo/python-win32
