The production change implementers for our IT group have been tasked with reviewing the security for all of the various objects in our group, primarily to make sure that people who have left our employ or have transferred to other groups no longer have access to our server shares, web directories, sql databases, etc etc. We recently completed the SQL portion and we have a re-usable script that can be run annually (or at whatever frequency we come up with). It worked great and we audited 20 databases across 10 or so servers withing a few minutes.

我们 IT 组的生产变更实施者的任务是审查我们组中所有各种对象的安全性，主要是为了确保离开我们工作或转移到其他组的人员不再能够访问我们的服务器共享、web 目录、sql 数据库等。我们最近完成了 SQL 部分，我们有一个可重复使用的脚本，可以每年运行（或以我们提出的任何频率运行）。它工作得很好，我们在几分钟内审核了 10 个左右服务器上的 20 个数据库。

Now, for the server stuff. I have an application that I wrote in C# using .NET 2.0 that will recursively scan a list of directories and dump the ACLs to a text file. This works excellent. On the local machine. UNC and Mapped paths do not work, I get the following exception message: The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.

现在，对于服务器的东西。我有一个应用程序，我使用 .NET 2.0 在 C# 中编写，它将递归扫描目录列表并将 ACL 转储到文本文件。这很好用。在本地机器上。UNC 和映射路径不起作用，我收到以下异常消息：该进程不拥有此操作所需的“SeSecurityPrivilege”特权。

On this line:

在这一行：

DirectorySecurity DirSec = di.GetAccessControl(AccessControlSections.All);

Where di is a DirectoryInfo object enumerated from a DirectoryInfo[] array.

其中 di 是从 DirectoryInfo[] 数组枚举的 DirectoryInfo 对象。

We are not likely going to be able to be granted the SeSecurityPrivilege privilege. However I don't think this should be necessary. I can open the folder and right click for properties and click the security tab and view it in the GUI. I shouldbe able to access it programmatically as well.

我们不太可能被授予 SeSecurityPrivilege 特权。但是，我认为这没有必要。我可以打开文件夹并右键单击属性，然后单击安全选项卡并在 GUI 中查看它。我也应该能够以编程方式访问它。

Any thoughts on how I can change this section of code to get the permissions for the targeted folder?

关于如何更改这部分代码以获得目标文件夹的权限的任何想法？

private void CheckSecurity(DirectoryInfo[] DIArray)
{
    foreach (DirectoryInfo di in DIArray)
    {
        DirectorySecurity DirSec = di.GetAccessControl(AccessControlSections.All);
        string sAccessInfo = string.Empty;

        foreach (FileSystemAccessRule FSAR in DirSec.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)))
        {
            sAccessInfo += GetAceInformation(FSAR);
        }

        if (sAccessInfo != string.Empty)
        {
            // Write info to text file
        }
    }
}

private string GetAceInformation(FileSystemAccessRule ace)
{
    StringBuilder info = new StringBuilder();
    string line = string.Format("Account: {0}", ace.IdentityReference.Value);
    info.AppendLine(line);
    line = string.Format("Type: {0}", ace.AccessControlType);
    info.AppendLine(line);
    line = string.Format("Rights: {0}", ace.FileSystemRights);
    info.AppendLine(line);
    line = string.Format("Inherited ACE: {0}", ace.IsInherited);
    info.AppendLine(line);
    return info.ToString();
}

Edit: How would I check the remote folder for the read attrib in the ACL when it fails on getting the "GetAccessControl()" method for the root folder? (If I pass in \server\path, it errors on getting the info for \server\path).

编辑：当获取根文件夹的“GetAccessControl()”方法失败时，如何检查远程文件夹中的读取属性？（如果我传入\server\path，它会在获取\server\path 的信息时出错）。

The user account is a domain account and I have permissions to read the file structure. I can view the security from the properties of the folder/files.

用户帐户是域帐户，我有权读取文件结构。我可以从文件夹/文件的属性中查看安全性。

I will check out the process monitor but I am not sure that I am going to be able to run it on the server (I am not an admin on the server(s) in question).

我将检查进程监视器，但我不确定我是否能够在服务器上运行它（我不是相关服务器的管理员）。