I lost the “Security” tab of offline files synced by Sync Centre !!

  • Article

In Windows Vista and later there is a cool feature of making network shared files available offline and maintaining the synchronization through a newly added component called Sync Centre.  You may find more information about it here:  Explore the features: Sync Center.

You might have a functionality where you would like to know the security permissions of a file present locally on the box.  Functionality like programmatically you enumerate all those users who have read/write permissions on a folder or a file. 

Now what would happen if you wish to have the similar functionality  where you check the security permissions for an offline files synced by Sync Center when the network is not available?

If you go to properties of the offline file/folder you could see that when remote machine is disconnected from network then you are not able to see the security tab as shown in screen shots below.

clip_image001

clip_image002

Eventually you are *not* able to get the security permissions programmatically.  There are certain set of methods listed in Offline Files API, but it does not have any interface to provide the security permission information we are looking for.

The reason for the unavailability of this information is because it is not exposed.  Why?, the reason for this is to maintain consistency between the effective security permissions with respect to the actual remote server and the Sync Center.  When server is offline then there is very possibility that the administrator may change the security permissions.  The actual ACL’s are only stored on the server end, therefore, can only be shown in a user interface when connected to the server.  Internally the Sync center actually store the effective permissions in the Offline Files metadata and access check is enforced when offline. 

Hence the file system APIs (like GetFileSecurity , GetSecurityInfo, GetNamedSecurityInfo, GetKernelObjectSecurity etc.) for querying and setting security on a file will fail with either STATUS_ONLY_IF_CONNECTED or STATUS_NOT_SUPPORTED.  Still if you would like to know if a given user has READ access to a give file, the application could attempt to open the file with READ access in the user’s security context but this is not a scalable workaround.

I hope you will find this information useful !!

Sandeep Sharma

Microsoft - WinSDK team