private RawSecurityDescriptor CreateSecurityDescriptor(IEnumerable<IdentityRights> allowRights, IEnumerable<IdentityRights> denyRights = null) { var security = new DirectorySecurity(); security.SetOwner(CurrentIdentity); security.SetGroup(Group); if (allowRights == null) allowRights = Enumerable.Empty<IdentityRights>(); if (denyRights == null) denyRights = Enumerable.Empty<IdentityRights>(); foreach (var right in allowRights) { security.AddAccessRule(new FileSystemAccessRule(right.Identity, right.Rights, AccessControlType.Allow)); } foreach (var right in denyRights) { security.AddAccessRule(new FileSystemAccessRule(right.Identity, right.Rights, AccessControlType.Deny)); } var binaryDescriptor = security.GetSecurityDescriptorBinaryForm(); return new RawSecurityDescriptor(binaryDescriptor, 0); }