
Changing folder ACL on root


5 replies to this topic

#1
manky


    Newbie

  • Member
  • 10 posts
  • Joined 27-September 05
Hi all.

We want to create 2 folders in the root of C: at build time and apply ACL changes that will prevent normal users from deleting the folders, as they are essentially just public folders. What would be the best way to go about this other than using group policy? I have not had much experience with secedit but it seems fairly straightforward.

We also don't want users to be able to create or delete folders/files at the root level. Is that possible (they don't run as administrators)?

Edited by manky, 26 August 2012 - 03:56 AM.




#2
Tripredacus


    K-Mart-ian Legend

  • Super Moderator
  • 9,972 posts
  • Joined 28-April 06
  • OS:Server 2012

Donator

Using Group Policy is a recommended way to manage multiple users. If you end up using an "in-system" method to control this, you will be left with a headache if you ever need to change something. Using Group Policy, you can manage these settings all from one central location.
MSFN RULES | GimageX HTA for PE 3-5 | lol probloms

#3
Mikka


    Junior

  • Member
  • 80 posts
  • Joined 02-March 06
  • OS:none specified
Okay, it's centralized and all, but if you'd like to, e.g., automatically change one simple setting (like allowing group Users to create symbolic links), how would you do it?
Maybe there's a command to be called in SetupComplete.cmd which imports that setting, just which one?

I merely know the "attended way" via secpol:
Local Security Policy > Local Policies > User Rights Assignment: Create symbolic links

Any ideas, tips...?

#4
Tripredacus


    K-Mart-ian Legend

  • Super Moderator
  • 9,972 posts
  • Joined 28-April 06
  • OS:Server 2012

Donator

There looks to be something called SCEREGVL.INF that you can try using.
http://social.techne...0-b2bb75e37b4f/

#5
Mikka


    Junior

  • Member
  • 80 posts
  • Joined 02-March 06
  • OS:none specified
Thanks, Tripredacus.

There is quite some stuff in sceregvl.inf, but I can't find any reference to symbolic links or user assignment in it.
I might be looking at the wrong place (the original poster at TechNet is talking about a different setting).

Peeking into Microsoft's SCM, the particular setting lies under Microsoft Baselines > Windows 7 > Win7-EC-Desktop 1.0
Easiest way would be to filter out the relevant registry(?) setting, dump that to a file and deploy it on a fresh machine.
Just in case this won't work (if the setting is saved somewhere else), how could I track down this option?


Edit:
All right, just managed to dump a GptTmpl.inf for a start.

There's a plethora of settings in it (much more than the tiny bit I'm looking for), but it seems that the line
SeCreateSymbolicLinkPrivilege=*S-1-5-32-544,*S-1-5-32-545
is what I'm aiming at (in the section [Privilege Rights]).

Now, the question is whether one could simply cut the inf down to keep just this information and delete the rest.
So hopefully, what I'll get is something like:

[Unicode]
Unicode=yes
[Version]
signature=$CHICAGO$
Revision=1
[Privilege Rights]
SeCreateSymbolicLinkPrivilege=*S-1-5-32-544,*S-1-5-32-545
[Registry Values]
[System Access]


(dunno if the last 2 lines are needed)

Now I have to find out how to import that .inf during an unattended setup...

Edited by Mikka, 09 February 2013 - 09:59 AM.


#6
Mikka


    Junior

  • Member
  • 80 posts
  • Joined 02-March 06
  • OS:none specified
Just for the record: It worked like that.
Basically what I did was take the pattern above (minus the last 2 lines) and save it to somefile.inf.
Then, (un)attendedly running the command
secedit /configure /db secedit.sdb /cfg somefile.inf
will import the setting and the new machine is updated.
That's all.
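
A scripted form of the import described in post #6, with a read-back of the resulting assignment. This is an added example, not code posted by anyone in the thread; the working directory, the log and export file names, and the `/areas`, `/log` and `/quiet` switches are choices made here, while the template and SIDs are the ones from post #5.

```powershell
# Added example. Run elevated, e.g. from a script called by SetupComplete.cmd.
# Paths below are assumptions; template content and SIDs come from the thread.
$work     = Join-Path $env:TEMP 'symlink-right'
$template = Join-Path $work 'somefile.inf'
$db       = Join-Path $work 'secedit.sdb'
$log      = Join-Path $work 'configure.log'
$export   = Join-Path $work 'after.inf'
$expected = '*S-1-5-32-544', '*S-1-5-32-545'   # BUILTIN\Administrators, BUILTIN\Users

New-Item -ItemType Directory -Path $work -Force | Out-Null

# A [Privilege Rights] line sets the complete holder list for that privilege,
# so every principal that should keep the right has to appear on it.
@'
[Unicode]
Unicode=yes
[Version]
signature=$CHICAGO$
Revision=1
[Privilege Rights]
SeCreateSymbolicLinkPrivilege=*S-1-5-32-544,*S-1-5-32-545
'@ | Set-Content -Path $template -Encoding Unicode

# /areas USER_RIGHTS restricts the import to user rights assignments, so a
# template that carries other sections cannot change anything else.
secedit /configure /db $db /cfg $template /areas USER_RIGHTS /log $log /quiet
if ($LASTEXITCODE -ne 0) { Write-Warning "secedit exited with $LASTEXITCODE, see $log" }

# Read the effective assignment back rather than trusting the exit code.
secedit /export /cfg $export /areas USER_RIGHTS /quiet | Out-Null
$line = Get-Content $export |
    Where-Object { $_ -match '^\s*SeCreateSymbolicLinkPrivilege\s*=' } |
    Select-Object -First 1
if (-not $line) { throw 'SeCreateSymbolicLinkPrivilege is not assigned to anyone.' }

# Compare the exported holder list with the intended one, ignoring order.
$actual = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
$diff   = Compare-Object ($expected | Sort-Object) ($actual | Sort-Object)
if ($diff) { throw "Unexpected holders of the privilege: $($actual -join ', ')" }
"SeCreateSymbolicLinkPrivilege holders: $($actual -join ', ')"
```

On a domain-joined machine a GPO that defines the same right will overwrite the local value at the next policy refresh, so the read-back only reflects the state at build time.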



