Welcome to MSFN

manky

Changing folder ACL on root

6 posts in this topic

Hi all.

We want to create 2 folders in the root of C: at build time and apply ACL changes that will prevent normal users from deleting the folders, as they're essentially just public folders. What would be the best way to go about this other than using group policy? I have not had much experience with secedit, but it seems fairly straightforward.

We also don't want users to be able to create or delete folders/files at the root level. Is that possible (they don't run as administrators)?

Edited by manky

Using Group Policy is a recommended way to manage multiple users. If you end up using an "in-system" method to control this, you will be left with a headache if you ever need to change something. Using Group Policy, you can manage these settings all from one central location.


Okay, it's centralized and all, but if you like to e.g. automatically change one simple setting (like allowing group Users to create symbolic links), how would you do it?

Maybe there's a command to be called in SetupComplete.cmd which imports that setting, just which one?

I merely know the "attended way" via secpol:

Local Security Policy > Local Policies > User Rights Assignment: Create symbolic links

Any ideas, tips...?


Thanks, Tripredacus.

There is quite some stuff in sceregvl.inf, but I can't find any reference to symbolic links or user assignment in it.

I might be looking at the wrong place (the original poster at TechNet is talking about a different setting).

Peeking into Microsoft's SCM, the particular setting lies under Microsoft Baselines > Windows 7 > Win7-EC-Desktop 1.0

Easiest way would be to filter out the relevant registry(?) setting, dump that to a file and deploy it on a fresh machine.

Just in case this won't work (if the setting is saved somewhere else), how could I track down this option?

Edit:

All right, just managed to dump a GptTmpl.inf for a start.

There's a plethora of settings in it (much more than the tiny bit I'm looking for), but it seems that the line

SeCreateSymbolicLinkPrivilege=*S-1-5-32-544,*S-1-5-32-545

is what I'm aiming at (in the section [Privilege Rights]).

Now, the question is if one could simply cut the inf down to keep just this information, and delete the rest.

So hopefully, what I'll get is something like:

[Unicode]
Unicode=yes
[Version]
signature=$CHICAGO$
Revision=1
[Privilege Rights]
SeCreateSymbolicLinkPrivilege=*S-1-5-32-544,*S-1-5-32-545
[Registry Values]
[System Access]

(dunno if the last 2 lines are needed)

Now I have to find out how to import that .inf during an unattended setup...

Edited by Mikka

Just for the record: It worked like that.

Basically, what I did was take the pattern above (minus the last 2 lines) and save it to somefile.inf.

Then, (un)attendedly running the command

secedit /configure /db secedit.sdb /cfg somefile.inf

will import the setting and the new machine is updated.

That's all.

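The approach worked out in this thread, as an added PowerShell example that is not code from any of the posters: it exports the current user rights, writes the cut-down template for SeCreateSymbolicLinkPrivilege, applies it with secedit and re-exports to confirm. A [Privilege Rights] line replaces the whole holder list for that right, so the script merges the existing holders with BUILTIN\Users instead of hard-coding them. The scratch directory, the helper names Get-RightHolders and Invoke-Secedit, the quoted form of the signature line and the /areas USER_RIGHTS and /quiet switches are assumptions not taken from the thread.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Paths and helper names are assumptions.
$right  = 'SeCreateSymbolicLinkPrivilege'
$users  = '*S-1-5-32-545'                       # BUILTIN\Users, as in the thread
$work   = Join-Path $env:TEMP 'symlink-right'   # assumed scratch directory
$before = Join-Path $work 'before.inf'
$after  = Join-Path $work 'after.inf'
$cfg    = Join-Path $work 'somefile.inf'
$db     = Join-Path $work 'secedit.sdb'
New-Item -ItemType Directory -Path $work -Force | Out-Null

function Get-RightHolders([string]$InfPath, [string]$Name) {
    # Exported templates use "Name = sid,sid"; return the holders as an array.
    $line = Get-Content -Path $InfPath |
        Where-Object { $_ -match "^\s*$Name\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    @(($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Invoke-Secedit {
    # Run secedit with the given switches and stop on a non-zero exit code.
    & secedit.exe @args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit $($args -join ' ') failed ($LASTEXITCODE)" }
}

# 1. Export only the user-rights area so the current holders are known.
Invoke-Secedit /export /cfg $before /areas USER_RIGHTS /quiet

# 2. The template line replaces the whole list, so keep the existing holders.
$holders = @(Get-RightHolders $before $right) + $users | Sort-Object -Unique

# 3. Write the cut-down template as UTF-16, matching "[Unicode] Unicode=yes".
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$right = $($holders -join ',')
"@
Set-Content -Path $cfg -Value $template -Encoding Unicode

# 4. Apply the template, limited to user rights so nothing else is touched.
Invoke-Secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS /quiet

# 5. Re-export and confirm the right is now held by BUILTIN\Users.
Invoke-Secedit /export /cfg $after /areas USER_RIGHTS /quiet
if ((Get-RightHolders $after $right) -notcontains $users) { throw "$right not granted to $users" }
"$right = $((Get-RightHolders $after $right) -join ',')"
```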
