MSFN Forum: Changing folder ACL on root - MSFN Forum


Changing folder ACL on root

#1 manky

Posted 26 August 2012 - 03:55 AM

Hi all.

We want to create 2 folders in the root of C: at build time and apply ACL changes that will prevent normal users from deleting the folders, as they are essentially just public folders. What would be the best way to go about this other than using group policy? I have not had much experience with secedit, but it seems fairly straightforward.

We also don't want users to be able to create or delete folders/files at the root level. Is that possible? (They don't run as administrators.)

This post has been edited by manky: 26 August 2012 - 03:56 AM



#2 Tripredacus

Posted 27 August 2012 - 08:45 AM

Using Group Policy is a recommended way to manage multiple users. If you end up using an "in-system" method to control this, you will be left with a headache if you ever need to change something. Using Group Policy, you can manage these settings all from one central location.

#3 Mikka

Posted 07 February 2013 - 05:33 PM

Okay, it's centralized and all, but if you like to e.g. automatically change one simple setting (like allowing group Users to create symbolic links), how would you do it?
Maybe there's a command to be called in SetupComplete.cmd which imports that setting, just which one?

I merely know the "attended way" via secpol:
Local Security Policy > Local Policies > User Rights Assignment: Create symbolic links

Any ideas, tips...?

#4 Tripredacus

Posted 08 February 2013 - 09:11 AM

There looks to be something called SCEREGVL.INF that you can try using.
http://social.techne...0-b2bb75e37b4f/

#5 Mikka

Posted 09 February 2013 - 09:09 AM

Thanks, Tripredacus.

There is quite some stuff in sceregvl.inf, but I can't find any reference to symbolic links or user assignment in it.
I might be looking at the wrong place (the original poster at TechNet is talking about a different setting).

Peeking into Microsoft's SCM, the particular setting lies under Microsoft Baselines > Windows 7 > Win7-EC-Desktop 1.0
Easiest way would be to filter out the relevant registry(?) setting, dump that to a file and deploy it on a fresh machine.
Just in case this won't work (if the setting is saved somewhere else), how could I track down this option?


Edit:
All right, just managed to dump a GptTmpl.inf for a start.

There's a plethora of settings in it (much more than the tiny bit I'm looking for), but it seems that the line
SeCreateSymbolicLinkPrivilege=*S-1-5-32-544,*S-1-5-32-545
is what I'm aiming at (in the section [Privilege Rights]).

Now, the question is whether one could simply cut the inf down to keep just this information and delete the rest.
So hopefully, what I'll get is something like:

[Unicode]
Unicode=yes
[Version]
signature=$CHICAGO$
Revision=1
[Privilege Rights]
SeCreateSymbolicLinkPrivilege=*S-1-5-32-544,*S-1-5-32-545
[Registry Values]
[System Access]


(dunno if the last 2 lines are needed)

Now I have to find out how to import that .inf during an unattended setup...

This post has been edited by Mikka: 09 February 2013 - 09:59 AM


#6 Mikka

Posted 09 February 2013 - 06:54 PM

Just for the record: It worked like that.
Basically, what I did was take the pattern above (minus the last 2 lines) and save it to somefile.inf.
Then, (un)attendedly running the command
secedit /configure /db secedit.sdb /cfg somefile.inf
will import the setting and the new machine is updated.
That's all.
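
The procedure from posts #5 and #6, written out as an added example that is not part of the original thread: it writes the minimal template, applies it with secedit, then exports the effective user rights and checks that the assignment took. The working directory, the file names other than somefile.inf and secedit.sdb, the /areas USER_RIGHTS restriction and the validation and verification steps are assumptions added here.

```powershell
# Added example, not code from the thread. Run elevated, for instance from
# SetupComplete.cmd:  powershell -ExecutionPolicy Bypass -File <this script>
# The working directory and the log/verify file names are assumptions.
$work = Join-Path $env:SystemRoot 'Temp\symlink-right'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'somefile.inf'
$db  = Join-Path $work 'secedit.sdb'
$log = Join-Path $work 'secedit.log'
$chk = Join-Path $work 'verify.inf'

# Minimal template from post #5, without the two empty trailing sections.
# A [Privilege Rights] line lists every holder of that right, so any SID
# left out of the line loses the right when the template is applied.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature=$CHICAGO$
Revision=1
[Privilege Rights]
SeCreateSymbolicLinkPrivilege=*S-1-5-32-544,*S-1-5-32-545
'@
Set-Content -Path $inf -Value $template -Encoding Unicode

# Syntax-check the template before touching the machine.
secedit /validate $inf | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Template failed validation: $inf" }

# Apply only the user-rights area so nothing else is reconfigured.
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed, see $log" }

# Export the effective user rights and confirm both SIDs are present.
secedit /export /cfg $chk /areas USER_RIGHTS /quiet
$line = Select-String -Path $chk -Pattern '^SeCreateSymbolicLinkPrivilege\s*=' |
        Select-Object -First 1
if (-not $line) { throw 'SeCreateSymbolicLinkPrivilege is not assigned to anyone' }
$sids = ($line.Line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
foreach ($want in '*S-1-5-32-544', '*S-1-5-32-545') {
    if ($sids -notcontains $want) { throw "Missing $want in: $($line.Line)" }
}
Write-Output "Applied and verified: $($line.Line.Trim())"
```

A user right granted this way shows up in a user's token only at the next logon, so test symbolic link creation from a fresh session.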
