fdv
Posted May 19, 2008

Hi folks,

I'd like to keep people from creating files in the root like XP and Vista do. I did some reading at the MS TechNet. Then, I expanded and opened DEFLTWK.INF and added a new string. Before I reveal it, here are the strings from the successor OSes:

; VISTA: "%SystemDrive%\",0,"D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICI;GRGX;;;BU) (A;OICIIO;GRGWGXSD;;;AU)(A;;LC;;;AU)"
; XP: "%SystemDrive%\",0,"D:AR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;;0x1200a9;;;WD)(A;OICI;FA;;;SY) (A;OICI;0x1200a9;;;BU)(A;CI;0x100004;;;BU)(A;CIIO;0x100002;;;BU)"

The problem is that they both seem to do the opposite of what I want... they allow admin users to delete any folder (which is nice for undeletable system folders like IAS, ROCKET, NETMEETING, OS2, etc etc.) But the regular Authenticated Users suddenly can't write to anything.

From the Vista string, translating into English:

A;OICIIO;GRGWGXSD;;;AU

Means

A = Allow; OICI = pass ACL (inherit) to all child files and folders...
IO = ...but don't apply the ACE to this object, just the child objects
GRGWGXSD = General Read, Write, Execute, and list dir contents
AU = For all Authenticated Users.

I have tried all sorts of permutations to get the XP or Vista strings to work right, the admin rights are always fine but everything else is too restrictive on 2k where the same string works on XP.

Anyone conversant in ACLs want to give me some clues? -- thx

gosh
Posted May 19, 2008

For win2k/xp/2k3 the root permissions are controlled by a special file, it's an inf but I forget the file name.

There's really no reason to change the default settings for the root, and doing so can have disastrous consequences; you really should leave the defaults alone.

-gosh

fdv (Author)
Posted May 20, 2008

Hi Gosh,

XP and 2k3 have the root rights set by that INF file (I forget the name as well) but MS documentation states that 2000 has no root permissions set because (from MS):

"Setup does not change the permissions on %systemdrive% because the Windows 2000 ACL Inheritance model would recursively try to configure all subdirectories of the root. Administrators should configure root directory security according to their own system configurations and requirements."

So I thought I'd follow their advice and configure according to my own requirements, but 2000 seems to be more clever than I am.
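
An added example, not part of the original posts: a small Python decoder for the two DACL strings quoted in the first post, separating the ACEs that apply to the root folder itself from the inherit-only ones. The function names are made up for this illustration, the token tables cover only the tokens and mask bits that occur in those two strings, and group membership is not resolved.

```python
import re

# Alias tables limited to the tokens that occur in the two quoted strings.
SIDS = {"BA": "Builtin Administrators", "SY": "Local System", "BU": "Builtin Users",
        "AU": "Authenticated Users", "CO": "Creator Owner", "WD": "Everyone"}
# LC is a directory-service alias; its bit (0x4) means "create folders" on a directory.
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE", "FA": "FILE_ALL_ACCESS", "SD": "DELETE",
          "LC": "FILE_ADD_SUBDIRECTORY"}
# Names of the bits used by the hex masks, as they read on a directory.
BITS = {0x1: "FILE_LIST_DIRECTORY", 0x2: "FILE_ADD_FILE", 0x4: "FILE_ADD_SUBDIRECTORY",
        0x8: "FILE_READ_EA", 0x20: "FILE_TRAVERSE", 0x80: "FILE_READ_ATTRIBUTES",
        0x20000: "READ_CONTROL", 0x100000: "SYNCHRONIZE"}

def scope(flags):
    """Turn OI/CI/IO inheritance flags into the objects the ACE applies to."""
    f = set(re.findall("..", flags))
    targets = [] if "IO" in f else ["this folder"]  # IO = inherit-only
    return targets + [n for k, n in (("CI", "subfolders"), ("OI", "files")) if k in f]

def rights(field):
    """Expand a rights field: either a hex mask or a run of two-letter tokens."""
    if field.lower().startswith("0x"):
        return [name for bit, name in BITS.items() if int(field, 16) & bit]
    return [RIGHTS.get(tok, tok) for tok in re.findall("..", field)]

def parse_dacl(sddl):
    """Return one dict per ACE; whitespace between ACEs is ignored."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", sddl):
        ace_type, flags, mask, _obj, _inherit_obj, sid = body.split(";")
        aces.append({"type": {"A": "allow", "D": "deny"}[ace_type],
                     "applies_to": scope(flags), "rights": rights(mask),
                     "trustee": SIDS.get(sid, sid)})
    return aces

def rights_on_root(sddl, trustee):
    """Rights an explicitly named trustee holds on the root folder itself.
    Group membership is not resolved; only ACEs naming the trustee count."""
    return [r for ace in parse_dacl(sddl)
            if ace["trustee"] == trustee and "this folder" in ace["applies_to"]
            for r in ace["rights"]]

# SDDL portions of the strings quoted in the first post.
VISTA = ("D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICI;GRGX;;;BU) "
         "(A;OICIIO;GRGWGXSD;;;AU)(A;;LC;;;AU)")
XP = ("D:AR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;;0x1200a9;;;WD)(A;OICI;FA;;;SY) "
      "(A;OICI;0x1200a9;;;BU)(A;CI;0x100004;;;BU)(A;CIIO;0x100002;;;BU)")
```

Calling `rights_on_root(VISTA, "Authenticated Users")` or `rights_on_root(XP, "Builtin Users")` shows that in both strings the named user groups get "create folders" on the root itself, while file creation and write access are carried only by inherit-only ACEs that take effect below the root.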