manky Posted August 26, 2012 (edited)

Hi all.

We want to create 2 folders in the root of c: at build time and apply ACL changes that will prevent normal users from deleting the folders, as they're essentially just public folders. What would be the best way to go about this other than using group policy? I have not had much experience with secedit but it seems fairly straightforward.

We also don't want users to be able to create or delete folders/files at the root level. Is that possible? (They don't run as administrators.)

Edited August 26, 2012 by manky

Tripredacus Posted August 27, 2012

Using Group Policy is a recommended way to manage multiple users. If you end up using an "in-system" method to control this, you will be left with a headache if you ever need to change something. Using Group Policy, you can manage these settings all from one central location.

Mikka Posted February 7, 2013

Okay, it's centralized and all, but if you like to e.g. automatically change one simple setting (like allowing group Users to create symbolic links), how would you do it?

Maybe there's a command to be called in SetupComplete.cmd which imports that setting, just which one?

I merely know the "attended way" via secpol:

Local Security Policy > Local Policies > User Rights Assignment: Create symbolic links

Any ideas, tips...?

Tripredacus Posted February 8, 2013

There looks to be something called SCEREGVL.INF that you can try using.

http://social.technet.microsoft.com/Forums/en-US/compliancemanagement/thread/dd66dd86-0c08-4f19-8000-b2bb75e37b4f/

Mikka Posted February 9, 2013 (edited)

Thanks, Tripredacus.

There is quite some stuff in sceregvl.inf, but I can't find any reference to symbolic links or user assignment in it. I might be looking at the wrong place (the original poster at TechNet is talking about a different setting).

Peeking into Microsoft's SCM, the particular setting lies under

Microsoft Baselines > Windows 7 > Win7-EC-Desktop 1.0

Easiest way would be to filter out the relevant registry(?) setting, dump that to a file and deploy it on a fresh machine. Just in case this won't work (if the setting is saved somewhere else), how could I track down this option?

Edit:

All right, just managed to dump a GptTmpl.inf for a start. There's a plethora of settings in it (much more than the tiny bit I'm looking for), but it seems that the line

SeCreateSymbolicLinkPrivilege=*S-1-5-32-544,*S-1-5-32-545

is what I'm aiming at (in the section [Privilege Rights]).

Now, the question is if one could simply cut the inf down to keep just this information, deleting the rest. So hopefully, what I'll get is something like:

[Unicode]
Unicode=yes
[Version]
signature=$CHICAGO$
Revision=1
[Privilege Rights]
SeCreateSymbolicLinkPrivilege=*S-1-5-32-544,*S-1-5-32-545
[Registry Values]
[System Access]

(dunno if the last 2 lines are needed)

Now I have to find out how to import that .inf during an unattended setup...

Edited February 9, 2013 by Mikka

Mikka Posted February 10, 2013

Just for the record: It worked like that.

Basically what I did was taking the pattern above (minus the last 2 lines), saving it to somefile.inf. Then, (un)attendedly running the command

secedit /configure /db secedit.sdb /cfg somefile.inf

will import the setting and the new machine is updated.

That's all.
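
The import described in the thread, written out as an added PowerShell example (not posted by anyone in the thread) that also reads the right back after the import. The working folder, the after.inf and configure.log names, the quoted signature value, the /areas USER_RIGHTS restriction and the verification step are assumptions added here; it must run elevated.

```powershell
# Added example, not from the thread. Run from an elevated prompt.
$ErrorActionPreference = 'Stop'

$work     = Join-Path $env:SystemRoot 'Temp\symlink-right'  # assumed working folder
$template = Join-Path $work 'somefile.inf'
$database = Join-Path $work 'secedit.sdb'
$exported = Join-Path $work 'after.inf'                      # assumed name
$right    = 'SeCreateSymbolicLinkPrivilege'
# Well-known SIDs from the thread: BUILTIN\Administrators and BUILTIN\Users.
$sids     = '*S-1-5-32-544', '*S-1-5-32-545'

New-Item -ItemType Directory -Path $work -Force | Out-Null

# Minimal template: header sections plus the single [Privilege Rights] line.
$lines = @(
    '[Unicode]'
    'Unicode=yes'
    '[Version]'
    'signature="$CHICAGO$"'   # quoted, as in templates written by secedit /export
    'Revision=1'
    '[Privilege Rights]'
    "$right=$($sids -join ',')"
)
# -Encoding Unicode writes UTF-16LE, matching Unicode=yes in the template.
Set-Content -Path $template -Value $lines -Encoding Unicode

# Syntax-check the template before it touches local policy.
secedit /validate $template
if ($LASTEXITCODE -ne 0) { throw "secedit /validate failed ($LASTEXITCODE)" }

# Import it; /areas USER_RIGHTS limits the change to user rights assignment.
$log = Join-Path $work 'configure.log'
secedit /configure /db $database /cfg $template /areas USER_RIGHTS /log $log /quiet
if ($LASTEXITCODE -ne 0) { Write-Warning "secedit /configure returned $LASTEXITCODE, see $log" }

# Export the effective user rights and confirm both SIDs now hold the right.
secedit /export /cfg $exported /areas USER_RIGHTS /quiet
$line = Get-Content $exported | Where-Object { $_ -like "$right*" } | Select-Object -First 1
if (-not $line) { throw "$right is not assigned to anyone after the import" }

$actual  = (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() }
$missing = $sids | Where-Object { $actual -notcontains $_ }
if ($missing) { throw "Missing from ${right}: $($missing -join ', ')" }

"OK: $right = $($actual -join ',')"
```

Because the check reads the exported policy rather than trusting the import's exit code, the same last four statements can be reused later to audit which principals hold the right on an existing machine.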