
Changing folder ACL on root



Hi all.

We want to create 2 folders in the root of C: at build time and apply ACL changes that will prevent normal users from deleting the folders, as they are essentially just public folders. What would be the best way to go about this other than using Group Policy? I have not had much experience with secedit but it seems fairly straightforward.

We also don't want users to be able to create or delete folders/files at the root level. Is that possible (they don't run as administrators)?

Edited by manky


Using Group Policy is a recommended way to manage multiple users. If you end up using an "in-system" method to control this, you will be left with a headache if you ever need to change something. Using Group Policy, you can manage these settings all from one central location.


  • 5 months later...

Okay, it's centralized and all, but if you'd like to, e.g., automatically change one simple setting (like allowing group Users to create symbolic links), how would you do it?

Maybe there's a command to be called in SetupComplete.cmd which imports that setting, just which one?

I merely know the "attended way" via secpol:

Local Security Policy > Local Policies > User Rights Assignment: Create symbolic links

Any ideas, tips...?


Thanks, Tripredacus.

There is quite some stuff in sceregvl.inf, but I can't find any reference to symbolic links or user assignment in it.

I might be looking in the wrong place (the original poster at TechNet is talking about a different setting).

Peeking into Microsoft's SCM, the particular setting lies under Microsoft Baselines > Windows 7 > Win7-EC-Desktop 1.0

Easiest way would be to filter out the relevant registry(?) setting, dump that to a file and deploy it on a fresh machine.

Just in case this won't work (if the setting is saved somewhere else), how could I track down this option?

Edit:

All right, just managed to dump a GptTmpl.inf for a start.

There's a plethora of settings in it (much more than the tiny bit I'm looking for), but it seems that the line

SeCreateSymbolicLinkPrivilege=*S-1-5-32-544,*S-1-5-32-545

is what I'm aiming at (in the section [Privilege Rights]).

Now, the question is whether one could simply cut the inf down to keep just this information and delete the rest.

So hopefully, what I'll get is something like:

[Unicode]
Unicode=yes
[Version]
signature=$CHICAGO$
Revision=1
[Privilege Rights]
SeCreateSymbolicLinkPrivilege=*S-1-5-32-544,*S-1-5-32-545
[Registry Values]
[System Access]

(dunno if the last 2 lines are needed)

Now I have to find out how to import that .inf during an unattended setup...

Edited by Mikka

Just for the record: It worked like that.

Basically what I did was take the pattern above (minus the last 2 lines) and save it to somefile.inf.

Then, (un)attendedly running the command

secedit /configure /db secedit.sdb /cfg somefile.inf

will import the setting and the new machine is updated.

That's all.
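Added example, not part of the thread: a PowerShell wrapper around the import described above that limits secedit to the user-rights area and then exports the effective policy to confirm the result. The working folder, the log and verify file names, and the variable names are assumptions; the privilege line and the secedit /configure call are the ones from the posts. Run it elevated, for instance from SetupComplete.cmd.

```powershell
# Added example; paths and variable names are hypothetical.
$ErrorActionPreference = 'Stop'
$work     = Join-Path $env:TEMP 'symlink-right'   # assumed working folder
$template = Join-Path $work 'somefile.inf'
$db       = Join-Path $work 'secedit.sdb'
$log      = Join-Path $work 'secedit.log'
$verify   = Join-Path $work 'verify.inf'
# SIDs from the thread: BUILTIN\Administrators and BUILTIN\Users.
# The template line sets the privilege to exactly this list; it does not
# append to whatever the machine had before.
$wanted   = '*S-1-5-32-544,*S-1-5-32-545'

New-Item -ItemType Directory -Path $work -Force | Out-Null

# Minimal template: header plus the single [Privilege Rights] entry.
# signature is quoted here, the way secedit /export writes it.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeCreateSymbolicLinkPrivilege={0}
'@ -f $wanted
# Unicode=yes in the header matches a UTF-16 encoded file.
Set-Content -Path $template -Value $inf -Encoding Unicode

# /areas USER_RIGHTS keeps the import from touching other policy areas
# even if the template later grows extra sections.
secedit /configure /db $db /cfg $template /areas USER_RIGHTS /log $log /quiet
if ($LASTEXITCODE -ne 0) {
    throw "secedit /configure returned $LASTEXITCODE, review $log"
}

# Export the effective user rights and compare against what was requested.
secedit /export /cfg $verify /areas USER_RIGHTS /quiet
$line = Select-String -Path $verify -Pattern '^SeCreateSymbolicLinkPrivilege\s*=' |
        Select-Object -First 1
if (-not $line) { throw 'SeCreateSymbolicLinkPrivilege missing from exported policy' }

$actual   = ($line.Line -split '=', 2)[1].Trim() -split ',' |
            ForEach-Object { $_.Trim() } | Sort-Object
$expected = $wanted -split ',' | Sort-Object
if (Compare-Object $expected $actual) {
    throw "Unexpected assignment: $($line.Line)"
}
"Verified: $($line.Line)"
```

Keeping the exported verify.inf with the build logs gives a record of which SIDs held the privilege at deployment time.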
