
Access Control Lists (ACLs)



Hi all, I've been reading a lot lately about ACLs

Access Control Lists - well, not that much anyway.

Basically I've just started working again for an old employer, but this time he has a network of around 25 PCs spread around the whole building (not wireless).

The "user" computers are locked down as they are only intended for accessing a menu-driven website and database.

I mean you can't even right-click the desktop to change properties, set a wallpaper or open any files or folders.

IE's Internet Options from the Tools menu isn't there, and so on.

Well, you can do things like open Notepad, but you can't save it anywhere as there's no write permissions allowed for that user.

It's basically like using a public library PC or an internet cafe one.

Now me being me, and as curious as I am, I managed to log in as administrator onto my work's PC and take a sneaky peek at the user groups and access permissions set on the PC's objects like folders and drives.

I was also able to tell that there is a logon/logoff script going on somewhere that backs up and replaces the registry on every user session logoff and adds the security lockdown tasks whilst logging on, if you know what I mean?

OK, you know what I'm on about now. So that's what I want to do on my windoze box.

I've got 5 user accounts altogether if you include the admin account, and that guest is turned on.

Well, I have friends that like using my PC a lot when they're here and my girlfriend also uses it too.

Thing is, even the normal user account (or if I create a new account and add it as a user only) has certain permissions I don't want it to, like access to folders on different partitions.

I don't have the right-click/properties values like security tabs as the ones that are on the work PC.

These are images of exactly what I see

Gulp - some hefty reading!!

There has to be an easier way!

Apparently I think you can have a .reg file that can do all this, it's just a matter of making one. :}

I'm running:

Windows XP Pro SP2

all new parts

Work PC is:

Windows XP Pro SP1

(Don't worry, I told my boss about the vulnerability and he said the next time I do it he'll sack me)


You don't have the Security Tab when logged in as admin because you have Simple File Sharing enabled in your XP Pro computer.

The file and folder's ACL is not stored in the registry but as a security descriptor in the file. The ACL contains a list of ACEs (access control entries) and the SIDs of the security principals.

The logon scripts can be controlled via Group Policy but they shouldn't be really necessary to apply folder permissions or policies, unless you mean roaming profiles in a domain.

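The reply above describes an ACL as a list of ACEs, each naming a SID. As an added example (not code from the thread or its posters), this Python sketch parses the SDDL text form of a security descriptor and reports allow ACEs that give write access to broad groups; the sample string, the alias subset and the function names are constructed for illustration.

```python
import re

# Constructed sample: SDDL text form of a folder's security descriptor.
SAMPLE = ("O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
          "(A;OICI;0x1200a9;;;BU)(A;OICI;0x1301bf;;;AU)(D;OICI;FW;;;BG)")

# Subset of the well-known SID aliases used in SDDL.
SID_ALIASES = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
               "BU": "BUILTIN\\Users", "BG": "BUILTIN\\Guests", "WD": "Everyone",
               "AU": "NT AUTHORITY\\Authenticated Users"}
BROAD = {"BU", "BG", "WD", "AU"}          # trustees covering ordinary users
WRITE_ALIASES = {"FA", "FW", "GA", "GW"}  # rights aliases that include write
# FILE_WRITE_DATA | FILE_APPEND_DATA | GENERIC_ALL | GENERIC_WRITE
WRITE_MASK = 0x2 | 0x4 | 0x10000000 | 0x40000000


def sid_name(sid):
    return SID_ALIASES.get(sid, sid)


def parse_sddl(sddl):
    """Return the owner and the DACL's ACEs from an SDDL string."""
    owner = re.search(r"O:(.*?)(?=G:|D:|S:|$)", sddl)
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        # ACE fields: type;flags;rights;object_guid;inherit_guid;trustee_sid
        kind, flags, rights, _, _, trustee = (body.split(";") + [""] * 6)[:6]
        aces.append({"type": {"A": "allow", "D": "deny"}.get(kind, kind),
                     "flags": re.findall("..", flags),
                     "rights": rights, "trustee": trustee})
    return {"owner": sid_name(owner.group(1)) if owner else None, "aces": aces}


def grants_write(rights):
    """True if a rights field (hex mask or two-letter aliases) allows writing."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    return any(r in WRITE_ALIASES for r in re.findall("..", rights))


def broad_write_aces(sddl):
    """Allow ACEs that let a broad group modify the object."""
    return [(sid_name(a["trustee"]), a["rights"])
            for a in parse_sddl(sddl)["aces"]
            if a["type"] == "allow" and a["trustee"] in BROAD
            and grants_write(a["rights"])]


if __name__ == "__main__":
    for trustee, rights in broad_write_aces(SAMPLE):
        print(f"write access for {trustee}: {rights}")
```

On a machine with PowerShell, `(Get-Acl <path>).Sddl` returns this string for a real file or folder.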

Hey Takeshi, yep you're right

I was going to come back last night to say that I realised I had "use simple file sharing" enabled in folder options.

After unchecking that, the security tab was viewable.

Well, I've managed to add certain users to the user group and have adjusted their permissions via it.

I then tested it by logging into that account and trying to run certain things.

It would let me run whatever I had added to the user groups list while other things throw up a restriction error 'please see the administrator' :)


That gpedit.msc is some place, isn't it, lots of options in there to forget you changed :lol I already knew about it but was kinda putting off looking in there. Think I'll read up about it.

I take it it's where you can add logon/off scripts and you'd put them in the C:\WINDOWS\System32\GroupPolicy\User\Scripts\Logon folder.

But I don't think I should worry about using any scripts just yet; all I want to do is just lock down certain privileges and rights to certain users more than the XP default. Think I'll try a 3rd party GP editor.

I'm playing around with the Local Users and Groups editor in the Computer Management tool at the moment, as it's there where you can add users to the relevant groups.

Thanks for the replies guys :)

