Network Drive not automatically connecting VIA login script after implementing security template.

victor2008 (United States of America) asked
OS Security
Seems like my issue might have to do with section 6.6 of the Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist. Seems like there are restrictions set on executable files. On my computer, with the NISTWinXPPro_enterprise_R1.2.1.inf template, I get "Access is denied" when running login.bat files as a local user, but not as a local administrator.

6.6 File Permissions

This section provides general instructions regarding setting permissions through file system access control entries (ACE) [102] and access control lists (ACL) for Windows XP. [103] The NIST templates and GPOs restrict access to dozens of executables, protecting them from unauthorized modification and usage. Additional custom settings may be added that are specific to the environment in which the Windows XP machine resides. Changes to an ACL for a specific resource, such as a file or folder, can be made using one of three possible methods:

- Open the Properties window for a resource from its context menu and click on the Security tab. It displays the privileges that each user or group has to the resource. The Advanced button can be used to set more granular permission rights and additional settings such as file auditing and the owner of the resource.
- Use the utility cacls.exe found in %SystemRoot%\system32. [104] This is a command-line interface used to set file ACLs, but it does not set Windows XP security descriptors.
- Use the MMC Security Template snap-in to apply settings from a template.

Windows XP uses an inheritance model for assigning ACEs. An object's ACL can contain ACEs that it inherited from its parent container. For example, a file in an NTFS filesystem can inherit ACEs from the directory that contains it. In addition, an ACE that is directly applied to a filesystem object is given a higher priority than an inherited ACE. The directly applied ACE overrides any conflicting inherited

[102] An ACE is an entry that binds a security identifier (SID) to a set of permissions within an ACL.
[103] Once file permissions are applied, there is not an automatic way to undo them or otherwise return the files to their previous permissions. Additional procedures, such as recording the original file permissions before applying new ones, may be needed to provide an undo capability. The same is true for the registry permissions described in Section 6.7.
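
The quoted section notes that applied file permissions have no automatic undo and suggests recording the originals first. One way to do that with PowerShell's Get-Acl and Set-Acl, as an added example that is not part of the original post or the NIST guide; the file list and snapshot path are assumed placeholders, and it assumes PowerShell 2.0 is installed on the machine.

```powershell
# Added example: record file ACLs before a security template is applied, then
# compare and, if needed, restore them afterwards.
# Assumptions: $Targets and $Snapshot are placeholders, not values from the post.
$Targets  = @("$env:SystemRoot\system32\cmd.exe",
              "$env:SystemRoot\system32\net.exe")
$Snapshot = "C:\acl-baseline.csv"

function Save-AclBaseline($Paths, $File) {
    # SDDL is a text form of the security descriptor (owner, group, DACL).
    $Paths | ForEach-Object {
        $acl = Get-Acl -Path $_
        New-Object PSObject -Property @{ Path = $_; Sddl = $acl.Sddl }
    } | Export-Csv -Path $File -NoTypeInformation
}

function Compare-AclBaseline($File) {
    # For every file whose descriptor changed, emit its current ACEs.
    # IsInherited = False marks ACEs applied directly to the file, which take
    # priority over ACEs inherited from the parent directory.
    Import-Csv -Path $File | ForEach-Object {
        $row = $_
        $now = Get-Acl -Path $row.Path
        if ($now.Sddl -cne $row.Sddl) {
            $now.Access | Select-Object @{ n = 'Path'; e = { $row.Path } },
                IdentityReference, AccessControlType, FileSystemRights, IsInherited
        }
    }
}

function Restore-AclBaseline($File) {
    # Put back only the DACL ('Access' section) recorded in the snapshot.
    # Run from an administrative session.
    Import-Csv -Path $File | ForEach-Object {
        $acl = Get-Acl -Path $_.Path
        $acl.SetSecurityDescriptorSddlForm($_.Sddl, 'Access')
        Set-Acl -Path $_.Path -AclObject $acl
    }
}

# Before applying the template:
#   Save-AclBaseline $Targets $Snapshot
# After applying it, list what changed and who is allowed or denied:
#   Compare-AclBaseline $Snapshot | Format-Table -AutoSize
# To roll the listed files back:
#   Restore-AclBaseline $Snapshot
```

In the comparison output, an ACE with IsInherited set to False that denies or omits execute rights for the affected user's groups is the place to look when a script runs for an administrator but not for a local user.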
