Solved

run cacls command from GPO startup script

Posted on 2012-04-06
7
2,025 Views
Last Modified: 2012-04-11
I have a batch script that runs cacls commands to reset permissions on files in the system32 directory of an Win XP domain computer.   The script is run as a machine startup script from an Active Directory GPO.   The script is not working correctly when run from the GPO.  If I run the script as a domain admin on the computer directly it works correctly.  
1. Can CACLS be run under the local computer SYSTEM credentials correctly?
2. If yes to #1, then what can I do to enable debugging to see why it's not working.

Here's an example of a line in the script.
echo y| cacls %SystemRoot%\system32\at.exe /G Administrators:F System:F
0
Comment
Question by:AManoux
  • 3
  • 2
  • 2
7 Comments
 
LVL 21

Expert Comment

by:yo_bee
ID: 37818235
Just out of curiosity doesn't these two accounts have full access?
0
 
LVL 7

Expert Comment

by:BelushiLomax
ID: 37818321
Why not just add the permissions using group policy?
0
 
LVL 1

Author Comment

by:AManoux
ID: 37818425
@yo_bee  I'm making permission changes to a multitude of files in the System32 directory.  Some of these permission changes are removing other accounts like "Interactive Users" from the ACE.   But yes, the two accounts I have listed in the example will remain as having full access.

@BlushiLomax  I wasn't aware that I could control the permissions on any file that I want through GPO
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 37819095
This is a very bad idea.  I would not change or manipulate any the files or folders in %windir%\ at all.
This can result is adverse results.

I think others will agree with me here.
0
 
LVL 1

Author Comment

by:AManoux
ID: 37819169
For high risk computers like those in public libraries, or any public kiosk, or stre point of sale register, it might be necessary to lock down as many attack points as possible.
0
 
LVL 7

Accepted Solution

by:
BelushiLomax earned 500 total points
ID: 37819219
Absolutely. Computer - Policies - Windows - Security - File System
Rt click in the right empty pane and add new file or folder and set perms.

I totally agree that giving this folder access is frowned upon and not very secure, but in a locked down environment, sometimes thats the only way to get things working.
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 37819222
Are we giving or removing default settings?
That is my concern.
0

Join & Write a Comment

Use this article to create a batch file to backup a Microsoft SQL Server database to a Windows folder.  The folder can be on the local hard drive or on a network share.  This batch file will query the SQL server to get the current date & time and wi…
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now