Solved

run cacls command from GPO startup script

Posted on 2012-04-06
2,054 Views
Last Modified: 2012-04-11
I have a batch script that runs cacls commands to reset permissions on files in the system32 directory of a Win XP domain computer. The script is run as a machine startup script from an Active Directory GPO. The script is not working correctly when run from the GPO. If I run the script as a domain admin on the computer directly it works correctly.
1. Can CACLS be run under the local computer SYSTEM credentials correctly?
2. If yes to #1, then what can I do to enable debugging to see why it's not working?

Here's an example of a line in the script.
echo y| cacls %SystemRoot%\system32\at.exe /G Administrators:F System:F
Question by:AManoux
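An added example, not the asker's script, of one way to get the debugging asked for in question 2: wrap each cacls call so that the identity the script runs under, the cacls output, its exit code and the resulting ACL are all written to a log file you can read after the reboot. The log path and the single-file list are assumptions for illustration; the cacls line itself is the one from the question.

```batch
@echo off
REM Example debugging wrapper for a GPO machine startup script (added example).
REM Assumptions: %SystemRoot%\Temp is writable by SYSTEM, and the file list
REM in the FOR loop is constructed for illustration (only at.exe here).
setlocal enabledelayedexpansion
set LOG=%SystemRoot%\Temp\acl-startup.log

echo ==== %DATE% %TIME% startup script begin >> "%LOG%"
REM Record which account and environment the script actually runs under;
REM as a machine startup script this should be the local SYSTEM account.
echo USERNAME=%USERNAME% USERDOMAIN=%USERDOMAIN% >> "%LOG%"
echo SystemRoot=%SystemRoot% >> "%LOG%"

for %%F in (at.exe) do (
    echo --- %%F >> "%LOG%"
    REM Same command as in the question; cacls without /E replaces the whole ACL,
    REM which is why it prompts and why "echo y|" is piped in.
    echo y| cacls "%SystemRoot%\system32\%%F" /G Administrators:F System:F >> "%LOG%" 2>&1
    REM Exit code of the pipeline is that of cacls (0 = success).
    echo exit code: !ERRORLEVEL! >> "%LOG%"
    REM Dump the ACL afterwards so the log shows what was actually applied.
    cacls "%SystemRoot%\system32\%%F" >> "%LOG%" 2>&1
)

echo ==== startup script end >> "%LOG%"
endlocal
```

After the next reboot, read %SystemRoot%\Temp\acl-startup.log: a non-zero exit code or an error message next to a file name tells you which call failed, and the ACL dump confirms whether the intended entries are present.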
7 Comments
 
LVL 22

Expert Comment

by:yo_bee
ID: 37818235
Just out of curiosity, don't these two accounts have full access?
 
LVL 7

Expert Comment

by:BelushiLomax
ID: 37818321
Why not just add the permissions using group policy?
 
LVL 1

Author Comment

by:AManoux
ID: 37818425
@yo_bee I'm making permission changes to a multitude of files in the System32 directory. Some of these permission changes are removing other accounts like "Interactive Users" from the ACE. But yes, the two accounts I have listed in the example will remain as having full access.

@BelushiLomax I wasn't aware that I could control the permissions on any file that I want through GPO.
 
LVL 22

Expert Comment

by:yo_bee
ID: 37819095
This is a very bad idea. I would not change or manipulate any of the files or folders in %windir%\ at all.
This can result in adverse results.

I think others will agree with me here.
 
LVL 1

Author Comment

by:AManoux
ID: 37819169
For high-risk computers like those in public libraries, or any public kiosk, or store point-of-sale register, it might be necessary to lock down as many attack points as possible.
 
LVL 7

Accepted Solution

by:BelushiLomax (earned 500 total points)
ID: 37819219
Absolutely. Computer - Policies - Windows - Security - File System
Right-click in the right empty pane and add a new file or folder and set perms.

I totally agree that giving this folder access is frowned upon and not very secure, but in a locked down environment, sometimes that's the only way to get things working.
 
LVL 22

Expert Comment

by:yo_bee
ID: 37819222
Are we giving or removing default settings?
That is my concern.