AManoux

run cacls command from GPO startup script

I have a batch script that runs cacls commands to reset permissions on files in the system32 directory of a Win XP domain computer. The script is run as a machine startup script from an Active Directory GPO. The script is not working correctly when run from the GPO. If I run the script as a domain admin on the computer directly it works correctly.
1. Can CACLS be run under the local computer SYSTEM credentials correctly?
2. If yes to #1, then what can I do to enable debugging to see why it's not working?

Here's an example of a line in the script.
echo y| cacls %SystemRoot%\system32\at.exe /G Administrators:F System:F
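
One way to record what the script does when it runs at startup with no console to read, so the log can be inspected afterwards (an added example, not part of the original post; the log path, the `:reset` label and the log layout are assumptions):

```batch
@echo off
rem Added example: hypothetical logging wrapper around the cacls line above.
rem A machine startup script has no visible console, so everything cacls
rem prints is lost unless it is redirected to a file.
setlocal

rem Assumed log location; pick any directory the SYSTEM account can write to.
set "LOG=%SystemRoot%\Temp\acl-startup.log"

>>"%LOG%" echo ==== %DATE% %TIME% on %COMPUTERNAME% ====
rem Record the identity and search path the script really runs with.
>>"%LOG%" echo Account: %USERDOMAIN%\%USERNAME%
>>"%LOG%" echo Path: %PATH%

call :reset "%SystemRoot%\system32\at.exe"

endlocal
exit /b 0

:reset
rem %~1 is the target file with surrounding quotes stripped.
>>"%LOG%" echo ---- %~1
if not exist "%~1" (
    >>"%LOG%" echo file not found
    exit /b 1
)
rem Same command as in the post; stdout and stderr both go to the log.
echo y| cacls "%~1" /G Administrators:F System:F >>"%LOG%" 2>&1
>>"%LOG%" echo cacls exit code: %ERRORLEVEL%
rem Dump the resulting ACL so the log shows what was actually applied.
cacls "%~1" >>"%LOG%" 2>&1
exit /b 0
```

Comparing the log from a GPO run with one from an interactive domain admin run shows whether the command started at all, which account it ran as, and what ACL each run left on the file.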
yo_bee

Just out of curiosity, don't these two accounts have full access?
Why not just add the permissions using group policy?
AManoux

ASKER

@yo_bee  I'm making permission changes to a multitude of files in the System32 directory.  Some of these permission changes are removing other accounts like "Interactive Users" from the ACE.   But yes, the two accounts I have listed in the example will remain as having full access.

@BlushiLomax  I wasn't aware that I could control the permissions on any file that I want through GPO.
This is a very bad idea.  I would not change or manipulate any of the files or folders in %windir%\ at all.
This can result in adverse results.

I think others will agree with me here.
AManoux

ASKER

For high risk computers like those in public libraries, or any public kiosk, or store point of sale register, it might be necessary to lock down as many attack points as possible.
ASKER CERTIFIED SOLUTION
BelushiLomax

This solution is only available to members.
Are we giving or removing default settings?
That is my concern.