Solved

run cacls command from GPO startup script

Posted on 2012-04-06
Last Modified: 2012-04-11
I have a batch script that runs cacls commands to reset permissions on files in the system32 directory of a Win XP domain computer. The script is run as a machine startup script from an Active Directory GPO. The script is not working correctly when run from the GPO. If I run the script as a domain admin on the computer directly it works correctly.
1. Can CACLS be run under the local computer SYSTEM credentials correctly?
2. If yes to #1, then what can I do to enable debugging to see why it's not working?

Here's an example of a line in the script.
echo y| cacls %SystemRoot%\system32\at.exe /G Administrators:F System:F
0
Question by:AManoux
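
An added example, not part of the original question or of any answer in this thread: one way to see what the startup script does under the SYSTEM account is to have it append the cacls output and the resulting ACL to a log file. The log path, the `:reset` helper and the one-item file list are assumptions made for illustration.

```bat
@echo off
rem Added example: startup-script variant that records what cacls does.
rem LOG path and the file list are assumptions; adjust them to the real script.
setlocal
set "LOG=%SystemRoot%\Temp\acl-startup.log"

rem Record when the script ran and which account it ran as.
>>"%LOG%" echo ===== %DATE% %TIME% user=%USERNAME% computer=%COMPUTERNAME% =====

rem Add further file names to the list in parentheses, separated by spaces.
for %%F in (at.exe) do call :reset "%SystemRoot%\system32\%%F"
endlocal
goto :eof

:reset
rem %1 is the quoted full path of the file whose ACL is being replaced.
if not exist %1 (
    >>"%LOG%" echo MISSING %~1
    goto :eof
)
>>"%LOG%" echo --- %~1: cacls output
rem Capture both stdout and stderr so access-denied messages end up in the log.
echo y| cacls %1 /G Administrators:F System:F >>"%LOG%" 2>&1
>>"%LOG%" echo --- %~1: ACL after the change
rem Dump the resulting ACL so the log shows whether the change took effect.
cacls %1 >>"%LOG%" 2>&1
goto :eof
```

After the next reboot, the log shows whether the script ran at all, which account it ran as, and what cacls reported for each file.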
7 Comments
 
LVL 23

Expert Comment

by:yo_bee
ID: 37818235
Just out of curiosity, don't these two accounts have full access?
0
 
LVL 7

Expert Comment

by:BelushiLomax
ID: 37818321
Why not just add the permissions using group policy?
0
 
LVL 1

Author Comment

by:AManoux
ID: 37818425
@yo_bee I'm making permission changes to a multitude of files in the System32 directory. Some of these permission changes are removing other accounts like "Interactive Users" from the ACE. But yes, the two accounts I have listed in the example will remain as having full access.

@BelushiLomax I wasn't aware that I could control the permissions on any file that I want through GPO.
0
LVL 23

Expert Comment

by:yo_bee
ID: 37819095
This is a very bad idea. I would not change or manipulate any of the files or folders in %windir%\ at all.
This can result in adverse results.

I think others will agree with me here.
0
 
LVL 1

Author Comment

by:AManoux
ID: 37819169
For high risk computers like those in public libraries, or any public kiosk, or store point of sale register, it might be necessary to lock down as many attack points as possible.
0
 
LVL 7

Accepted Solution

by:
BelushiLomax earned 2000 total points
ID: 37819219
Absolutely. Computer - Policies - Windows - Security - File System
Right-click in the right empty pane and add new file or folder and set perms.

I totally agree that giving this folder access is frowned upon and not very secure, but in a locked down environment, sometimes that's the only way to get things working.
0
 
LVL 23

Expert Comment

by:yo_bee
ID: 37819222
Are we giving or removing default settings?
That is my concern.
0
