Solved

run cacls command from GPO startup script

Posted on 2012-04-06
Last Modified: 2012-04-11
I have a batch script that runs cacls commands to reset permissions on files in the system32 directory of a Win XP domain computer. The script is run as a machine startup script from an Active Directory GPO. The script is not working correctly when run from the GPO. If I run the script as a domain admin on the computer directly, it works correctly.
1. Can CACLS be run under the local computer SYSTEM credentials correctly?
2. If yes to #1, then what can I do to enable debugging to see why it's not working.

Here's an example of a line in the script.
echo y| cacls %SystemRoot%\system32\at.exe /G Administrators:F System:F
Question by:AManoux
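The second question above asks how to see why the script misbehaves when the GPO runs it. As an added example (not part of the original post), this wrapper logs the identity the startup script actually runs as and the exit code of every cacls call to a file under %SystemRoot%\Temp, so the failure can be read from the log after boot rather than guessed at. The log path and the at.exe target are assumptions for illustration; the cacls line itself keeps the poster's semantics (/G without /E replaces the whole ACL rather than adding to it).

```batch
@echo off
REM Added example, not the original script. Wraps each cacls call so that the
REM account, the ACL before and after, and the exit code end up in one log.
setlocal
set LOG=%SystemRoot%\Temp\acl-reset.log

echo ==== %DATE% %TIME% ==== >> "%LOG%"
REM A machine startup script runs in the computer's SYSTEM context; record the
REM environment the script actually sees instead of assuming it.
echo USERNAME=%USERNAME% USERDOMAIN=%USERDOMAIN% COMPUTERNAME=%COMPUTERNAME% >> "%LOG%"
echo SystemRoot=%SystemRoot% >> "%LOG%"

REM One call per target file; add further targets the same way (assumed list).
call :reset "%SystemRoot%\system32\at.exe"

endlocal
exit /b 0

:reset
REM %1 is the quoted path. Log the ACL before, apply the reset, log the result.
echo --- %1 >> "%LOG%"
cacls %1 >> "%LOG%" 2>&1
REM /G without /E replaces the entire ACL with exactly these two entries.
REM "echo y|" answers the "Are you sure (Y/N)?" confirmation prompt.
echo y| cacls %1 /G Administrators:F System:F >> "%LOG%" 2>&1
REM ERRORLEVEL holds the exit code of the last command in the pipeline (cacls).
echo cacls exit code: %ERRORLEVEL% >> "%LOG%"
cacls %1 >> "%LOG%" 2>&1
exit /b
```

Two things to check in the resulting log: whether the "before" ACL listing even appears (a blank section means cacls could not open the file or the path did not resolve), and whether the exit code is non-zero with an "Access is denied" message, which points at the account rather than the script. Also note that the confirmation prompt is localized; piping "y" only works on an English Windows install, so a non-English client would hang or abort at that line.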
7 Comments
 
LVL 24

Expert Comment

by:yo_bee
ID: 37818235
Just out of curiosity doesn't these two accounts have full access?
 
LVL 7

Expert Comment

by:BelushiLomax
ID: 37818321
Why not just add the permissions using group policy?
 
LVL 1

Author Comment

by:AManoux
ID: 37818425
@yo_bee  I'm making permission changes to a multitude of files in the System32 directory. Some of these permission changes are removing other accounts like "Interactive Users" from the ACE. But yes, the two accounts I have listed in the example will remain as having full access.

@BelushiLomax  I wasn't aware that I could control the permissions on any file that I want through GPO
 
LVL 24

Expert Comment

by:yo_bee
ID: 37819095
This is a very bad idea. I would not change or manipulate any of the files or folders in %windir%\ at all.
This can result in adverse results.

I think others will agree with me here.
 
LVL 1

Author Comment

by:AManoux
ID: 37819169
For high-risk computers like those in public libraries, or any public kiosk, or store point-of-sale register, it might be necessary to lock down as many attack points as possible.
 
LVL 7

Accepted Solution

by:BelushiLomax (earned 2000 total points)
ID: 37819219
Absolutely. Computer - Policies - Windows - Security - File System
Right-click in the right empty pane, add a new file or folder and set perms.

I totally agree that giving this folder access is frowned upon and not very secure, but in a locked-down environment, sometimes that's the only way to get things working.
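What the File System node of that GPO actually stores is a security template section in the policy's GptTmpl.inf, which the Security Settings client-side extension applies on the client. As an added example (not from the thread), this is the template that expresses the poster's at.exe reset: Administrators (BA) and SYSTEM (SY) get Full Access and the DACL is protected (P) so nothing is inherited. The at.exe path is the one target from the question; the mode value and the secedit command in the comments are how the same template can be tested on one machine before it is attached to a GPO.

```ini
; Added example: a security template equivalent to the GPO File System entry.
; Test locally (as an administrator) before deploying through Group Policy:
;   secedit /configure /db %TEMP%\acltest.sdb /cfg acl.inf /areas FILESTORE /log %TEMP%\acltest.log
; then inspect the result with:
;   cacls %SystemRoot%\system32\at.exe
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
; "path",mode,"SDDL"  -- mode 0 is the default "configure this file" option
; (propagate inheritable permissions); D:PAR(A;;FA;;;BA)(A;;FA;;;SY) is a
; protected DACL granting Full Access to Administrators and SYSTEM only.
"%SystemRoot%\system32\at.exe",0,"D:PAR(A;;FA;;;BA)(A;;FA;;;SY)"
```

Unlike the startup script, this entry is re-applied at every security policy refresh, so a later hotfix that rewrites the file's ACL is undone on the next refresh rather than staying until the machine reboots. Keep the [File Security] list short and deliberate: every entry here is a permanent override of whatever default Windows ships for that file.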
 
LVL 24

Expert Comment

by:yo_bee
ID: 37819222
Are we giving or removing default settings?
That is my concern.