Solved

run cacls command from GPO startup script

Posted on 2012-04-06
7
2,131 Views
Last Modified: 2012-04-11
I have a batch script that runs cacls commands to reset permissions on files in the system32 directory of an Win XP domain computer.   The script is run as a machine startup script from an Active Directory GPO.   The script is not working correctly when run from the GPO.  If I run the script as a domain admin on the computer directly it works correctly.  
1. Can CACLS be run under the local computer SYSTEM credentials correctly?
2. If yes to #1, then what can I do to enable debugging to see why it's not working.

Here's an example of a line in the script.
echo y| cacls %SystemRoot%\system32\at.exe /G Administrators:F System:F
0
Comment
Question by:AManoux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 23

Expert Comment

by:yo_bee
ID: 37818235
Just out of curiosity doesn't these two accounts have full access?
0
 
LVL 7

Expert Comment

by:BelushiLomax
ID: 37818321
Why not just add the permissions using group policy?
0
 
LVL 1

Author Comment

by:AManoux
ID: 37818425
@yo_bee  I'm making permission changes to a multitude of files in the System32 directory.  Some of these permission changes are removing other accounts like "Interactive Users" from the ACE.   But yes, the two accounts I have listed in the example will remain as having full access.

@BlushiLomax  I wasn't aware that I could control the permissions on any file that I want through GPO
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 23

Expert Comment

by:yo_bee
ID: 37819095
This is a very bad idea.  I would not change or manipulate any the files or folders in %windir%\ at all.
This can result is adverse results.

I think others will agree with me here.
0
 
LVL 1

Author Comment

by:AManoux
ID: 37819169
For high risk computers like those in public libraries, or any public kiosk, or stre point of sale register, it might be necessary to lock down as many attack points as possible.
0
 
LVL 7

Accepted Solution

by:
BelushiLomax earned 500 total points
ID: 37819219
Absolutely. Computer - Policies - Windows - Security - File System
Rt click in the right empty pane and add new file or folder and set perms.

I totally agree that giving this folder access is frowned upon and not very secure, but in a locked down environment, sometimes thats the only way to get things working.
0
 
LVL 23

Expert Comment

by:yo_bee
ID: 37819222
Are we giving or removing default settings?
That is my concern.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question