sunhux
asked on
Sequence of icacls to permit specific user but deny all users access to a file
C:\Windows\System32>icacls mstsc.exe
mstsc.exe BPROD\GOPO:(RX)
NT SERVICE\TrustedInstaller:(F)
BUILTIN\Administrators:(RX)
NT AUTHORITY\SYSTEM:(RX)
I know how to use "icacls mstsc.exe /deny builtin\users:(RX)"
& removing selected ACL from a file but no matter what's the sequence of
issuing /grant or /deny or /remove that I try, the acl for builtin\users
always is on top of BPROD\GOPO.
My purpose is to place BPROD\GOPO (& a few end-user support guys domain
ids to be on top) & then deny all builtin users so that other domain users (other
than the few end-user support guys) can't access mstsc.
I've also tried issuing the /grant enduser_id:(RX) /deny builtin\users:(RX)
on a single line but the builtin deny acl still goes on top. I'm assuming the
ACLs are checked in a top-down sequence.
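Why the deny entry always lands on top, as an added example that is not part of the original post: a simplified Python model of how explicit ACEs are put in canonical order (denies before allows) and how the access check then walks them top-down. It assumes the support account is also a member of BUILTIN\Users; `BPROD\someuser` and the single RX bit are constructed for illustration, and the file's other ACEs are left out.

```python
# Simplified model of the Windows DACL access check (added example).
from dataclasses import dataclass

RX = 0x1  # stand-in bit for read & execute; real access masks have many bits


@dataclass(frozen=True)
class Ace:
    kind: str      # "deny" or "allow"
    trustee: str
    mask: int


def canonical(aces):
    """Order explicit ACEs canonically: denies before allows (stable sort)."""
    return sorted(aces, key=lambda a: a.kind != "deny")


def access_check(dacl, token_sids, wanted):
    """Walk ACEs top-down; a matching deny of a still-needed bit ends the check."""
    remaining = wanted
    for ace in dacl:
        if ace.trustee not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False  # bits that were never granted are implicitly denied


# Constructed tokens (assumption: the support account is in BUILTIN\Users too).
SUPPORT = {r"BPROD\GOPO", r"BUILTIN\Users"}
OTHER = {r"BPROD\someuser", r"BUILTIN\Users"}  # hypothetical ordinary user


def deny_users_plan():
    """/grant GOPO:(RX) and /deny Users:(RX), listed in the order typed."""
    typed = [Ace("allow", r"BPROD\GOPO", RX), Ace("deny", r"BUILTIN\Users", RX)]
    return canonical(typed)


def no_users_ace_plan():
    """No ACE for Users at all; only the support account is granted RX."""
    return canonical([Ace("allow", r"BPROD\GOPO", RX)])


def outcomes(dacl):
    return {"support": access_check(dacl, SUPPORT, RX),
            "other": access_check(dacl, OTHER, RX)}
```

In this model the deny on Users blocks the support account as well, while a DACL with no Users entry lets the support account in and leaves everyone else implicitly denied.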
I only now notice the MSTSC.exe part of the question.
Even though the previous statement is true, you are better off doing this via AppLocker.
Check this video https://www.youtube.com/watch?v=SFIZxe6U0E0. If the video doesn't make sense, let me know.
ASKER
I can't use AppLocker on Windows 7 Professional: it's only Win 7 Premium.
ASKER
> You need to use two groups, create one (do not use users, GOPO users are members of it)
Mind giving the exact steps / commands to do the above? Thanks
You can always just create an outbound firewall rule for MSTSC.exe that is only allowed for certain users.
ASKER
Assign using icacls?