sunhux

asked on

Sequence of icacls to permit specific user but deny all users access to a file

C:\Windows\System32>icacls mstsc.exe
mstsc.exe BPROD\GOPO:(RX)
          NT SERVICE\TrustedInstaller:(F)
          BUILTIN\Administrators:(RX)
          NT AUTHORITY\SYSTEM:(RX)

I know how to use "icacls mstsc.exe /deny builtin\users:(RX)"
& how to remove a selected ACL from a file, but no matter what sequence of
issuing /grant or /deny or /remove I try, the ACL for builtin\users
is always on top of BPROD\GOPO.

My purpose is to place BPROD\GOPO (& a few end-user support guys' domain
ids) on top & then deny all builtin users so that other domain users (other
than the few end-user support guys) can't access mstsc.

I've also tried issuing the /grant enduser_id:(RX) /deny builtin\users:(RX)
on a single line, but the builtin deny ACL still goes on top. I'm assuming the
ACLs are checked in a top-down sequence.
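An added example, not code from the thread or its answers: it reproduces the ordering the asker sees on a scratch file, then applies the allow-only alternative of giving BUILTIN\Users no ACE at all. It assumes an elevated PowerShell and a support group name to substitute (the default is a built-in group so the script runs anywhere).

```powershell
# Added example, not code from the thread. Runs against a scratch file so the
# real mstsc.exe is untouched; run from an elevated PowerShell.
# $AllowedGroup is an assumption: substitute the support group (the thread's
# BPROD\GOPO). The default is a built-in group so the script runs anywhere.
param(
    [string]$AllowedGroup = 'BUILTIN\Remote Desktop Users',
    [string]$Target       = (Join-Path $env:TEMP 'icacls-order-demo.exe')
)

function Show-Dacl([string]$Path) {
    # Get-Acl lists ACEs in DACL order, which is the order the kernel checks them.
    (Get-Acl -Path $Path).Access |
        Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
}

New-Item -ItemType File -Path $Target -Force | Out-Null
icacls $Target /inheritance:r | Out-Null      # start from an empty, explicit-only DACL
icacls $Target /grant 'NT AUTHORITY\SYSTEM:(RX)' 'BUILTIN\Administrators:(RX)' | Out-Null

# 1. The asker's attempt: grant the group, then deny BUILTIN\Users.
icacls $Target /grant "${AllowedGroup}:(RX)" /deny 'BUILTIN\Users:(RX)' | Out-Null
Show-Dacl $Target
# Deny is listed first regardless of the command order: icacls writes a
# canonical DACL (explicit Deny ACEs ahead of explicit Allow ACEs), and the
# access check stops at the first ACE that denies a requested right. Because
# every domain user, support staff included, is a member of BUILTIN\Users,
# the Deny hits them before their Allow is ever reached.

# 2. Allow-only fix: drop both the Deny and any Allow for BUILTIN\Users and
#    leave just the explicit Allow for the specific group (plus SYSTEM and
#    Administrators). A principal matched by no ACE is denied by default, so
#    the Deny ACE is not needed and cannot pre-empt the support staff.
icacls $Target /remove:d 'BUILTIN\Users' | Out-Null
icacls $Target /remove:g 'BUILTIN\Users' | Out-Null
Show-Dacl $Target

# Before doing the same on mstsc.exe, keep a restorable copy of its DACL:
#   icacls C:\Windows\System32\mstsc.exe /save mstsc-acl.bak
#   icacls C:\Windows\System32 /restore mstsc-acl.bak    # to roll back
Remove-Item -Path $Target
```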
SOLUTION
Shaun Vermaak
sunhux

ASKER

Mind elaborating step by step (& command by command) how to create groups &
assign them using icacls?
I only now notice the MSTSC.exe part of the question.
Even though the previous statement is true, you are better off doing this via AppLocker.
Check this video https://www.youtube.com/watch?v=SFIZxe6U0E0. If the video doesn't make sense, let me know.
SOLUTION

ASKER

I can't use AppLocker on Windows 7 Professional: it's only Win 7 Premium.

ASKER

> You need to use two groups, create one (do not use users, GOPO users are members of it)
Mind giving the exact steps / commands to do the above? Thanks
ASKER CERTIFIED SOLUTION
You can always just create an outbound firewall rule for MSTSC.exe that is only allowed for certain users