Permanently Changing Windows XP Security Settings?
pnutjam asks: "I have googled and perused several publications seeking an answer but I find no mention of this problem anywhere. I am running applications not designed for a multi-user environment on Windows XP. To allow standard users to run these applications I've modified permissions on files, folders, and registry keys. Whenever a computer with the modifications is rebooted, the permissions revert to their previous settings. It doesn't happen when the users log off, only when the computers are rebooted." When adjusting Windows XP to support such applications, how do you make permission changes so that they survive through a reboot?
Methinks this question would be better asked on a Windows-XX specific site. Here, you're likely to get bombarded with flames.....
BTW, I have a subtle feeling that the TCO savings you get with XP server are because it is designed to be a pig to manage without it.
What do you mean you already knew that......before the product was even beta'd????????
And if you thought that was boring you obviously haven't read my Journal ;-)
Slashdot, News for Nerds. Stuff that matters.
Not all computer "nerds" run linux/bsd/etc and probably don't want to. Flame me away, but this is a technical news forum with a slant against anything microsoft/anti-gpl etc.
People grow up and just comment if you can help. I'm not a microsoft fanboy, but this ignorance, aggression and non-acceptance is really counter productive for the "community" you people aspire to have in life.
it would be nice if they had an "ask the pro's" section so I didn't have to see this type stuff. :-/
Get paid to code OSS
"Install *nix." ... and donate your game library to Salvation Army.
"Derp de derp."
Depending on how your users are set up, the default in XP Professional (or at least the Enterprise-level license that my employer uses, YMMV depending on how much your IT department trusts lusers) is for users NOT to have local Admin Rights. Upon rebooting, file permissions would be reset from the Active Directory database- and I'd expect exactly this kind of behavior.
Failing that, I'd have to examine your source, perhaps you aren't actually persisting the ADSI object properly to save to the Active Directory database?
Finally, I agree with previous posters- an Open Source website is no place to ask random support questions for a closed source OS.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
dont reboot ??
oh wait..
"Random fucking Windows fucking technical support? What the hell is going on here? Really... this place used to be Slashdot... "
"Today's Slashdot story was, without a doubt, the worst submission ever. Rest assured that I was on the Internet within minutes, registering my disgust throughout the world. As a loyal reader, I feel Slashdot owes me."
"Derp de derp."
Slashdot Sig. version 0.1alpha. Use at your own risk.
Set up a domain, then set up group policies.
Done and done.
"Moderate drinking can help prevent amputated limbs" -- Abigail Zuger, NYTimes, 12/31/02
Hey, let's post an Ask Slashdot question asking about Windows XP security/settings, and fail to mention:
1) What application we're using that requires these settings.
2) What our user setup is like. Are the users in the "Users" group, or the "Administrators" group? Are they part of the local machine, or a networked setup of users?
3) Where this application is being installed to. Have we tried other locations? What permissions does it need?
4) What you are doing exactly to remove permissions; what users/groups?
Maybe with the details, we can provide a more proper answer. K thanks bye.
Not All Who Wander Are Lost
This isn't really a fix, but it is a way around your problem. Set up a script using WMI to change all your permissions, shares and registry entries. Place the script in the startup folder and forget about it.
Download the script samples and modify as necessary from:
http://www.microsoft.com/technet/community/scriptcenter/sampscr.mspx
machinator omnis sine licentia
GPO's are there for this purpose. If you can't afford licensing then I'd say you need to read up on VB scripting.
Don't get me wrong, I'm not saying you need to become a genius in it to do this stuff... but not knowing GPO's and VBS is like not knowing RC's and #!/bin/sh.
Create a login script to reapply the necessary security settings (WMI/VBScript) each time a user logs in. You might only need it every reboot, but the user has to log in after a reboot, so this approach should cover all the bases.
NO CARRIER
Why don't you try running it in VMWare?
In case you don't know, it will allow you to run a completely virtual machine. You can run Linux, 98, NT, XP, whatever you want, even simultaneously. The nice thing is that you can even take a snapshot and easily restore the whole system to the exact point when you saved it. You can even take a snapshot of a booted system, and when you restore it, it'll already be booted.
-
Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
The company I work for uses Netifice as its VPN provider and when you install Netifice SmartWorX on Windows XP Pro it disables the friendly welcome screen and fast user switching. If you try and re-enable this stuff it says the Cisco VPN service is preventing this from being changed. The checkbox that lets you select whether or not users have to use Ctrl-Alt-Delete to logon to the PC is checked and greyed out so the choice cannot be toggled.
Wish I could tell you more than that. It's a start I guess.
Upon rebooting, file permissions would be reset from the Active Directory database- and I'd expect exactly this kind of behavior.
Uhh, just exactly when did Microsoft move file system rights out of NTFS and into Active Directory?
If that's true, then boy, do I feel like Rip Van Winkle...
Likely changes are being made to permissions in the registry permissions on your machine due to security policy, which is implemented on the machine when it is turned on. You'll want to edit things that you want to change in the Control Panel, under Administrative Tools, in the icon that says "Local Security Policy" and I apologize for my compatriots who have been less than kind...
> Not all computer "nerds" run linux/bsd/etc and probably don't want to.
In fact, according to the ./ editors, the majority of visitors here are running Windows.
When I first read this ask-for-help I thought it was a linux guy having a troll.
I've modified permissions on files, folders, and registry keys. Whenever a computer with the modifications is rebooted, the permissions revert to their previous settings.
Windows does not alter ACLs (access control lists) on files or folders at boot time. It is possible that you or someone else has configured a startup process or logon script (under Win2X active directory, computers can have logon scripts) that repermissions folders or files. I suggest either a full audit of the logon process or a rebuild to a standard windows (with latest patches, see www.windowsupdate.com).
Registry settings by default are not altered by the startup/shutdown process, but again there may be a group policy or logon script attached to the object in AD somehow that is launching a permissioning process, or inheriting a new registry hive, although this is exceedingly unlikely. Again, a complete rebuild would solve this.
If you do the rebuild and it does not help, check with your application support. From my 7 years of Windows drudgery and experience, 75% or more of "Windows" problems come from third party apps or PEBKACs.
If you're unwilling to do the build or the application support people can't help you, contact Microsoft. They're very expensive, but they are very good at what they do, despite what the Slashdot crowd would have you believe.
I am government man, come from the government. The government has sent me. -- G.I.R.
Group Policy Edit: GpEdit.msc. Enter that in Run... or in a DOS window.
The whole system is very sloppy and very poorly documented, in my experience.
I had the same problem -- I had a program that had to be installed by an Administrator, but I had to change the permissions on all the files for certain people and/or groups to use them. My app had to run on Windows XP and 2K.
I Googled and found out about a command named "cacls". It can be used from the command line to change all the permission settings on any files or folders to allow any users or groups to use it.
I'll leave it up to others to post more information on this, since I don't have the info in front of me and since this seems like too easy a question for Ask Slashdot (perhaps another Ask SlashGoogle?) -- unless I completely misunderstand the question.
try asking this question at experts exchange. You'll find people there will be much more helpful with this issue.
Those with experience know that if you have a difficult Microsoft technical support question, it is better to ask the Psychic Friends Network. They don't know the answer either, but they are more friendly and less expensive.
I've asked 3 questions of MS Tech support recently, and got 0.00 useful answers. For anyone who would like more accuracy in that number, it was 0.00000000000 useful answers.
Microsoft technical support people not only cannot answer your question, but they are prevented by the Microsoft management hierarchy from communicating with anyone who would know the answer.
Also, permissions policy in NTFS has some bugs, apparently. (Mentioned by someone else, earlier. I've encountered quirkiness, also.) There is at least one policy setting in Windows XP that says, "Only works in Windows 2000".
Often a commercial company will not tell the truth about bugs. That's why I like Open Source people. They are honest about bugs. I reported 3 bugs in the NET USE command in Windows XP, and Microsoft Technical Support refused to do anything about it. Too much paperwork to report bugs, I guess.
Also, check out 825751 - HOW TO: Use Xcacls.vbs to Modify NTFS Permissions. Works from a command line, and can run at startup.
But, only the old version, Xcacls.exe, is freely available. It is necessary to contact MS Technical Support for the latest version. If you get it, send it to me:
jennings_michael AT Hotmail DOT com
Sometimes MS requires you to have an "MS Passport" to get technical support, so that is the address I use. Hotmail is, however, a cesspool of unwanted email, so I don't usually use it for anything else.
Dunno if anyone suggested that, but it seems reasonable to me. Had a few drinks though, make sure you have a grain of salt handy. ;)
My place of work solved this and many other problems with Deep Freeze. This has been a godsend. There are some other products, but the names escape me.
That feature helps people avoid the complexity of ACL management that NT is capable of but I suspect it might be exactly the thing that resets your changes when rebooting.
I haven't tested this claim though, this is just a suggestion.
Group Policy allows you to override permissions onto NTFS objects, registry keys, and even Active Directory objects. GPOs are stored in Active Directory.
Yikes! When did that come out? Is it stable?
I know that Novell has always resisted the temptation to move file permissions out of the NetWare file system and into Novell Directory Services simply because the file system permission structure is so massive and would bog down the directory tremendously. [You usually get just a single file system volume object in the NDS tree, but I've never seen NDS overrides of local file system permissions.]
And Novell has dynamic inheritance of both file system permissions and directory permissions; I can only imagine what a ghastly mess this would be in the Microsoft world where both NTFS and Active Directory are crippled by static permissions.
Anybody have any experience with this stuff?
More help. The documents are a mess, with contradictory statements and errors, and scattered information. Supposedly, all of these documents apply to Windows XP. At least that's what I was told by MS tech. support.
Introduction to Windows 2000 Group Policy
Understanding Group Policies on Windows Server 2003
Windows XP Group Policies
325388 Support WebCast: Windows 2000: Group Policy
298444 A Description of the Group Policy Update Utility
I think he is speaking of local group policy, which does not require Active Directory, but can use it for policy enforcement.
I believe AD just maintains a database of policies available on local machines.
start => run => mmc
file => add snap-in
add => security templates
set your file / registry / services info in the template. save it as .inf
then apply the template
secedit /configure /cfg myfile.inf /db myfile.sdb /log myfile.log
that will compile the inf into a sdb [security db], and apply it. any result will be written to the log. by convention...
sdb location: %windir%\security\Database
logs: %windir%\security\logs
inf: %windir%\security\templates
...where "%windir%" is the windows install dir... i.e. C:\windows or C:\winnt
bonus: the template [myfile.inf] can then be copied and applied to any other win2k+ workstation/server.
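As an added example that is not code from any poster in this thread, here is a security template in the .inf format the secedit steps above consume, with comments giving the configure and analyze commands; the LegacyApp folder and registry key names are placeholders:

```ini
; Added example, not from this thread. Security Configuration Editor template
; that reapplies NTFS and registry ACLs for a hypothetical "LegacyApp".
; Apply (run as an administrator or from a computer startup script):
;   secedit /configure /db legacyapp.sdb /cfg legacyapp.inf /log legacyapp.log /areas FILESTORE REGKEYS
; Check for drift after a reboot (mismatches are listed in the log):
;   secedit /analyze /db legacyapp.sdb /cfg legacyapp.inf /log legacyapp.log
; If a domain GPO also sets these objects, the GPO wins at refresh time, so
; import the template into that GPO instead of applying it locally.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; Entry syntax: "object",mode,"SDDL descriptor"
;   mode 0 = propagate inheritable permissions to all subfolders/subkeys
;   mode 1 = replace existing permissions on all children with these
;   mode 2 = do not allow permissions on this object to be replaced
; SDDL: D:AR = DACL, auto-inherit required; each (A;OICI;<rights>;;;<sid>) is
;   an allow ACE inherited by files (OI) and folders (CI) for the trustee.
;   AU = Authenticated Users, BA = local Administrators, SY = SYSTEM.
;   0x1200a9 = read & execute (least privilege for program files);
;   FA = full access, granted only where the app actually writes.
[File Security]
"%ProgramFiles%\LegacyApp",0,"D:AR(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
"%ProgramFiles%\LegacyApp\Data",0,"D:AR(A;OICI;FA;;;AU)(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"

; Registry keys use CI (container inherit) and KA (key all access).
[Registry Keys]
"MACHINE\SOFTWARE\LegacyApp",0,"D:AR(A;CI;KA;;;AU)(A;CI;KA;;;BA)(A;CI;KA;;;SY)"
```

Running the analyze command after a reboot tells you whether something else (a policy or logon script) is rewriting the ACLs, which is the question the original post is really asking.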
The /e argument allows you to edit the ACL instead of replacing the existing permissions with your entry. Here /e and /E are interchangeable, as in most (but not all) MS command-line utilities as a consequence of smashing case.
The /E argument is ignored unless it is at the end of the line. This directly contradicts the documentation, which shows the option arguments preceding the file/path arguments.
Notwithstanding all of the above, the right way to permanently change the permissions is with a global policy.
Assembly is the reverse of disassembly.
Look at your local and domain policies.
I forget exactly where it is but, by default, domain computer policy on W2K (which you say you are running in another thread) specifies that permissions be reset on a number of directories.
Microsoft sells this for money? It wants us all to be using this? How is this a useful feature? Why is it designed this way? Why does an OS put obstacles like this in front of its users?
Stick Men
I agree with most at slashdot that your dilemma is confusing. Windows does not overwrite access rights, they are reserved. We will need more details to answer your exact problem.
But, if you are interested, in another solution, about 8-9 years ago I worked for a non-profit organization. To protect us from overusing licenses, I created batch files for people to run (instead of directly using the executable). The batch file would look in a boxoffice folder to see if there was a ticket available (e.g. wp51_001.tkt, wp51_002.tkt, etc) if it wasn't available, it would say "sorry not enough licenses available" & not allow the person to run the program. If it was available, it would copy the ticket over to an inuse folder & execute the program. When the user is finished, the program would copy the ticket file back. You could probably whip something up in a couple of hours. Most users will take the given icon to click on to run the program. The only downside is that if people cancel out the program then the ticket will still be listed in use when it is not. But that is easily resolved by copying the ticket back.
And who are we to argue?
Stick Men
You can use a batch file that runs when windows starts and use the CACLS command line to change permissions... I haven't used CACLS in like 6 months but if you just type it into CMD with no parameters you can get the usage; I don't remember it being super difficult.
Why not here? The fact that running XP realistically in a real-time environment is a major PITA may not be new news, but it's still news worthy. I'm in education and I have lost track of the number of software apps that XP killed on me. Who cares if they have a compatibility tool kit? Who has time for that?
The point is, the policies are ok if they are an option, note that not too many ppl used them in Win95/98. Now everyone is forced to use them. Mr Gates decided how everyone should run their business, school whatever, without really thinking out HOW we use them.
Elem school CDs - those little reader rabbits and what not - all dead! Half our databases needed tweaking. Sure, we have to wait for the software vendors to get up to speed with ms, takes months! In the meantime, you find a reasonable workaround, or you don't use it anymore.
Even something as fairly new and robust as a palm pilot - even the default XP built in ordinary users policies - the users can't install the palm software, requiring an admin to do something they should be able to do for themselves. But as an admin, you can't install an outlook policy for another user!!!!! What to do? We add the user as an admin to local machine, install the palm sw, put the user back to ordinary, log in as us and go to the palm folder, ensure "Authenticated Users" has full control of the palm folder (or minimum of Read/Exe - depends on if the app writes or not)- then everything works!!
We use Authenticated Users added to just about everything to get past our XP annoyances. In NT world it was "Everyone". I found that doesn't work so well. I have managed to add AU to just one file that a program has installed - and in a very weird one, I had to add it the shortcuts with full control - go figure XP - to get things working. I know one guy who allows full access to the C: Drive via group policy, but then hides the C: drive as another solution, but more pop ups that way. My way also doesn't stop most of those little pop-up and malicious web page trojans from coming through! The companies that write that garbage could care less about ms rules, I'm sure they do all they can to get around it.
I tried to install Quake 3 Gold on my XP Pro PC and even though the installation completed successfully, I couldn't get any updates or be able to update my Punkbuster installation because of a 'Default Behavior' on the primary partition.
Look up Microsoft KB article 326549 for a workaround:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;326549
From what I've read, this 'feature' was enabled due to more and more viruses installing themselves and propagating on systems that didn't have a 'read-only' tag on the system.
Personally, I think it's one of the dumber ideas for an operating system since there's not a workaround for power users of XP who know how to tweak their systems properly.
Dolemite
__________________
Save the World! Use a Quote!
To save wrestling with file permissions, why not convert/re-install Windows on a FAT32 partition instead of NTFS?
Because you only asked '3' questions, you can only have 1 significant digit of accuracy, thus you got '0' useful answers. Adding extra digits after the decimal point doesn't add accuracy, it just shows you didn't pay attention in high school science class.
Also, as mentioned here often, I believe 'anecdotes is not the plural of data'.
And given the HUGE deployment of windows 2000 and windows xp vs. the relatively minuscule deployment of its competitors, I'm willing to wager that the 'bugs' you filed in 'net use' were actually screwups on your end, and not product defects. And I'm also willing to wager that they are documented in the MSKB.
er..
Does that mean that most Microsoft problems would be solved if no one used them for anything? WTF can you do with a M$ OS without any "third party" application? Lookout without a spell check, MSIE? Sure, but by using those first party applications you will end up with a third party like Gator in no time. The other idea, removing the user, sounds much more productive. In support of your idea, I propose you move all of your users to a rational OS and spare yourself further drudgery.
I moved myself five years ago and life has been easier.
Friends don't help friends install M$ junk.
If you are changing the reg, won't you also have to turn off System Restore? (I hope you already tried this...)
make it a dating service. i am a 19 year old male linux user looking for a a nice woman to make.... code with.. lol
to be user friendly?
No wonder Microsoft is paying for jerkwads to write
books whose content will cause open sores on the author's complexion for the rest of his life.
'Course, it's his fuckup for taking the money for writing trash in the first place.
So much for simple