Permanently Changing Windows XP Security Settings?
pnutjam asks: "I have googled and perused several publications seeking an answer but I find no mention of this problem anywhere. I am running applications not designed for a multi-user environment on Windows XP. To allow standard users to run these applications I've modified permissions on files, folders, and registry keys. Whenever a computer with the modifications is rebooted, the permissions revert to their previous settings. It doesn't happen when the users log off, only when the computers are rebooted." When adjusting Windows XP to support such applications, how do you make permission changes so that they survive through a reboot?
BTW, I have a subtle feeling that the TCO savings you get with XP server are because it is designed to be a pig to manage without it.
What do you mean you already knew that......before the product was even beta'd????????
And if you thought that was boring you obviously haven't read my Journal ;-)
Hey, let's post an Ask Slashdot question asking about Windows XP security/settings, and fail to mention:
1) What application we're using that requires these settings.
2) What our user setup is like. Are the users in the "Users" group, or the "Administrators" group? Are they part of the local machine, or a networked setup of users?
3) Where this application is being installed to. Have we tried other locations? What permissions does it need?
4) What you are doing exactly to remove permissions; what users/groups?
Maybe with the details, we can provide a more proper answer. K thanks bye.
Not All Who Wander Are Lost
This isn't really a fix, but it is a way around your problem. Set up a script using WMI to change all your permissions, shares and registry entries. Place the script in the startup folder and forget about it.
Download the script samples and modify as necessary from:
http://www.microsoft.com/technet/community/scriptcenter/sampscr.mspx
machinator omnis sine licentia
GPO's are there for this purpose. If you can't afford licensing then I'd say you need to read up on VB scripting.
Don't get me wrong, I'm not saying you need to become a genius in it to do this stuff... but not knowing GPO's and VBS is like not knowing RC's and #!/bin/sh.
Create a login script to reapply the necessary security settings (WMI/VBScript) each time a user logs in. You might only need it every reboot, but the user has to log in after a reboot, so this approach should cover all the bases.
NO CARRIER
Likely changes are being made to permissions in the registry permissions on your machine due to security policy, which is implemented on the machine when it is turned on. You'll want to edit things that you want to change in the Control Panel, under Administrative Tools, in the icon that says "Local Security Policy" and I apologize for my compatriots who have been less than kind...
When I first read this ask-for-help I thought it was a linux guy having a troll.
I've modified permissions on files, folders, and registry keys. Whenever a computer with the modifications is rebooted, the permissions revert to their previous settings.
Windows does not alter ACL's (access control lists) on files or folders at boot time. It is possible that you or someone else has configured a startup process or logon script (under Win2X active directory, computers can have logon scripts) that repermissions folders or files. I suggest either a full audit of the logon process or a rebuild to a standard Windows (with latest patches, see www.windowsupdate.com).
Registry settings by default are not altered by the startup/shutdown process, but again there may be a group policy or logon script attached to the object in AD somehow that is launching a permissioning process, or inheriting a new registry hive, although this is exceedingly unlikely. Again, a complete rebuild would solve this.
If you do the rebuild and it does not help, check with your application support. From my 7 years of Windows drudgery and experience, 75% or more of "Windows" problems come from third party apps or PEBKACs.
If you're unwilling to do the build or the application support people can't help you, contact Microsoft. They're very expensive, but they are very good at what they do, despite what the Slashdot crowd would have you believe.
I am government man, come from the government. The government has sent me. -- G.I.R.
Group Policy Edit: GpEdit.msc. Enter that in Run... or in a DOS window.
The whole system is very sloppy and very poorly documented, in my experience.
I had the same problem -- I had a program that had to be installed by an Administrator, but I had to change the permissions on all the files for certain people and/or groups to use them. My app had to run on Windows XP and 2K.
I Googled and found out about a command named "cacls". It can be used from the command line to change all the permission settings on any files or folders to allow any users or groups to use it.
I'll leave it up to others to post more information on this, since I don't have the info in front of me and since this seems like too easy a question for Ask Slashdot (perhaps another Ask SlashGoogle?) -- unless I completely misunderstand the question.
Try asking this question at Experts Exchange. You'll find people there will be much more helpful with this issue.
For further clarification I am running an Active Directories domain with a Windows 2000 server. I am migrating my workstations from Windows 98 to XP.
The specific applications giving me problems are AutoCAD 2000 (support has been discontinued, owner won't upgrade), and a custom application that writes data to several folders I'd rather it didn't.
Cheap storage VM.
Those with experience know that if you have a difficult Microsoft technical support question, it is better to ask the Psychic Friends Network. They don't know the answer either, but they are more friendly and less expensive.
I've asked 3 questions of MS Tech support recently, and got 0.00 useful answers. For anyone who would like more accuracy in that number, it was 0.00000000000 useful answers.
Microsoft technical support people not only cannot answer your question, but they are prevented by the Microsoft management hierarchy from communicating with anyone who would know the answer.
Also, permissions policy in NTFS has some bugs, apparently. (Mentioned by someone else, earlier. I've encountered quirkiness, also.) There is at least one policy setting in Windows XP that says, "Only works in Windows 2000".
Often a commercial company will not tell the truth about bugs. That's why I like Open Source people. They are honest about bugs. I reported 3 bugs in the NET USE command in Windows XP, and Microsoft Technical Support refused to do anything about it. Too much paperwork to report bugs, I guess.
More help. The documents are a mess, with contradictory statements and errors, and scattered information. Supposedly, all of these documents apply to Windows XP. At least that's what I was told by MS tech. support.
Introduction to Windows 2000 Group Policy
Understanding Group Policies on Windows Server 2003
Windows XP Group Policies
325388 Support WebCast: Windows 2000: Group Policy
298444 A Description of the Group Policy Update Utility
start => run => mmc
file => add snap-in
add => security templates
set your file / registry / services info in the template. save it as .inf
then apply the template
secedit /configure /cfg myfile.inf /db myfile.sdb /log myfile.log
that will compile the inf into a sdb [security db], and apply it. any result will be written to the log. by convention...
sdb location: %windir%\security\Database
logs: %windir%\security\logs
inf: %windir%\security\templates
...where "%windir%" is the windows install dir... i.e. C:\windows or C:\winnt
bonus: the template [myfile.inf] can then be copied and applied to any other win2k+ workstation
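A security template of the kind the post above describes, written by hand instead of through the MMC snap-in. This is an added example, not part of the original post; the folder and registry paths are hypothetical placeholders, and the comments describe the standard template entry format.

```ini
; Constructed example security template (myfile.inf). The folder and registry
; paths below are hypothetical placeholders, not values from the thread.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[File Security]
; Entry format: "path",mode,"SDDL"
;   mode 0 = set this ACL and propagate inheritable entries to children
;   mode 1 = do not allow permissions on this object to be replaced
;   mode 2 = replace permissions on all children with inheritable ones
; The DACL on the object is rewritten, so Administrators (BA) and SYSTEM (SY)
; are listed explicitly. 0x1301bf is the Modify access mask: Users (BU) get
; Modify on the one folder the application writes to, and nothing wider.
"%SystemDrive%\ExampleApp\Data",0,"D:AR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;BU)"

[Registry Keys]
; Same entry format. 0x2001f = KEY_READ | KEY_WRITE for Users on the
; application's own key only; KA = full control for BA and SY.
"MACHINE\SOFTWARE\ExampleVendor\ExampleApp",0,"D:AR(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;0x2001f;;;BU)"
```

Apply it with the secedit /configure command from the post and check the log for entries that failed. On a domain-joined workstation, a Group Policy object that defines permissions for the same paths is reapplied at computer startup and overrides a locally applied template, so the same entries belong in that policy's File System and Registry security settings.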
You may also want to check out this MS article about creating junction points. It's the "proper" way to link directories, but don't try anything too complicated or you will just screw up NTFS. By complicated I mean trying to link different sub-directories inside linked directories.
While you're at MS, take a close look at LinkD on the 2K Resource Kit. That may be just the ticket for making that custom app run from a server or from a different directory. If you don't have the ResKit, you can grab LinkD and other tools from the free offerings from the ResKit. I've used it inside a batch file wrapper for ornery custom apps that clients insist on. Be sure to have the batch file un-link the directory at the end or un-link it if it exists at startup. NTFS doesn't like to have a bunch of these around or mangled. Here's the LinkD syntax:
A tool to be careful with, but a handy one.
US Democracy: The best person for the job (among These pre-selected choices...)
You can use a batch file that runs when Windows starts and use the CACLS command line to change permissions... I haven't used CACLS in like 6 months but if you just type it into CMD with no parameters you can get the usage; I don't remember it being super difficult.