Posted by Roger Abell [MVP] on March 8, 2007, 10:23 am
1) Use secedit to apply a template
To form the template, when you save it from the templates snap-in
there will be a dacl and sacl, but you may use a text editor to remove
the dacl (D part) so that the template will apply only the sacl

2) Get xcacls.vbs (note: .vbs) from microsoft.com/downloads
This only handles DACLs, but the syntax is effectively the same
so this exemplifies everything you can do to a dacl, and you only
need to alter code sampled from it slightly to target sacls instead

3) IIRC SetAcl obtainable at sourceforge.net can manipulate sacls

I do agree with the difficulties you mention when forming a filesystem
lockdown due to the way MS has shipped the dacl'ing on Windows.
However, IIRC the sacl'ing inheritance is separate from that for the dacl
(it is in the dacl or sacl, not in the header part of the sd).

> Is it possible to set up auditing on files from the command line? Our
> installation of W2k3 server is all scripted, but we can't seem to get
> the auditing to set properly. We can get it to set on C and some of
> the subdirectories by telling the template to pass the audit setting
> down to all inherited, but for whatever reason MS decided to really
> break up the inheritance in several other directories (like D&S,
> Program files and especially Windows)
>
> Thanks!
> Mike
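
The text-editor step from option 1 can be scripted. The following is an added example, not part of the original post: it strips the D: component from each [File Security] entry of a saved template so only the S: (audit) part remains. The `"path",mode,"SDDL"` entry layout, the function names and the sample template are assumptions made for illustration; reading and writing the template file is left to the caller.

```python
import re

# Assumed layout of a [File Security] entry: "path",mode,"SDDL"
ENTRY = re.compile(r'^"(?P<path>[^"]*)",(?P<mode>\d+),"(?P<sddl>[^"]*)"\s*$')

def split_sddl(sddl):
    """Split SDDL into O:, G:, D:, S: parts; markers only count outside ACEs."""
    parts, current, depth, i = {}, None, 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            current, i = ch, i + 2
            parts[current] = ""
            continue
        if current is None:
            raise ValueError("not an SDDL string: %r" % sddl)
        depth += (ch == "(") - (ch == ")")  # track whether we are inside an ACE
        parts[current] += ch
        i += 1
    return parts

def sacl_only(sddl):
    """Drop the D: component; refuse descriptors that carry no SACL."""
    parts = split_sddl(sddl)
    if "S" not in parts:
        raise ValueError("descriptor has no S: part: %r" % sddl)
    return "".join("%s:%s" % (k, parts[k]) for k in "OGS" if k in parts)

def audit_only_template(text):
    """Rewrite every [File Security] entry so only its SACL remains."""
    out, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        m = ENTRY.match(stripped) if section == "file security" else None
        if m:
            line = '"%s",%s,"%s"' % (m["path"], m["mode"], sacl_only(m["sddl"]))
        out.append(line)
    return "\n".join(out)

# Constructed sample template, not taken from a real system
SAMPLE = r'''[Version]
signature="$CHICAGO$"
[File Security]
"%SystemDrive%\",0,"D:AR(A;OICI;FA;;;BA)(A;OICI;GRGX;;;BU)S:AR(AU;OICISAFA;FA;;;WD)"
"%ProgramFiles%",0,"D:PAR(A;OICI;FA;;;BA)S:AR(AU;OICIFA;DCLCSDWDWO;;;WD)"
'''
print(audit_only_template(SAMPLE))
```

An entry with no S: part raises an error rather than passing through, so a DACL is never applied by accident from a template meant to carry audit settings only.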