Click here to get back home

c:\ drive permissions
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
c:\ drive permissions Nathan 06-23-2005
Posted by Nathan on June 23, 2005, 5:10 pm
Please log in for more thread options
 The Desktop team in our department has been deploying PC's with the C:\
drive
permissions changed. They thought it would be convenient for the user if
everyone had full control of the entire c:\ drive.
I now need to return the c:\ drive permissions back to winxp standard. If I
go the advances security tab for the c:\ drive and edit the permissions for
the "everyone" group and change the "Everyone" permission to:
Traverse Folder / Execute File
List folder / Read Data
Read Attributes
Read Extended Attributes
Read Permissions
I then Select "This Folder Only" in the "Apply onto" drop down menu.
Now the sub directories now longer inherit the "everyone" group permissions.

Since I need this done on several hundred PC's I have been testing
subinacl.exe
I ran the following command on a fresh winxp install to get a backup of the
default c:\ drive permissions:
subinacl /noverbose /output=c:\aclbackups.txt /file c:\

I then ran "subinacl /playfile c:\aclbackups.txt" on a PC that had the c:\
permissions changed.
The command changed the c:\ permissions back to base winxp c:\ drive
permissions but the sub folders still had inherited the "everyone" group
full
control. On the advanced permissions tab of a sub directory the "Inherited
From" section showed "Parent Object" instead of "C:\"

Any ideas on how I can change the C:\ drive and sub directories back to
winxp base permissions would be greatly appreciated.
Thanks
Nathan





Posted by Steven L Umbach on June 24, 2005, 12:02 am
Please log in for more thread options
 Try using Group Policy to apply the rootsec.inf security template to those
computers via Group Policy. However do NOT do this at the domain level but
instead move the computers into an OU, even if just temporarily, to do such.
Create a test OU with such Group Policy linked to it and move a few
computers into it to see if it works as expected. Reboot the computers or
use gpupdate to speed up the application of that Group Policy. If you do
roll it out, remove or unlink that GPO that has the rootsec.inf template
imported into it after all the computers have been updated so that the
computers will not be refreshing those ntfs settings as once they are
applied then they will stay unless modified by another GPO or
nually. --- Steve


> The Desktop team in our department has been deploying PC's with the C:\
> drive
> permissions changed. They thought it would be convenient for the user if
> everyone had full control of the entire c:\ drive.
> I now need to return the c:\ drive permissions back to winxp standard. If
> I
> go the advances security tab for the c:\ drive and edit the permissions
> for
> the "everyone" group and change the "Everyone" permission to:
> Traverse Folder / Execute File
> List folder / Read Data
> Read Attributes
> Read Extended Attributes
> Read Permissions
> I then Select "This Folder Only" in the "Apply onto" drop down menu.
> Now the sub directories now longer inherit the "everyone" group
> permissions.
>
> Since I need this done on several hundred PC's I have been testing
> subinacl.exe
> I ran the following command on a fresh winxp install to get a backup of
> the
> default c:\ drive permissions:
> subinacl /noverbose /output=c:\aclbackups.txt /file c:\
>
> I then ran "subinacl /playfile c:\aclbackups.txt" on a PC that had the c:\
> permissions changed.
> The command changed the c:\ permissions back to base winxp c:\ drive
> permissions but the sub folders still had inherited the "everyone" group
> full
> control. On the advanced permissions tab of a sub directory the "Inherited
> From" section showed "Parent Object" instead of "C:\"
>
> Any ideas on how I can change the C:\ drive and sub directories back to
> winxp base permissions would be greatly appreciated.
> Thanks
> Nathan
>
>
>




Posted by Roger Abell [MVP] on June 24, 2005, 11:34 pm
Please log in for more thread options
I really, really hope you have found someone to whom they can relate
that is willing to tell them what a very, totally dumb idea that was.

The default permissions on XP are highly varied, and are best rest by
application of a template used in install, either as Steve points out or
the filesystem section of "setup security.inf" or even defaultwk.inf.

What you will need to address is why they found the path of least effort
(grant Everyone Full) needed. This is likely because they were having
problems with some applications running with the default NFTS settings.
Oftern adjustment so Users group will have change on the application's
installation folder is sufficient, while at others one also must adjust the
applications keys in the registry (and sometimes other deltas need to
be used)

While I referred to it as a really dumb idea, it is in fact just making
XP NTFS act like the client machines were still Win9x, so it is not
as though they had been without example.

--
Roger Abell
Microsoft MVP (Windows Server: Security)
MCDBA, MCSE W2k3+W2k+Nt4
> The Desktop team in our department has been deploying PC's with the C:\
> drive
> permissions changed. They thought it would be convenient for the user if
> everyone had full control of the entire c:\ drive.
> I now need to return the c:\ drive permissions back to winxp standard. If
> I
> go the advances security tab for the c:\ drive and edit the permissions
> for
> the "everyone" group and change the "Everyone" permission to:
> Traverse Folder / Execute File
> List folder / Read Data
> Read Attributes
> Read Extended Attributes
> Read Permissions
> I then Select "This Folder Only" in the "Apply onto" drop down menu.
> Now the sub directories now longer inherit the "everyone" group
> permissions.
>
> Since I need this done on several hundred PC's I have been testing
> subinacl.exe
> I ran the following command on a fresh winxp install to get a backup of
> the
> default c:\ drive permissions:
> subinacl /noverbose /output=c:\aclbackups.txt /file c:\
>
> I then ran "subinacl /playfile c:\aclbackups.txt" on a PC that had the c:\
> permissions changed.
> The command changed the c:\ permissions back to base winxp c:\ drive
> permissions but the sub folders still had inherited the "everyone" group
> full
> control. On the advanced permissions tab of a sub directory the "Inherited
> From" section showed "Parent Object" instead of "C:\"
>
> Any ideas on how I can change the C:\ drive and sub directories back to
> winxp base permissions would be greatly appreciated.
> Thanks
> Nathan
>
>
>




Similar ThreadsPosted
Windows 2003 Shared Drive Permissions October 9, 2007, 7:14 am
Shared drive VS Security September 19, 2005, 4:22 pm
hide administrative drive November 1, 2005, 11:00 pm
Deny install on c:\ drive December 10, 2005, 4:43 pm
Can't run 16 bit app from network drive in W2003 SP1 January 30, 2006, 5:09 pm
Drive Access Restriction April 20, 2006, 12:33 am
Drive access to particular user December 3, 2006, 7:54 am
CDROM Drive access denied October 31, 2005, 10:40 am
Not able to view secondary hard drive January 11, 2006, 9:53 am
Secrity applications that run on USB flash drive April 29, 2006, 11:06 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap