Automating file permission amendments?

BertieBigBollox

Trying to lock down a Windows 2000 Server machine so that the end user
does not have access to certain facilities (e.g. regedit).

Unfortunately, we've tried deleting the files in question, but Windows
File Protection replaces them. On SP4, it's also a little difficult to
disable this.

So, another idea is to change the permissions on the files so that only
admin has access (end user does not have admin access). Will this work?
Or will WFP change the access rights back as well?

If we can do this, is there any way to automate setting, say, 20 files
to these permissions without having to manually change the permissions
individually? Like a batch file or something? (Got lots of machines to
do).
 
Windows File Protection runs most likely under the System account,
hence if you include this account in your permissions you won't
cause a problem.

@echo off
cacls %SystemRoot%\system32\regedit.exe /e /r "domain users" /d SomeUser /g system:F
cacls %SystemRoot%\system32\eventvwr.exe /e /r "domain users" /d SomeUser /g system:F
etc.

You have to check your current permissions to come up with
the correct switches. When you get it right, run the batch file
from your own machine, using psexec.exe (www.sysinternals.com).
 
Pegasus said:
Windows File Protection runs most likely under the System account,
hence if you include this account in your permissions you won't
cause a problem.

@echo off
cacls %SystemRoot%\system32\regedit.exe /e /r "domain users" /d SomeUser /g system:F
cacls %SystemRoot%\system32\eventvwr.exe /e /r "domain users" /d SomeUser /g system:F
etc.

You have to check your current permissions to come up with
the correct switches. When you get it right, run the batch file
from your own machine, using psexec.exe (www.sysinternals.com).

Thanks for the help.

Could I use :-

cacls <filename> /d <groupname>

or do I have to specify exact user name?

Can you use wildcards to specify ALL users?
 
You can use user names or group names.
Wildcards are not acceptable.
"Everyone" is a valid group.
 
Thanks once again.

So could I deny "Everyone" access and then explicitly grant access to a
user called "admin" (or by denying everyone I'd lose the right to
change permissions for all users including admin?)
 
Denying access to "everyone" is not a good idea, for
the reasons you mention. You can actually recover
from this situation by seizing ownership of the folder.
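
A list-driven form of the batch file discussed in this thread, as an added example that is not part of any poster's reply. It assumes a hypothetical lockdown.txt beside the script with one full file path per line, a hypothetical lockdown.log for output, and that the group to remove is the local Users group; check each against the ACLs that "cacls <file>" actually reports before running it.

```batch
@echo off
rem Added example, not code from the thread.
rem Assumed names: lockdown.txt, lockdown.log and REVOKE_GROUP below.
setlocal
set LIST=%~dp0lockdown.txt
set LOG=%~dp0lockdown.log
set REVOKE_GROUP=Users

if not exist "%LIST%" (
    echo List file "%LIST%" not found.
    exit /b 1
)

rem lockdown.txt holds one full path per line, for example
rem   C:\WINNT\system32\eventvwr.exe    (constructed sample)
for /f "usebackq delims=" %%F in ("%LIST%") do call :lockdown "%%F"
endlocal
goto :eof

:lockdown
if not exist %1 (
    echo SKIP    %~1 not found>> "%LOG%"
    goto :eof
)
rem Record the ACL before the change so it can be compared or restored by hand.
echo BEFORE  %~1>> "%LOG%"
cacls %1 >> "%LOG%"
rem /e edits the existing ACL instead of replacing it.
rem /r removes the end-user group's entry rather than adding a deny entry,
rem so no deny on Everyone is created and administrators keep control.
rem /g keeps SYSTEM (the account Windows File Protection is expected to use)
rem and Administrators at Full control.
cacls %1 /e /r "%REVOKE_GROUP%" /g SYSTEM:F Administrators:F >> "%LOG%"
rem Record the ACL after the change for review.
echo AFTER   %~1>> "%LOG%"
cacls %1 >> "%LOG%"
goto :eof
```

The BEFORE and AFTER entries in the log show, per file, whether the group entry was actually removed, which is the check to make on one machine before pushing the script to the rest with psexec.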
 