Permanently Changing Windows XP Security Settings?
pnutjam asks: "I have googled and perused several publications seeking an answer but I find no mention of this problem anywhere. I am running applications not designed for a multi-user environment on Windows XP. To allow standard users to run these applications I've modified permissions on files, folders, and registry keys. Whenever a computer with the modifications is rebooted, the permissions revert to their previous settings. It doesn't happen when the users log off, only when the computers are rebooted." When adjusting Windows XP to support such applications, how do you make permission changes so that they survive through a reboot?
Re:No no no no! (Score:5, Insightful)
Not all computer "nerds" run linux/bsd/etc and probably don't want to. Flame me away, but this is a technical news forum with a slant against anything microsoft/anti-gpl etc.
People, grow up and just comment if you can help. I'm not a microsoft fanboy, but this ignorance, aggression and non-acceptance is really counterproductive for the "community" you people aspire to have in life.
Re:No no no no! (Score:2, Offtopic)
Re:No no no no! (Score:4, Funny)
"Today's Slashdot story was, without a doubt, the worst submission ever. Rest assured that I was on the Internet within minutes, registering my disgust throughout the world. As a loyal reader, I feel Slashdot owes me."
You ask this question here? (Score:5, Insightful)
Re:You ask this question here? (Score:4, Funny)
What this person is really asking is, "How do I circumvent the unreasonable policies of the unwashed Microsoft conscripts that have taken over all of the Intel hardware?" He further pleads, "I want to be liberated. But I must be careful. If I outright revolt, if I install OpenBSD, they will send me to a re-education camp." Which is located at the Unemployment Centre. "I could sneak in Cygwin [cygwin.com], remain below the radar, boost my productivity, get promoted, and finally TAKE OVER THE WHOLE OF IT! BWAAAHA HA HA HA!"
Sorry, got lost in the moment.
Authenticated Users (Score:2)
Why not here? The fact that running XP realistically in a real-time environment is a major PITA may not be new news, but it's still newsworthy. I'm in education and I have lost track of the number of software apps that XP killed on me. Who cares if they have a compatibility tool kit? Who has time for that?
The point is, the policies are ok if they are an option, note that not too many ppl used them in Win95/98. Now everyone is forced to use them. Mr. Gates decided how everyone should run their busines
Re:Authenticated Users (Score:1)
It wasn't news, despite what you think. A knowledge base article, yes, but not news.
Re:Authenticated Users (Score:2)
This ain't "News from Slashdot", it's "Ask Slashdot". If you have no interest in the question being asked, go look at something else.
Re:I'll say it.... (Score:3, Funny)
All you need is ........ (Score:3, Informative)
BTW, I have a subtle feeling that the TCO savings you get with XP server are because it is designed to be a pig to manage without it.
What do you mean you already knew that......before the product was even beta'd????????
Re:All you need is ........ (Score:2)
Are you sure you have Local Admin Rights? (Score:2, Interesting)
Failing that, I'd have to examine your source, perhaps you aren't actually persisting the ADSI object properly to save to the Active Direc
Say what? (Score:2)
Upon rebooting, file permissions would be reset from the Active Directory database- and I'd expect exactly this kind of behavior.
Uhh, just exactly when did Microsoft move file system rights out of NTFS and into Active Directory?
If that's true, then boy, do I feel like Rip Van Winkle...
Re:Say what? (Score:2)
Yikes! (Score:2)
Group Policy allows you to override permissions onto NTFS objects, registry keys, and even Active Directory objects. GPOs are stored in Active Directory.
Yikes! When did that come out? Is it stable?
I know that Novell has always resisted the temptation to move file permissions out of the NetWare file system and into Novell Directory Services simply because the file system permission structure is so massive and would bog down the directory tremendously. [You usually get just a single file system volume ob
local group policy (Score:2)
I think he is speaking of local group policy, which does not require Active Directory, but can use it for policy enforcement.
I believe AD just maintains a database of policies available on local machines.
Re:local group policy (Score:2)
Re:Yikes! (Score:2)
For instance, a common policy is to have %SYSTEMROOT% (e.g., C:\WINDOWS) set to be accessible only by the administrators of the machine (as well as SYSTEM, NETWORK SERVICE, and other pseudo-accounts). In the group policy editor, you specify that one entry, specify that it is inheritable and should rep
Re:Are you sure you have Local Admin Rights? (Score:4, Insightful)
And we have people who check stories for appropriateness for the site. They're called editors, and they all work with (or are) the folks who originally made the site.
Re:Are you sure you have Local Admin Rights? (Score:1)
Re:Are you sure you have Local Admin Rights? (Score:2)
uh... (Score:5, Funny)
oh wait..
Microsoft Tech Support. (Score:5, Funny)
Re:Microsoft Tech Support. (Score:3, Insightful)
Why's this funny? He's got a problem with software that cost a great deal of money, why the hell SHOULDN'T he call tech support? Seems like the first thing he should have done...
Re:Microsoft Tech Support. (Score:4, Funny)
Why's this funny? He's got a problem with software that cost a great deal of money, why the hell SHOULDN'T he call tech support? Seems like the first thing he should have done...
LOL! STOP! You're killing me!!!!
Better to call Psychic Friends Network (Score:5, Informative)
Those with experience know that if you have a difficult Microsoft technical support question, it is better to ask the Psychic Friends Network [karmak.org]. They don't know the answer either, but they are more friendly and less expensive.
I've asked 3 questions of MS Tech support recently, and got 0.00 useful answers. For anyone who would like more accuracy in that number, it was 0.00000000000 useful answers.
Microsoft technical support people not only cannot answer your question, but they are prevented by the Microsoft management hierarchy from communicating with anyone who would know the answer.
Also, permissions policy in NTFS has some bugs, apparently. (Mentioned by someone else, earlier. I've encountered quirkiness, also.) There is at least one policy setting in Windows XP that says, "Only works in Windows 2000".
Often a commercial company will not tell the truth about bugs. That's why I like Open Source people. They are honest about bugs. I reported 3 bugs in the NET USE command in Windows XP, and Microsoft Technical Support refused to do anything about it. Too much paperwork to report bugs, I guess.
Go back to school. (Score:2)
Also, as mentioned here often, I believe 'anecdotes is not the plural of data'.
And given the HUGE deployment of Windows 2000 and Windows XP vs. the relatively minuscule deployment of its competitors, I'm willing to wager that the 'bugs' you filed in 'n
Re:Go back to school. (Score:2)
Why would his alleged screwups be in MacroShaft's KnowledgeBase? Boy, talk about covering your bets!
= 9J =
Domain (Score:2)
Done and done.
Re:Domain (Score:3, Informative)
The specific applications giving me problems are AutoCAD 2000 (support has been discontinued, owner won't upgrade), and a custom application that writes data to several folders I'd rather it didn't.
Re:Domain (Score:5, Informative)
You may also want to check out this [microsoft.com] MS article about creating junction points. It's the "proper" way to link directories, but don't try anything too complicated or you will just screw up NTFS. By complicated I mean trying to link different sub-directories inside linked directories.
While you're at MS, take a close look at LinkD on the 2K Resource Kit. That may be just the ticket for making that custom app run from a server or from a different directory. If you don't have the ResKit, you can grab LinkD and other tools from the free offerings from the ResKit [microsoft.com]. I've used it inside a batch file wrapper for ornery custom apps that clients insist on. Be sure to have the batch file un-link the directory at the end or un-link it if it exists at startup. NTFS doesn't like to have a bunch of these around or mangled. Here's the LinkD syntax:
A tool to be careful with, but a handy one.
Re:Domain (Score:1)
Mr. Obscure! (Score:5, Informative)
1) What application we're using that requires these settings.
2) What our user setup is like. Are the users in the "Users" group, or the "Administrators" group? Are they part of the local machine, or a networked setup of users?
3) Where this application is being installed to. Have we tried other locations? What permissions does it need?
4) What you are doing exactly to remove permissions; what users/groups?
Maybe with the details, we can provide a more proper answer. K thanks bye.
Re:Mr. Obscure! (Score:3, Interesting)
Maybe that helps... In which case he got what he came looking for no matter how lame we think his question may have been. Maybe we should cut some
Re:Mr. Obscure! (Score:3, Insightful)
Tried it both ways. I like OSS as much as anybody on slashdot, right now, MS is what feeds the kids.
Re:Mr. Obscure! (Score:2, Insightful)
Would you actually be capable of answering his question if you had this information, or are you just posing a position to be 'helpful' to those that really can?
Use WMI (Score:3, Informative)
Download the script samples and modify as necessary from:
http://www.microsoft.com/technet/community
Policy Objects (Score:4, Informative)
Don't get me wrong, I'm not saying you need to become a genius in it to do this stuff... but not knowing GPO's and VBS is like not knowing RC's and #!/bin/sh.
Login script (Score:2, Informative)
Re:Login script (Score:2)
VMWare (Score:3, Interesting)
In case you don't know, it will allow you to run a completely virtual machine. You can run Linux, 98, NT, XP, whatever you want, even simultaneously. The nice thing is that you can even take a snapshot and easily restore the whole system to the exact point when you saved it. You can even take a snapshot of a booted system, and when you restore it, it'll already be booted.
Example: Netifice + Cisco VPN on XP does this (Score:1)
The company I work for uses Netifice as its VPN provider and when you install Netifice SmartWorX on Windows XP Pro it disables the friendly welcome screen and fast user switching. If you try and re-enable this stuff it says the Cisco VPN service is preventing this from being changed. The checkbox that lets you select whether or not users have to use Ctrl-Alt-Delete to logon to the PC is checked and greyed out so the choice cannot be toggled.
Wish I could tell you more than that. It's a start I guess.
An ACTUAL Answer to your question (Score:5, Informative)
Group Policy Edit: GpEdit.msc. (Score:3, Informative)
Group Policy Edit: GpEdit.msc. Enter that in Run... or in a DOS window.
The whole system is very sloppy and very poorly documented, in my experience.
Xcacls.vbs (Score:2)
Also, check out 825751 - HOW TO: Use Xcacls.vbs to Modify NTFS Permissions [microsoft.com]. Works from a command line, and can run at startup.
But, only the old version, Xcacls.exe, is freely available. It is necessary to contact MS Technical Support for the latest version. If you get it, send it to me:
jennings_michael AT Hotmail DOT com
Sometimes MS requires you to have an "MS Passport" to get technical support, so that is the address I use. Hotmail is, however, a cesspool of unwanted email, so I don't usually us
More help: (Score:3, Informative)
More help. The documents are a mess, with contradictory statements and errors, and scattered information. Supposedly, all of these documents apply to Windows XP. At least that's what I was told by MS tech. support.
Introduction to Windows 2000 Group Policy [microsoft.com]
Understanding Group Policies on Windows Server 2003 [microsoft.com]
Windows XP Group Policies [microsoft.com]
325388 Support WebCast: Windows 2000: Group Policy [microsoft.com]
298444 A Description of the Group Policy Update Utility [microsoft.com]
XCACLS bug & documentation error (Score:2)
This directly contradicts the documentation, which shows the option arguments preceding the file/path arguments.
The
Notwithstanding all of the above, the right way to permanently change the permissions is with a global policy.
Something is wrong here. (Score:5, Informative)
I've modified permissions on files, folders, and registry keys. Whenever a computer with the modifications is rebooted, the permissions revert to their previous settings.
Windows does not alter ACL's (access control lists) on files or folders at boot time. It is possible that you or someone else has configured a startup process or logon script (under Win2X active directory, computers can have logon scripts) that repermissions folders or files. I suggest either a full audit of the logon process or a rebuild to a standard windows (with latest patches, see www.windowsupdate.com).
Registry settings by default are not altered by the startup/shutdown process, but again there may be a group policy or logon script attached to the object in AD somehow that is launching a permissioning process, or inheriting a new registry hive, although this is exceedingly unlikely. Again, a complete rebuild would solve this.
If you do the rebuild and it does not help, check with your application support. From my 7 years of Windows drudgery and experience, 75% or more of "Windows" problems come from third party apps or PEBKACs.
If you're unwilling to do the build or the application support people can't help you, contact Microsoft. They're very expensive, but they are very good at what they do, despite what the Slashdot crowd would have you believe.
Re:Something is wrong here. (Score:3, Informative)
Another possible scenario is that the NTUSER.DAT file which stores the user's policy is renamed to NTUSER.MAN. The user can change anything in the registry, but on reboot it will r
Re:Something is wrong here. (Score:2)
A mandatory profile would explain registry ACL's resetting if the keys are in HKCU, but I don't see how that would affect HKLM or similar keys, and I sure don't see how it could affect file ACL's.
Either way a clean rebuild would fix this problem, isolating the machine from the Domain would also work (using a local acco
third party, what a laugh. (Score:2)
Does that mean that most Microsoft problems would be solved if no one used them for anything? WTF can you do with a M$ OS without any "third party" application? Lookout without a spell check, MSIE? Sure, but by using those first party applications you will end up with a third party like Gator in no time
I Had The Same Problem - Google Helped (Score:3, Informative)
I Googled and found out about a command named "cacls". It can be used from the command line to change all the permission settings on any files or folders to allow any users or groups to use it.
I'll leave it up to others to post more information on this, since I don't have the info in front of me and since this seems like too easy a question for Ask Slashdot (perhaps another Ask SlashGoogle?) -- unless I completely misunderstand the question.
experts exchange (Score:3, Informative)
Deep Freeze (Score:1)
Turn off "simple file sharing" (Score:1)
I haven't tested this claim though, this is just a suggestion.
use security templates (Score:4, Informative)
file => add snap-in
add => security templates
set your file / registry / services info in the template. save it as
then apply the template
secedit
that will compile the inf into a sdb [security db], and apply it. any result will be written to the log. by convention...
sdb location:
%windir%\security\Database
logs:
%windir%\security\logs
inf:
%windir%\security\templates
bonus: the template [myfile.inf] can then be copied and applied to any other win2k+ workstation
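A security template of the kind this comment describes, as an added example that is not part of the original post. The file name `legacyapp.inf`, the folder `%SystemDrive%\LegacyApp` and the registry key are placeholders assumed for illustration; the `secedit` switches shown in the comments are the tool's standard `/configure` and `/analyze` options.

```ini
; legacyapp.inf -- constructed example template; the file name, folder and
; registry key below are placeholders, not values from the thread.
;
; Apply once from an administrator command prompt:
;   secedit /configure /db %windir%\security\Database\legacyapp.sdb ^
;           /cfg %windir%\security\templates\legacyapp.inf ^
;           /areas FILESTORE REGKEYS ^
;           /log %windir%\security\logs\legacyapp.log
; Check for drift after a reboot (differences are written to the log):
;   secedit /analyze /db %windir%\security\Database\legacyapp.sdb ^
;           /log %windir%\security\logs\legacyapp-check.log

[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; Entry format: "path",mode,"SDDL"
;   mode 0 = set this object and propagate inheritable ACEs to children
;   mode 1 = leave this object alone (block replacement from a parent entry)
;   mode 2 = replace the ACLs on all children with the inherited ones
; SDDL used here: D:P = protected DACL (no inheritance from the parent);
;   BA = Administrators, SY = SYSTEM, BU = Users; GA = full control;
;   GRGX = read and execute; GRGWGXSD = read, write, execute, delete.

[File Security]
; Users may modify only the data folder; the program folder stays read/execute.
"%SystemDrive%\LegacyApp",0,"D:P(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GRGX;;;BU)"
"%SystemDrive%\LegacyApp\Data",0,"D:P(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GRGWGXSD;;;BU)"

[Registry Keys]
; Users may write only to the application's own key under HKLM.
"MACHINE\SOFTWARE\LegacyVendor\LegacyApp",0,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GRGW;;;BU)"
```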
Re:use security templates (Score:1)
1) GPOs require domain auth, and are applied each time the user logs on to the domain [except for cached logons]
2) GPOs require the server to push down what amounts to a similar inf, which is then applied at each logon [applying once saves you the CPU cycles]
3) the changes are once-set... i.e. apply the security template once, and you have those settings. apply another sec temp, or a GPO, which contradicts them, and the
Blimey?! (Score:1, Flamebait)
Ticket & Stub solution (Score:1)
But, if you are interested in another solution, about 8-9 years ago I worked for a non-profit organization. To protect us from overusing licenses, I created batch files for people to run (instead of directly using the executable). The batch file would look in a boxoffice folder to see if there was a ticket available (e.g. wp51_
Bill Says (Score:2)
And who are we to argue?
batch file (Score:2, Informative)
I've run into this problem. (Score:2)
Look up Microsoft KB article 326549 for a workaround.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;326549
From what I've read, this 'feature' was enabled due to more and more viruses installing themselves and propagating on systems that didn't have a 'read-only
Maybe Too Simple (Score:1)
wait? (Score:1)
hey if this is a microsoft service why not also... (Score:1)