
Lock permissions, group membership

Hi All,

I am packaging an application where I need only the users in the APPGROUP to see the shortcut, folder etc. So if I, not a member of the group, log in, I will only see an empty folder where the shortcut should be. However, if I am a member of the APPGROUP, then when I log in I will see the shortcut etc.

I have done this in the past, however I can't remember exactly how!

I have created the property APPGROUP and put the group name in there. Then I went to the LockPermissions table and entered the following entries:

LockObject - Microsoft Visio (name of folder containing shortcut)
Table - Directory
Domain - IM
User - [APPGROUP] (anything wrong with brackets?)
Permission - 1180073

Repeat entry for Admin as user with 268435456 as permission value.

For the Install Directory the entries are the same except the Table entry is Create Folder and lock object name.

I am missing something but not sure what it is! Any ideas anyone?

Thanks in advance


Answers (4)

Posted by: anonymous_9363 16 years ago
Red Belt
0
FWIW, I think it's probably the most widely-accepted view that the LockPermissions table is to be avoided, as its behaviour is to replace rather than add permissions, meaning you have to add every account which needs access, rather than just the one you want to permission explicitly. Most people use command-line tools like SetACL, SubInACL, XCACLS, etc. or scripted calls to their ActiveX counterparts.

Coming to your query:

LockObject - This needs to be the directory name as it appears in the 'Directory' field of the 'Directory' table
Table - Directory - yup
Domain - go with [%USERDOMAIN] rather than hard-coded name
User - [APPGROUP] (anything wrong with brackets?) Provided APPGROUP is a defined property (and includes the domain name!), nothing wrong with what you have here. Don't forget ALL the other accounts you need to add, e.g. local 'Administrators', presumably 'Domain Admins', too
Permission - 1180073 Uggghhhh...can't remember. I'm sure you must have a copy of WINNT.H somewhere, from which you can determine the correct data required. Another reason to avoid using the table...:)
Posted by: oreillyr 16 years ago
Fifth Degree Brown Belt
0
Thanks for your input VBScab.

LockObject is exactly as it appears in Directory field.
Am testing on local machine first so no need for Domain?
Have removed the defined property and added actual group name, power users and administrators, think that's all 'necessary'?
Permission value may be the issue but unfortunately I don't have a copy of winnt.h anywhere and this place is more locked down than Fort Knox so won't be downloading anything in less than 3 days[:@]

If I was to use SetACL (which I have a copy of!) to hide the shortcut from non-group members, how would I go about that? Thanks again

P.S. If anyone knows the permission value which would hide a shortcut, it would be appreciated, or what I am doing wrong otherwise, cheers
Posted by: anonymous_9363 16 years ago
Red Belt
0
> LockObject is exactly as it appears in Directory field.

Really? With a space in it?

> Am testing on local machine first so no need for Domain?

You still need it. Use [%COMPUTERNAME] for local.

> Have removed the defined property and added actual group name, power users and administrators, think that's all 'necessary'?

I'd add 'Domain Admins' but that's your call. If you're happy you'll always know the local Admin p/w...
You may

> Permission value may be the issue but unfortunately I don't have a copy of winnt.h anywhere and this place is more locked down than Fort Knox so won't be downloading anything in less than 3 days[:@]

Email me and I'll send it to you in text form (in case your folks block ZIPs by content)

> If I was to use SetACL (which I have a copy of!) to hide the shortcut from non-group members how would I go about that?

SetACL command line example. Sets 'change' permissions on the directory 'c:\my dir' for user 'user1' in domain 'domain1':
SetACL -on "C:\my dir" -ot file -actn ace -ace "n:domain1\user1;p:change"


I typically extract SetACL from the Binary table via script (having embedded both in our Windows Application template WSI for Wise Package Studio) then run a VB Script CA after CreateFolders in Execute Deferred. I do that because this way, the folder (and sub-folders, if any) gets permissioned and the files simply inherit those permissions. Otherwise you'd have to wait for SetACL to be installed along with the rest of the files and then have to wait while all the files are permissioned. If you do email me for the WINNT.H file, remind me and I'll include the binary extraction script (although a recent response to an old post includes a version of it)
Posted by: oreillyr 16 years ago
Fifth Degree Brown Belt
0
Thanks VBScab. I have a confession to make....there was no space and I just noticed it! I have had a serious word with myself and it won't be happening again :)

I got the winnt.h file after a little bribery[;)]

I changed the below:

Table - CreateFolder with a corresponding entry in the CreateFolder table (removed space!)
Domain - Used [%USERDOMAIN] and [%COMPUTERNAME] where relevant
Permissions:
- User (group) - 1180073
- Power Users - 1180095
- Administrators - 268435456
- Domain Admins - 268435456

I think I will go down the SetAcl route in future for the reasons you outline in the previous post. Thanks again for your help
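
An added example, not part of the original thread: the Permission values quoted above, decoded into the WINNT.H access-right names they are built from and compared against plain read-and-execute access. The function names and the sample rows are constructed for illustration.

```python
# File/directory access-right bits as defined in WINNT.H.
RIGHTS = {
    0x00000001: "FILE_READ_DATA",        # list directory
    0x00000002: "FILE_WRITE_DATA",       # add file
    0x00000004: "FILE_APPEND_DATA",      # add subdirectory
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE",          # traverse
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
# FILE_GENERIC_READ | FILE_GENERIC_EXECUTE from WINNT.H.
READ_EXECUTE = 0x001200A9


def decode(permission):
    """Return (right names, unrecognised bits) for a Permission value."""
    mask = permission & 0xFFFFFFFF  # tolerate values written as negative 32-bit integers
    names = [name for bit, name in RIGHTS.items() if mask & bit]
    return names, mask & ~sum(RIGHTS) & 0xFFFFFFFF


def beyond_read_execute(permission):
    """Names of the rights a value grants on top of read-and-execute."""
    return decode(permission & ~READ_EXECUTE)[0]


# Constructed rows using the accounts and values from the thread.
ROWS = [("APPGROUP", 1180073), ("Power Users", 1180095),
        ("Administrators", 268435456), ("Domain Admins", 268435456)]

if __name__ == "__main__":
    for user, perm in ROWS:
        names, unknown = decode(perm)
        print(f"{user:15} 0x{perm:08X} {' | '.join(names)}")
        print(f"{'':15} beyond read/execute: {beyond_read_execute(perm) or 'none'}")
        if unknown:
            print(f"{'':15} unrecognised bits: 0x{unknown:X}")
```
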
