What is the best tool to use when setting rights to files and folders / Registry in a closed environment?

I am using regperm and cacls today and have read about other tools.
What is the difference? Pro's and Con's ?

Is there anyone that knows and can tell me the different and also make a recommendation regarding what tool to use?

/Regards
0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Answers

0
I reckon the best tool is SetACL - it does file and registry permissions. You can just use the command line .exe or the ActiveX version for vbscript etc.


Cheers,
Rob.
Answered 09/05/2005 by: MSIPackager
Third Degree Black Belt

Please log in to comment
0
You can also use Group policy to elevate NTFS and registry permissions . Generally organizations have Application Groups created in AD and GP is used to create workstation policy to elevate rights for a particular application group .

This will eliminate any elevation work done in package .

Cheers ,
V
Answered 09/06/2005 by: viv_bhatt1
Senior Purple Belt

Please log in to comment
0
I use secedit.exe. Works like a charm for file, folder and registry.
Answered 09/07/2005 by: UcMerrill
Senior Yellow Belt

Please log in to comment
0
Hello,

How can I in Adminstudio 6 add Xcacl, cacl or setacl in custom action? I know the parameters in the dos prompt.
COuld someone tell me how to put it in custom action? preferrable in step by step.

Thanks a lot.
Best regards,
Gert-Tom
Answered 09/07/2005 by: gertitombo
Orange Belt

Please log in to comment
0
We use SetACL all the time as an embedded action. I like it because this one tool does Registry permissions, as well as file permissions. Tis darn nice stuff. :)

Regards,
---- Robb ----
Answered 09/08/2005 by: Robb Thomas
Senior Yellow Belt

Please log in to comment
0
ORIGINAL: UcMerrill

I use secedit.exe. Works like a charm for file, folder and registry.


I also use secedit with an inf file because it places the permissions correctly on the object and also allows inheritable rights which some of the others don't place correctly.

There is another program called reggrant which is worth a look.
Answered 09/09/2005 by: MSIMaker
Second Degree Black Belt

Please log in to comment
0
Hi ,

If you want to handle NTFS and registry permissions using MSI package then you should use LockPermissions table instead .

I have never used any other third party tool as Lock Permissions table is capable of handling everything .

Furthermore if you are using Admin Studio then it is even more easy and sophisticated to elevate rights . No need to enter data in Lock Permissions table as Installshield handles that through GUI .

Cheers ,
V
Answered 09/09/2005 by: viv_bhatt1
Senior Purple Belt

Please log in to comment
0
ORIGINAL: viv_bhatt1

Hi ,

If you want to handle NTFS and registry permissions using MSI package then you should use LockPermissions table instead .

I have never used any other third party tool as Lock Permissions table is capable of handling everything .

Furthermore if you are using Admin Studio then it is even more easy and sophisticated to elevate rights . No need to enter data in Lock Permissions table as Installshield handles that through GUI .

Cheers ,
V


I thought the LockPermissions table didn't apply Inherited rights to reg keys and folders?
Answered 09/09/2005 by: MSIMaker
Second Degree Black Belt

Please log in to comment
0
yes , you are right .Good point .

I have had to give permissions to each sub folder in Admin Studio sometimes due to this issue .

Fuerthermore w use LockPermissions table along with GP workstation policy to open INSTALLDIR for such applications .

Cheers ,
V
Answered 09/09/2005 by: viv_bhatt1
Senior Purple Belt

Please log in to comment
0
viv_bhatt1

One of things I am forced to do consistently is to apply permissions to ini files in the Windows folder.

We used to apply permissions to All Users but have recently changed that to only allow users of that particular app to have rights. From a security standpoint this is far better. Using secedit we can apply file, folder and registry permissions using the Active Directory software group that the app is deployed to so that only the users in that group get write permissions.

This stop unauthorised users from changing the contents of the file etc.
Answered 09/09/2005 by: MSIMaker
Second Degree Black Belt

Please log in to comment
0
managing NTFS and reg permissions thorugh AD application groups and workstation GP is far better than handling the same through package .

I agree with you , assigning permissions to speciifc application groups than ALL USers ismuch more safer . We are also using the same concept to manage permissions in locked down environment .

Cheers ,
V

ORIGINAL: MSIMaker

viv_bhatt1

One of things I am forced to do consistently is to apply permissions to ini files in the Windows folder.

We used to apply permissions to All Users but have recently changed that to only allow users of that particular app to have rights. From a security standpoint this is far better. Using secedit we can apply file, folder and registry permissions using the Active Directory software group that the app is deployed to so that only the users in that group get write permissions.

This stop unauthorised users from changing the contents of the file etc.

Answered 09/10/2005 by: viv_bhatt1
Senior Purple Belt

Please log in to comment
0
Hmm,

I'm not too wild about NTFS permissions with GPO. For a few folders, no problem but what if we need to set the security on a whole bunch of folder/files takes way to long!

We recon that, for us, the best way is to set de security by adding a "Create Folder" to a certain component. We just fill in the security group, no domain, so that te MSI works fine over multiple domains. Works great for new app installs! But yes there is an issue for setting de security on existing files. For that we use setacl with a custom action (VBS).
Answered 09/14/2005 by: subsense
Purple Belt

Please log in to comment
0
ORIGINAL: viv_bhatt1

Hi ,

If you want to handle NTFS and registry permissions using MSI package then you should use LockPermissions table instead .

I have never used any other third party tool as Lock Permissions table is capable of handling everything .

Furthermore if you are using Admin Studio then it is even more easy and sophisticated to elevate rights . No need to enter data in Lock Permissions table as Installshield handles that through GUI .

Cheers ,
V

I may have missed something but I found the LockPermissions table replaced ACLs which wasn't ideal for packages on different platforms with different standard ACLs. That's why I tend to use SetACL or XCACLS to edit the existing ACL for the machine's file or folder.
Answered 09/15/2005 by: chipfork
Senior Yellow Belt

Please log in to comment
0
ORIGINAL: viv_bhatt1

Hi ,

If you want to handle NTFS and registry permissions using MSI package then you should use LockPermissions table instead .

I have never used any other third party tool as Lock Permissions table is capable of handling everything .

Furthermore if you are using Admin Studio then it is even more easy and sophisticated to elevate rights . No need to enter data in Lock Permissions table as Installshield handles that through GUI .

Cheers ,
V


Hi

Is there somewhere where I can find out more about LockPermissions, as I dont use it. But I would like to get to know how to use it.

Cheers
Answered 09/15/2005 by: Thegunner
Second Degree Green Belt

Please log in to comment
0
Hi, here is the MSDN reference info for the lock permissions table:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/msi/setup/lockpermissions_table.asp

Probably easiest to set the permissions in Wise (or Admin Studio) and look at how it populates the above table. As discussed in this thread and many others though it's not generally considered the best method for editing ACLs so be cautious if you are going to use it in your live environment...

Cheers,
Rob.
Answered 09/15/2005 by: MSIPackager
Third Degree Black Belt

Please log in to comment
Answer this question or Comment on this question for clarity