Setting rights to files and folders
What is the best tool to use when setting rights to files and folders / Registry in a closed environment?
I am using regperm and cacls today and have read about other tools.
What is the difference? Pro's and Con's ?
Is there anyone that knows and can tell me the different and also make a recommendation regarding what tool to use?
/Regards
I am using regperm and cacls today and have read about other tools.
What is the difference? Pro's and Con's ?
Is there anyone that knows and can tell me the different and also make a recommendation regarding what tool to use?
/Regards
0 Comments
[ + ] Show comments
Answers (15)
Please log in to answer
Posted by:
MSIPackager
18 years ago
I reckon the best tool is SetACL - it does file and registry permissions. You can just use the command line .exe or the ActiveX version for vbscript etc.
Cheers,
Rob.
Cheers,
Rob.
Posted by:
viv_bhatt1
18 years ago
You can also use Group policy to elevate NTFS and registry permissions . Generally organizations have Application Groups created in AD and GP is used to create workstation policy to elevate rights for a particular application group .
This will eliminate any elevation work done in package .
Cheers ,
V
This will eliminate any elevation work done in package .
Cheers ,
V
Posted by:
UcMerrill
18 years ago
I use secedit.exe. Works like a charm for file, folder and registry.
Posted by:
gertitombo
18 years ago
Hello,
How can I in Adminstudio 6 add Xcacl, cacl or setacl in custom action? I know the parameters in the dos prompt.
COuld someone tell me how to put it in custom action? preferrable in step by step.
Thanks a lot.
Best regards,
Gert-Tom
How can I in Adminstudio 6 add Xcacl, cacl or setacl in custom action? I know the parameters in the dos prompt.
COuld someone tell me how to put it in custom action? preferrable in step by step.
Thanks a lot.
Best regards,
Gert-Tom
Posted by:
Robb Thomas
18 years ago
We use SetACL all the time as an embedded action. I like it because this one tool does Registry permissions, as well as file permissions. Tis darn nice stuff. :)
Regards,
---- Robb ----
Regards,
---- Robb ----
Posted by:
MSIMaker
18 years ago
ORIGINAL: UcMerrill
I use secedit.exe. Works like a charm for file, folder and registry.
I also use secedit with an inf file because it places the permissions correctly on the object and also allows inheritable rights which some of the others don't place correctly.
There is another program called reggrant which is worth a look.
Posted by:
viv_bhatt1
18 years ago
Hi ,
If you want to handle NTFS and registry permissions using MSI package then you should use LockPermissions table instead .
I have never used any other third party tool as Lock Permissions table is capable of handling everything .
Furthermore if you are using Admin Studio then it is even more easy and sophisticated to elevate rights . No need to enter data in Lock Permissions table as Installshield handles that through GUI .
Cheers ,
V
If you want to handle NTFS and registry permissions using MSI package then you should use LockPermissions table instead .
I have never used any other third party tool as Lock Permissions table is capable of handling everything .
Furthermore if you are using Admin Studio then it is even more easy and sophisticated to elevate rights . No need to enter data in Lock Permissions table as Installshield handles that through GUI .
Cheers ,
V
Posted by:
MSIMaker
18 years ago
ORIGINAL: viv_bhatt1
Hi ,
If you want to handle NTFS and registry permissions using MSI package then you should use LockPermissions table instead .
I have never used any other third party tool as Lock Permissions table is capable of handling everything .
Furthermore if you are using Admin Studio then it is even more easy and sophisticated to elevate rights . No need to enter data in Lock Permissions table as Installshield handles that through GUI .
Cheers ,
V
I thought the LockPermissions table didn't apply Inherited rights to reg keys and folders?
Posted by:
viv_bhatt1
18 years ago
yes , you are right .Good point .
I have had to give permissions to each sub folder in Admin Studio sometimes due to this issue .
Fuerthermore w use LockPermissions table along with GP workstation policy to open INSTALLDIR for such applications .
Cheers ,
V
I have had to give permissions to each sub folder in Admin Studio sometimes due to this issue .
Fuerthermore w use LockPermissions table along with GP workstation policy to open INSTALLDIR for such applications .
Cheers ,
V
Posted by:
MSIMaker
18 years ago
viv_bhatt1
One of things I am forced to do consistently is to apply permissions to ini files in the Windows folder.
We used to apply permissions to All Users but have recently changed that to only allow users of that particular app to have rights. From a security standpoint this is far better. Using secedit we can apply file, folder and registry permissions using the Active Directory software group that the app is deployed to so that only the users in that group get write permissions.
This stop unauthorised users from changing the contents of the file etc.
One of things I am forced to do consistently is to apply permissions to ini files in the Windows folder.
We used to apply permissions to All Users but have recently changed that to only allow users of that particular app to have rights. From a security standpoint this is far better. Using secedit we can apply file, folder and registry permissions using the Active Directory software group that the app is deployed to so that only the users in that group get write permissions.
This stop unauthorised users from changing the contents of the file etc.
Posted by:
viv_bhatt1
18 years ago
managing NTFS and reg permissions thorugh AD application groups and workstation GP is far better than handling the same through package .
I agree with you , assigning permissions to speciifc application groups than ALL USers ismuch more safer . We are also using the same concept to manage permissions in locked down environment .
Cheers ,
V
I agree with you , assigning permissions to speciifc application groups than ALL USers ismuch more safer . We are also using the same concept to manage permissions in locked down environment .
Cheers ,
V
ORIGINAL: MSIMaker
viv_bhatt1
One of things I am forced to do consistently is to apply permissions to ini files in the Windows folder.
We used to apply permissions to All Users but have recently changed that to only allow users of that particular app to have rights. From a security standpoint this is far better. Using secedit we can apply file, folder and registry permissions using the Active Directory software group that the app is deployed to so that only the users in that group get write permissions.
This stop unauthorised users from changing the contents of the file etc.
Posted by:
subsense
18 years ago
Hmm,
I'm not too wild about NTFS permissions with GPO. For a few folders, no problem but what if we need to set the security on a whole bunch of folder/files takes way to long!
We recon that, for us, the best way is to set de security by adding a "Create Folder" to a certain component. We just fill in the security group, no domain, so that te MSI works fine over multiple domains. Works great for new app installs! But yes there is an issue for setting de security on existing files. For that we use setacl with a custom action (VBS).
I'm not too wild about NTFS permissions with GPO. For a few folders, no problem but what if we need to set the security on a whole bunch of folder/files takes way to long!
We recon that, for us, the best way is to set de security by adding a "Create Folder" to a certain component. We just fill in the security group, no domain, so that te MSI works fine over multiple domains. Works great for new app installs! But yes there is an issue for setting de security on existing files. For that we use setacl with a custom action (VBS).
Posted by:
chipfork
18 years ago
ORIGINAL: viv_bhatt1
Hi ,
If you want to handle NTFS and registry permissions using MSI package then you should use LockPermissions table instead .
I have never used any other third party tool as Lock Permissions table is capable of handling everything .
Furthermore if you are using Admin Studio then it is even more easy and sophisticated to elevate rights . No need to enter data in Lock Permissions table as Installshield handles that through GUI .
Cheers ,
V
I may have missed something but I found the LockPermissions table replaced ACLs which wasn't ideal for packages on different platforms with different standard ACLs. That's why I tend to use SetACL or XCACLS to edit the existing ACL for the machine's file or folder.
Posted by:
Thegunner
18 years ago
ORIGINAL: viv_bhatt1
Hi ,
If you want to handle NTFS and registry permissions using MSI package then you should use LockPermissions table instead .
I have never used any other third party tool as Lock Permissions table is capable of handling everything .
Furthermore if you are using Admin Studio then it is even more easy and sophisticated to elevate rights . No need to enter data in Lock Permissions table as Installshield handles that through GUI .
Cheers ,
V
Hi
Is there somewhere where I can find out more about LockPermissions, as I dont use it. But I would like to get to know how to use it.
Cheers
Posted by:
MSIPackager
18 years ago
Hi, here is the MSDN reference info for the lock permissions table:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/msi/setup/lockpermissions_table.asp
Probably easiest to set the permissions in Wise (or Admin Studio) and look at how it populates the above table. As discussed in this thread and many others though it's not generally considered the best method for editing ACLs so be cautious if you are going to use it in your live environment...
Cheers,
Rob.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/msi/setup/lockpermissions_table.asp
Probably easiest to set the permissions in Wise (or Admin Studio) and look at how it populates the above table. As discussed in this thread and many others though it's not generally considered the best method for editing ACLs so be cautious if you are going to use it in your live environment...
Cheers,
Rob.
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.