Hi, I have a question regarding the windows file/folder permission. One application (being packaged) requires create file permission for .log files in the windows folder(C:\Windows in XP) in order to launch successfully. As a normal locked down user does not have permission to create files under C:\Windows, the application in question breaks. The log file names are in incremental order and the app creates new log file upon every launch.

Could you please confirm if there is a way to give user create permission for (*.log file only) under C:\Windows ? Is group policy a possible solution in this case? if yes then how?
0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Answers

0
The first thing to establish is whether this location is "hard-coded", or whether you can influence the log folder location somehow (registry, inifile, start-up folder, etc). Ideally, you should make the application create the files elsewhere - is it an in-house application?

As a last resort, you could grant users of that application special permissions to create new files in the windows folder (but not modify existing files), maybe using a group. But this should only be done as a last resort.

I can think of a complicated work-around using the installer service to create the next sequential log file at application runtime and modify it's ACL accordingly (and maybe delete redundant ones). This solution would rely on an advertised shortcut and the fact that your MSI might be "managed", but I won't go into details!
Answered 11/16/2004 by: WiseUser
Fourth Degree Brown Belt

Please log in to comment
0
to create new files in the windows folder (but not modify existing files),

Hi Thanks a lot for the reply. The app has no registry, ini file configure info to coustomise this log file creation. It is an in-house application.

The workaround you suggested (to create next sequential log file at application runtime using installer service) is of no use as the app itself is creating the log file at runtime. If 1.log already exists, it creates 2.log. if 2.log exists then 3.log and so on.


Kind regards
Steevan
Answered 11/17/2004 by: dsouza_steevan
Yellow Belt

Please log in to comment
0
Make a startup script to remove the logfiles

Give permission to a few number of files log1, log2, log3, log5 from GPO etc.

that gives the ability to start the program say 5 times

But best thing is to change program behavior.

Sweede [;)]
Answered 11/29/2004 by: Sweede
Second Degree Green Belt

Please log in to comment
0
ORIGINAL: Sweede



Make a startup script to remove the logfiles

Give permission to a few number of files log1, log2, log3, log5 from GPO etc.

that gives the ability to start the program say 5 times

But best thing is to change program behavior.

Sweede [;)]




Make sure that if you try to modify the permissions of the log files that the System account has modify permissions on the folder that the log files reside in.
Answered 11/29/2004 by: cdupuis
Third Degree Green Belt

Please log in to comment
0
You could easily create a Global group in AD and give users in that group create permissions in the Windows folder. This will mean that only those users with the app have that sort of permission. It's messy but it will work.
Answered 12/17/2004 by: MSIMaker
Second Degree Black Belt

Please log in to comment
0
can we give permission using cacls to a create log files only in a folder
Answered 11/20/2009 by: Eswari
Orange Belt

Please log in to comment
0
If I understand your post correctly, you are asking if you can use CACLS to restrict users in such a way that only log files can be create in a folder. A simple execution of CACLS with no arguments or reading of its documentation would show you all its command line arguments, none of which would implement such a feature.

I think the only way you could achieve what you want would be to create a service which watches the folder in question and deletes any file which isn't a log file. You would obviously also have to define, for that service the file types which you consider to be 'LOG' files.

Next, it's not really The Done Thing - here or in most forums I know of - to resurrect old threads.

Lastly, what exactly does your question have to do with 'Group Policy', the intended subject matter for this forum?
Answered 11/22/2009 by: VBScab
Red Belt

Please log in to comment
Answer this question or Comment on this question for clarity