/build/static/layout/Breadcrumb_cap_w.png

Setting rights to files and folders

What is the best tool to use when setting rights to files and folders / Registry in a closed environment?

I am using regperm and cacls today and have read about other tools.
What is the difference? Pro's and Con's ?

Is there anyone that knows and can tell me the different and also make a recommendation regarding what tool to use?

/Regards

0 Comments   [ + ] Show comments

Answers (15)

Posted by: MSIPackager 19 years ago
3rd Degree Black Belt
0
I reckon the best tool is SetACL - it does file and registry permissions. You can just use the command line .exe or the ActiveX version for vbscript etc.


Cheers,
Rob.
Posted by: viv_bhatt1 19 years ago
Senior Purple Belt
0
You can also use Group policy to elevate NTFS and registry permissions . Generally organizations have Application Groups created in AD and GP is used to create workstation policy to elevate rights for a particular application group .

This will eliminate any elevation work done in package .

Cheers ,
V
Posted by: UcMerrill 19 years ago
Senior Yellow Belt
0
I use secedit.exe. Works like a charm for file, folder and registry.
Posted by: gertitombo 19 years ago
Orange Belt
0
Hello,

How can I in Adminstudio 6 add Xcacl, cacl or setacl in custom action? I know the parameters in the dos prompt.
COuld someone tell me how to put it in custom action? preferrable in step by step.

Thanks a lot.
Best regards,
Gert-Tom
Posted by: Robb Thomas 19 years ago
Senior Yellow Belt
0
We use SetACL all the time as an embedded action. I like it because this one tool does Registry permissions, as well as file permissions. Tis darn nice stuff. :)

Regards,
---- Robb ----
Posted by: MSIMaker 19 years ago
2nd Degree Black Belt
0
ORIGINAL: UcMerrill

I use secedit.exe. Works like a charm for file, folder and registry.


I also use secedit with an inf file because it places the permissions correctly on the object and also allows inheritable rights which some of the others don't place correctly.

There is another program called reggrant which is worth a look.
Posted by: viv_bhatt1 19 years ago
Senior Purple Belt
0
Hi ,

If you want to handle NTFS and registry permissions using MSI package then you should use LockPermissions table instead .

I have never used any other third party tool as Lock Permissions table is capable of handling everything .

Furthermore if you are using Admin Studio then it is even more easy and sophisticated to elevate rights . No need to enter data in Lock Permissions table as Installshield handles that through GUI .

Cheers ,
V
Posted by: MSIMaker 19 years ago
2nd Degree Black Belt
0
ORIGINAL: viv_bhatt1

Hi ,

If you want to handle NTFS and registry permissions using MSI package then you should use LockPermissions table instead .

I have never used any other third party tool as Lock Permissions table is capable of handling everything .

Furthermore if you are using Admin Studio then it is even more easy and sophisticated to elevate rights . No need to enter data in Lock Permissions table as Installshield handles that through GUI .

Cheers ,
V


I thought the LockPermissions table didn't apply Inherited rights to reg keys and folders?
Posted by: viv_bhatt1 19 years ago
Senior Purple Belt
0
yes , you are right .Good point .

I have had to give permissions to each sub folder in Admin Studio sometimes due to this issue .

Fuerthermore w use LockPermissions table along with GP workstation policy to open INSTALLDIR for such applications .

Cheers ,
V
Posted by: MSIMaker 19 years ago
2nd Degree Black Belt
0
viv_bhatt1

One of things I am forced to do consistently is to apply permissions to ini files in the Windows folder.

We used to apply permissions to All Users but have recently changed that to only allow users of that particular app to have rights. From a security standpoint this is far better. Using secedit we can apply file, folder and registry permissions using the Active Directory software group that the app is deployed to so that only the users in that group get write permissions.

This stop unauthorised users from changing the contents of the file etc.
Posted by: viv_bhatt1 19 years ago
Senior Purple Belt
0
managing NTFS and reg permissions thorugh AD application groups and workstation GP is far better than handling the same through package .

I agree with you , assigning permissions to speciifc application groups than ALL USers ismuch more safer . We are also using the same concept to manage permissions in locked down environment .

Cheers ,
V

ORIGINAL: MSIMaker

viv_bhatt1

One of things I am forced to do consistently is to apply permissions to ini files in the Windows folder.

We used to apply permissions to All Users but have recently changed that to only allow users of that particular app to have rights. From a security standpoint this is far better. Using secedit we can apply file, folder and registry permissions using the Active Directory software group that the app is deployed to so that only the users in that group get write permissions.

This stop unauthorised users from changing the contents of the file etc.

Posted by: subsense 19 years ago
Purple Belt
0
Hmm,

I'm not too wild about NTFS permissions with GPO. For a few folders, no problem but what if we need to set the security on a whole bunch of folder/files takes way to long!

We recon that, for us, the best way is to set de security by adding a "Create Folder" to a certain component. We just fill in the security group, no domain, so that te MSI works fine over multiple domains. Works great for new app installs! But yes there is an issue for setting de security on existing files. For that we use setacl with a custom action (VBS).
Posted by: chipfork 19 years ago
Senior Yellow Belt
0
ORIGINAL: viv_bhatt1

Hi ,

If you want to handle NTFS and registry permissions using MSI package then you should use LockPermissions table instead .

I have never used any other third party tool as Lock Permissions table is capable of handling everything .

Furthermore if you are using Admin Studio then it is even more easy and sophisticated to elevate rights . No need to enter data in Lock Permissions table as Installshield handles that through GUI .

Cheers ,
V

I may have missed something but I found the LockPermissions table replaced ACLs which wasn't ideal for packages on different platforms with different standard ACLs. That's why I tend to use SetACL or XCACLS to edit the existing ACL for the machine's file or folder.
Posted by: Thegunner 19 years ago
Second Degree Green Belt
0
ORIGINAL: viv_bhatt1

Hi ,

If you want to handle NTFS and registry permissions using MSI package then you should use LockPermissions table instead .

I have never used any other third party tool as Lock Permissions table is capable of handling everything .

Furthermore if you are using Admin Studio then it is even more easy and sophisticated to elevate rights . No need to enter data in Lock Permissions table as Installshield handles that through GUI .

Cheers ,
V


Hi

Is there somewhere where I can find out more about LockPermissions, as I dont use it. But I would like to get to know how to use it.

Cheers
Posted by: MSIPackager 19 years ago
3rd Degree Black Belt
0
Hi, here is the MSDN reference info for the lock permissions table:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/msi/setup/lockpermissions_table.asp

Probably easiest to set the permissions in Wise (or Admin Studio) and look at how it populates the above table. As discussed in this thread and many others though it's not generally considered the best method for editing ACLs so be cautious if you are going to use it in your live environment...

Cheers,
Rob.
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ