Windows Folder Permission Issue
Hi, I have a question regarding Windows file/folder permissions. One application (being packaged) requires create-file permission for .log files in the Windows folder (C:\Windows in XP) in order to launch successfully. As a normal locked-down user does not have permission to create files under C:\Windows, the application in question breaks. The log file names are in incremental order and the app creates a new log file upon every launch.
Could you please confirm if there is a way to give the user create permission (for *.log files only) under C:\Windows? Is Group Policy a possible solution in this case? If yes, then how?
Answers (7)
Posted by:
WiseUser
20 years ago
The first thing to establish is whether this location is "hard-coded", or whether you can influence the log folder location somehow (registry, inifile, start-up folder, etc). Ideally, you should make the application create the files elsewhere - is it an in-house application?
As a last resort, you could grant users of that application special permissions to create new files in the windows folder (but not modify existing files), maybe using a group. But this should only be done as a last resort.
I can think of a complicated work-around using the installer service to create the next sequential log file at application runtime and modify its ACL accordingly (and maybe delete redundant ones). This solution would rely on an advertised shortcut and the fact that your MSI might be "managed", but I won't go into details!
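The last-resort option in the post above (a group that may create new files in a folder but not modify existing ones), sketched as an added example that is not code from the thread. The scratch folder path, the function name `Grant-CreateFilesOnly` and the use of `BUILTIN\Users` as a stand-in for a dedicated application group are assumptions; an NTFS ACE cannot filter by file name, so the grant covers new files of any name, not only `*.log`.

```powershell
# Added example: grant "create files" on ONE folder only, to a group.
# $Folder and $Group are hypothetical values; the demo targets a scratch
# folder under %TEMP%, not C:\Windows.
param(
    [string]$Folder = (Join-Path $env:TEMP 'AclDemo'),  # constructed path
    [string]$Group  = 'BUILTIN\Users'  # stand-in group; name assumes English-language Windows
)

function Grant-CreateFilesOnly {
    param([string]$Path, [string]$Identity)

    # CreateFiles on a directory = permission to add new files to it.
    $rights    = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    # None/None = "This folder only": the ACE is not inherited by files or
    # subfolders, so it grants no write access to files that already exist.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]::None
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $rights, $inherit, $propagate, $allow

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)          # adds to the existing ACEs, replaces nothing
    Set-Acl -Path $Path -AclObject $acl
    return $rule
}

if (-not (Test-Path $Folder)) {
    New-Item -ItemType Directory -Path $Folder | Out-Null
}
Grant-CreateFilesOnly -Path $Folder -Identity $Group | Out-Null

# Review step: show only the explicit (non-inherited) ACEs on the folder,
# so the new entry and its "this folder only" scope can be checked.
(Get-Acl -Path $Folder).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType -AutoSize
```

A file created under this grant takes its permissions from the folder's inheritable ACEs, not from the added entry, so check what the creating user ends up with on the new log file before relying on it.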
Posted by:
dsouza_steevan
20 years ago
to create new files in the windows folder (but not modify existing files),
Hi, thanks a lot for the reply. The app has no registry or ini file configuration info to customise this log file creation. It is an in-house application.
The workaround you suggested (to create the next sequential log file at application runtime using the installer service) is of no use, as the app itself is creating the log file at runtime. If 1.log already exists, it creates 2.log. If 2.log exists, then 3.log, and so on.
Kind regards
Steevan
Posted by:
Sweede
20 years ago
Posted by:
cdupuis
20 years ago
ORIGINAL: Sweede
Make a startup script to remove the logfiles
Give permission to a few number of files log1, log2, log3, log5 from GPO etc.
that gives the ability to start the program say 5 times
But best thing is to change program behavior.
Sweede [;)]
Make sure that if you try to modify the permissions of the log files that the System account has modify permissions on the folder that the log files reside in.
Posted by:
MSIMaker
20 years ago
Posted by:
Eswari
15 years ago
Posted by:
anonymous_9363
15 years ago
If I understand your post correctly, you are asking if you can use CACLS to restrict users in such a way that only log files can be created in a folder. A simple execution of CACLS with no arguments or reading of its documentation would show you all its command line arguments, none of which would implement such a feature.
I think the only way you could achieve what you want would be to create a service which watches the folder in question and deletes any file which isn't a log file. You would obviously also have to define, for that service, the file types which you consider to be 'LOG' files.
Next, it's not really The Done Thing - here or in most forums I know of - to resurrect old threads.
Lastly, what exactly does your question have to do with 'Group Policy', the intended subject matter for this forum?
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.