/build/static/layout/Breadcrumb_cap_w.png

Windows Folder Permission Issue

Hi, I have a question regarding the windows file/folder permission. One application (being packaged) requires create file permission for .log files in the windows folder(C:\Windows in XP) in order to launch successfully. As a normal locked down user does not have permission to create files under C:\Windows, the application in question breaks. The log file names are in incremental order and the app creates new log file upon every launch.

Could you please confirm if there is a way to give user create permission for (*.log file only) under C:\Windows ? Is group policy a possible solution in this case? if yes then how?

0 Comments   [ + ] Show comments

Answers (7)

Posted by: WiseUser 20 years ago
Fourth Degree Brown Belt
0
The first thing to establish is whether this location is "hard-coded", or whether you can influence the log folder location somehow (registry, inifile, start-up folder, etc). Ideally, you should make the application create the files elsewhere - is it an in-house application?

As a last resort, you could grant users of that application special permissions to create new files in the windows folder (but not modify existing files), maybe using a group. But this should only be done as a last resort.

I can think of a complicated work-around using the installer service to create the next sequential log file at application runtime and modify it's ACL accordingly (and maybe delete redundant ones). This solution would rely on an advertised shortcut and the fact that your MSI might be "managed", but I won't go into details!
Posted by: dsouza_steevan 20 years ago
Yellow Belt
0
to create new files in the windows folder (but not modify existing files),

Hi Thanks a lot for the reply. The app has no registry, ini file configure info to coustomise this log file creation. It is an in-house application.

The workaround you suggested (to create next sequential log file at application runtime using installer service) is of no use as the app itself is creating the log file at runtime. If 1.log already exists, it creates 2.log. if 2.log exists then 3.log and so on.


Kind regards
Steevan
Posted by: Sweede 20 years ago
Second Degree Green Belt
0
Make a startup script to remove the logfiles

Give permission to a few number of files log1, log2, log3, log5 from GPO etc.

that gives the ability to start the program say 5 times

But best thing is to change program behavior.

Sweede [;)]
Posted by: cdupuis 20 years ago
Third Degree Green Belt
0
ORIGINAL: Sweede



Make a startup script to remove the logfiles

Give permission to a few number of files log1, log2, log3, log5 from GPO etc.

that gives the ability to start the program say 5 times

But best thing is to change program behavior.

Sweede [;)]




Make sure that if you try to modify the permissions of the log files that the System account has modify permissions on the folder that the log files reside in.
Posted by: MSIMaker 20 years ago
2nd Degree Black Belt
0
You could easily create a Global group in AD and give users in that group create permissions in the Windows folder. This will mean that only those users with the app have that sort of permission. It's messy but it will work.
Posted by: Eswari 15 years ago
Orange Belt
0
can we give permission using cacls to a create log files only in a folder
Posted by: anonymous_9363 15 years ago
Red Belt
0
If I understand your post correctly, you are asking if you can use CACLS to restrict users in such a way that only log files can be create in a folder. A simple execution of CACLS with no arguments or reading of its documentation would show you all its command line arguments, none of which would implement such a feature.

I think the only way you could achieve what you want would be to create a service which watches the folder in question and deletes any file which isn't a log file. You would obviously also have to define, for that service the file types which you consider to be 'LOG' files.

Next, it's not really The Done Thing - here or in most forums I know of - to resurrect old threads.

Lastly, what exactly does your question have to do with 'Group Policy', the intended subject matter for this forum?
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ