4 Replies Latest reply on May 6, 2016 7:16 PM by Roger1

    Grant Permissions to Local File/Folder

    Roger1 Apprentice
      Our company runs a lot of finicky software that expects you have to have admin rights to the box it's installed on.  AM works great for elevating the executables but things become more difficult when a user needs to modify an INI that happens to sit in the app folder under C:\Program Files.  I would love to have something like this available in AM but I'm not aware of any current feature. 

      This is something that I've been working on for a while - slowly revising and updating.  Initially, I created a custom action that would run at startup using icacls.exe.  Doing a recursive permissions change at startup impeded boot times and sometimes ended up failing all together.  I set run-once keys to ease the pain but upgrades and other anomalies yielded less than desirable results.  I later moved everything to Desktop Created and that helped.  However, I needed a way to check the file/folder to see if the assigned user group was still set.  I finally came up with a solution which didn't remove all of my tested icacls custom actions.  I already had a tested solution that mostly worked so I ended up taking the long way around.  That said, PowerShelling this entire thing would almost guaranteed be the best route. 

      All cards on the table:  I'm not a PowerShell or script guy.  I grab something from the Internet and mold it to my need (as best I can).  Please feel free to offer any tips or advice. 

      A few key things to note:
      Since this is per computer rather per user, I write a run-once check to HKLM rather than HCKU
      There are several actions that run with the SYSTEM account because of this
      I utilize an If-Else condition to prevent the PS script from failing if no reg value exists
      I run this at session locked in case software is installed that doesn't require a reboot. 

      How it works:
      There is a condition to check for the file/folder in question.  If it exists, a check is performed against a RunOnce value which either runs the action and sets a RunOnce value or verifies the Domain Users group is assigned to the file/folder.  If good, it exits with no changes.  If not, it deletes the RunOnce value which kicks off an action to set the permissions for Domain Users, and finally sets a RunOnce value. 

      As I said before, I think the best solution would probably be to run a file/folder check and have the PS script check and apply the changes.  Regardless of how you get there, the end result is allowing the user to do their job without the need for admin. 


      PowerShell
      $user = "DOMAIN\Domain Users" #To reuse, update file name $Acl = Get-Acl "C:\Windows\FILE.INI" if(-not (($Acl.Access | select -ExpandProperty IdentityReference) -contains $user)) { #This is where you could simply script out the permissions change rather than using icacls.exe #To reuse, update value name Remove-ItemProperty -path HKLM:\SOFTWARE\AppSense\RunOnceChecks -name FILE }   #else {} Modify if you require and Else statement # ## ##TESTING - Remove lines below and Check Prevent script from running interactively under Options.   ##Kudos to James Rankin for this bit below - http://appsensebigot.blogspot.com/2014/03/a-handy-hint-for-troubleshooting.html ## #Write-Host  #Write-Host "Press any key to continue ..." #$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") #Write-Host 


      Some code I use for setting registry permissions:
      $acl= get-acl -path "hklm:\SOFTWARE\ODBC" $acl2= get-acl -path "hklm:\SOFTWARE\WOW6432NODE\ODBC"  $inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit" $propagation = [system.security.accesscontrol.PropagationFlags]"None"  $rule = New-Object System.Security.AccessControl.RegistryAccessRule ("DOMAIN\Domain Users","FullControl",$inherit,$propagation,"Allow")  $acl.addaccessrule($rule) $acl|set-acl  $acl2.addaccessrule($rule) $acl2|set-acl


      Attached template