Welcome to WinForumz.com!
FAQFAQ    SearchSearch      ProfileProfile    Private MessagesPrivate Messages   Log inLog in

Security Template does not apply folder permissions

  
   Windows XP (Home) -> XP Security Admin RSS
Next:  Pull-down menu and task manager questions  
Author Message
void.no.spam.com

External


Since: Jan 15, 2006
Posts: 6



(Msg. 1) Posted: Mon Jan 01, 2007 9:04 pm
Post subject: Security Template does not apply folder permissions
Archived from groups: microsoft>public>windowsxp>security_admin (more info?)
Right now I have a folder that has some permissions directly on it. I
want to use a security template to modify it so that it does not have
any permissions directly on it and instead inherits permissions from
its parent.

I created a security template, and in the File System section I added
an entry for the folder. I checked the "Configure this file or folder
then" box, and then made sure there were no permissions in the Security
tab and that the Advanced section had the "Inherit from parent the
permission entries that apply to child objects" box checked.

Then I saved the template, went to Security Configuration and Analysis
and opened a database, imported the template, and then configured the
computer. But it didn't apply the template setting to the folder --
the folder still had permissions directly on it, and did not inherit
anything from its parent. I analyzed the computer, and in the File
System it did not have a green check mark or red X on the folder; it
just said "subitems defined".

As a side note, I did have an entry for a different folder in my
template (but that one was to directly define a permission onto the
folder). After configuring the computer, that setting was applied (it
showed the green check mark).

Anyone know why the security template doesn't work for a folder when I
want that folder to inherit permissions?

 >> Stay informed about: Security Template does not apply folder permissions 
Back to top
Login to vote
Jesper

External


Since: May 09, 2005
Posts: 87



(Msg. 2) Posted: Tue Jan 02, 2007 9:41 am
Post subject: RE: Security Template does not apply folder permissions [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
You can't create a template that just sets the inheritance bit in the GUI.
You have to hand-edit the template to do that. Here is a sample template that
does it:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
1="c:\program files\common files\microsoft shared\vgx\vgx.dll", 0, "D:AI"


The D:AI is the part that does the trick. Replace the name of the file that
I have with the folder name and you should be good to go.

" " wrote:

> Right now I have a folder that has some permissions directly on it. I
> want to use a security template to modify it so that it does not have
> any permissions directly on it and instead inherits permissions from
> its parent.
>
> I created a security template, and in the File System section I added
> an entry for the folder. I checked the "Configure this file or folder
> then" box, and then made sure there were no permissions in the Security
> tab and that the Advanced section had the "Inherit from parent the
> permission entries that apply to child objects" box checked.
>
> Then I saved the template, went to Security Configuration and Analysis
> and opened a database, imported the template, and then configured the
> computer. But it didn't apply the template setting to the folder --
> the folder still had permissions directly on it, and did not inherit
> anything from its parent. I analyzed the computer, and in the File
> System it did not have a green check mark or red X on the folder; it
> just said "subitems defined".
>
> As a side note, I did have an entry for a different folder in my
> template (but that one was to directly define a permission onto the
> folder). After configuring the computer, that setting was applied (it
> showed the green check mark).
>
> Anyone know why the security template doesn't work for a folder when I
> want that folder to inherit permissions?
>
>

 >> Stay informed about: Security Template does not apply folder permissions 
Back to top
Login to vote
void.no.spam.com

External


Since: Jan 15, 2006
Posts: 6



(Msg. 3) Posted: Tue Jan 02, 2007 10:11 am
Post subject: Re: Security Template does not apply folder permissions [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Jesper wrote:
> You can't create a template that just sets the inheritance bit in the GUI.
> You have to hand-edit the template to do that. Here is a sample template that
> does it:
> [Unicode]
> Unicode=yes
> [Version]
> signature="$CHICAGO$"
> Revision=1
> [File Security]
> 1="c:\program files\common files\microsoft shared\vgx\vgx.dll", 0, "D:AI"
>
>
> The D:AI is the part that does the trick. Replace the name of the file that
> I have with the folder name and you should be good to go.

I just tried using the GUI on my work computer, and it worked. Here is
the template that the GUI saved:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
"%SystemDrive%\test\noinherit",0,"D:AR"


So it has D:AR instead of D:AI, and it doesn't have "1=" at the
beginning of the line. Is there any documentation that explains the
syntax of the security templates?

Now I wonder why it worked on my work computer, but not on my home
computer.
 >> Stay informed about: Security Template does not apply folder permissions 
Back to top
Login to vote
Jesper

External


Since: May 09, 2005
Posts: 87



(Msg. 4) Posted: Tue Jan 02, 2007 10:49 am
Post subject: Re: Security Template does not apply folder permissions [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
I put a bit of syntax into Protect Your Windows Network
(http://www.protectyourwindowsnetwork.com). Microsoft has never documented
the syntax that I know of.

The syntax of the ACL is quite straight-forward though. It is just SDDL.
D:AR means "Auto-Inherit Required." It means that the ACL _should_ inherit
from the parent. D:AI means that the ACL _is_ inherited from the parent.
Normally, AI would never be set programmatically. It would be set when the OS
propagates inheritance from a parent to a child, so that programs can
determine that this has been done. AR is what programs should set to indicate
that they want this propagation to be done. However, setting AR does not
actually initiate a propagation. Prior to Windows Vista, there was no
documented way to actually trigger the propagation. However, secedit can do
it, if you use D:AI in the template. Doing so causes secedit to actually
start a propagation to this directory. This does not work in any other tool
that I have been able to find and is not documented. In fact, I am not sure
it was even intentional that it work that way.

In Windows Vista you can trigger a propagation with icacls /reset, so the
trick with using D:AI is no longer needed there.

" " wrote:

> Jesper wrote:
> > You can't create a template that just sets the inheritance bit in the GUI.
> > You have to hand-edit the template to do that. Here is a sample template that
> > does it:
> > [Unicode]
> > Unicode=yes
> > [Version]
> > signature="$CHICAGO$"
> > Revision=1
> > [File Security]
> > 1="c:\program files\common files\microsoft shared\vgx\vgx.dll", 0, "D:AI"
> >
> >
> > The D:AI is the part that does the trick. Replace the name of the file that
> > I have with the folder name and you should be good to go.
>
> I just tried using the GUI on my work computer, and it worked. Here is
> the template that the GUI saved:
>
> [Unicode]
> Unicode=yes
> [Version]
> signature="$CHICAGO$"
> Revision=1
> [File Security]
> "%SystemDrive%\test\noinherit",0,"D:AR"
>
>
> So it has D:AR instead of D:AI, and it doesn't have "1=" at the
> beginning of the line. Is there any documentation that explains the
> syntax of the security templates?
>
> Now I wonder why it worked on my work computer, but not on my home
> computer.
>
>
 >> Stay informed about: Security Template does not apply folder permissions 
Back to top
Login to vote
void.no.spam.com

External


Since: Jan 15, 2006
Posts: 6



(Msg. 5) Posted: Wed Jan 03, 2007 10:54 pm
Post subject: Re: Security Template does not apply folder permissions [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Jesper wrote:
> I put a bit of syntax into Protect Your Windows Network
> (http://www.protectyourwindowsnetwork.com). Microsoft has never documented
> the syntax that I know of.
>
> The syntax of the ACL is quite straight-forward though. It is just SDDL.
> D:AR means "Auto-Inherit Required." It means that the ACL _should_ inherit
> from the parent. D:AI means that the ACL _is_ inherited from the parent.
> Normally, AI would never be set programmatically. It would be set when the OS
> propagates inheritance from a parent to a child, so that programs can
> determine that this has been done. AR is what programs should set to indicate
> that they want this propagation to be done. However, setting AR does not
> actually initiate a propagation. Prior to Windows Vista, there was no
> documented way to actually trigger the propagation. However, secedit can do
> it, if you use D:AI in the template. Doing so causes secedit to actually
> start a propagation to this directory. This does not work in any other tool
> that I have been able to find and is not documented. In fact, I am not sure
> it was even intentional that it work that way.
>
> In Windows Vista you can trigger a propagation with icacls /reset, so the
> trick with using D:AI is no longer needed there.

Thanks for the info. Hand editing the template would be a last resort,
as every time I use the GUI to change the template, I would need to
remember to edit it.

I was also able to get the problem to happen on my work computer. More
details in this other thread:
http://groups.google.com/group/microsoft.public.win2000.security/brows...rm/thre
 >> Stay informed about: Security Template does not apply folder permissions 
Back to top
Login to vote
Display posts from previous:   
Related Topics:
Security template contents - Is there a document/reference that lays out the settings in a security template? An example follows - [File Security] "%SystemRoot%\system32\tftp.exe",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"..

Will Windows security template affect firewall's operation? - I have the CHX-I firewall (actually a really powerful packet filter) installed on my Windows 2000 system. It lets you configure some fairly low-level settings, like limiting the number of half-open connections from a single host, and activating SYN floo...

duplicating a corrupted profile (including security+permis.. - For solving a problem regarding (i.e., replacing) a corrupted profile (e.g., see http://groups.google.ca/group/microsoft.public.windowsxp.help_and_support/browse_thread/thread/11fe45bb7d8259a6?hl=en ....) it has been suggested I transfer to a new profile...

Where is security tab for folder right click? - I'm logged into XP SP2 as an admin. When I right click a folder in Windows Explorer, I don't see a security tab. I have these tabs: General, Sharing, Customize. I'd like to add a user to this folder with specific permissions. How do I get the securit...

Problems with folder security - Hello, I have two partitions, C and D both NTFS. At one time, I was able to write to my Program Files that resides on D. However, since I joined this computer to the domain (Small Business Windows 2003 Server), I have not been able to write to the..
   Windows XP (Home) -> XP Security Admin All times are: Eastern Time (US & Canada)
Page 1 of 1

 
 You can post new topics in this forum
You can reply to topics in this forum
You can edit your posts in this forum
You can delete your posts in this forum
You can vote in polls in this forum

Categories:
  Windows XP
 Windows Vista!
 Win 2000/NT/98/ME

[ Contact us | Terms of Service/Privacy Policy ]