The Community is now in read-only mode to prepare for the launch of the new Flexera Community. During this time, you will be unable to register, log in, or access customer resources. Click here for more information.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

File Permissions problem

CChong
By Level 11 Flexeran
Level 11 Flexeran
I am using AdminStudio Pro 3.5 to repackage applications for delivery to Windows XP clients from a Windows 2000 Active Directory.

I have an app that was supplied with an .msi file and I have used Tuner to create a transform for this .msi. Included in the transform are file permission changes for the app's installation directory C:\Program Files\AppName, because the application insists on writing user config data to it's install directory.

I have used the LockPermissions table to give the local Users group Modify access to this dir (along with retaining the standard Admin, Power Users, etc permissions).

The application will be a user assigned app in the AD, therefore I am testing it using msiexec with the /ju and /t switches.

My problem is as follows;
When I test the app as a user with local admin rights it works perfectly and applies the correct file permissions. However, when I run it as a standard user the file permissions are not applied, the directory instead inherits the permissions from C:\Program Files.

It's worth mentioning that the test userid is in a container in the AD that has the "Always install with elevated privileges" policies enabled.

Any ideas would be greatly appreciated.

Regards,
Dave
(1) Reply

baking
By
Level 3
One way to get around this is to run a Custom Action in the system context and use the cacls.exe command. This probably isn't the answer your looking for, but I've used it in the past when I couldn't get LockPermissions to behave like I wanted.

Displays or modifies access control lists (ACLs) of files
CACLS filename [/G user:perm] [/R user [...]]
[/P user:perm [...]] [/D user [...]]
filename Displays ACLs.
/T Changes ACLs of specified files in
the current directory and all subdirectories.
/E Edit ACL instead of replacing it.
/C Continue on access denied errors.
/G user:perm Grant specified user access rights.
Perm can be: R Read
W Write
C Change (write)
F Full control
/R user Revoke specified user's access rights (only valid with /E).
/P user:perm Replace specified user's access rights.
Perm can be: N None
R Read
W Write
C Change (write)
F Full control
/D user Deny specified user access.
Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.

Abbreviations:
CI - Container Inherit.
The ACE will be inherited by directories.
OI - Object Inherit.
The ACE will be inherited by files.
IO - Inherit Only.
The ACE does not apply to the current file/directory.
********************************************
To put in a custom action:
The CACLS.EXE command line utility does not provide a /Y switch that automatically answers with Y for Yes to the ARE YOU SURE? Y/N prompt. However, you can use the echo command to pipe the character Y as input to the ARE YOU SURE? Y/N prompt when you call Cacls.exe in a batch file.

To programmatically answer with Yes to the ARE YOU SURE? Y/N prompt during batch file execution, use the following command line in your batch file:

echo y| cacls filename /g username:permission

NOTE: Do not type a space between the "y" and the pipe symbol (|), otherwise, Cacls.exe fails to make the permission changes.