How to set TrustedInstaller as owner of cmd.exe? - powershell

I currently have to change permissions for all local users on cmd.exe.
So far I have taken the ownership of the file and changed the permissions in the way I need it.
My problem is that I can't figure out how to give the ownership back to TrustedInstaller.
Below you can see the code I worked out so far. It changes the permissions and throws no errors, but after the script ran the owner is still set to System.
I am using the PowerShell App Deployment Toolkit and the script was executed as system-user.
Any help is appreciated. If there are other (better) ways of changing permissions in Windows-Folder please let me know as well.
# Remember the current ACL and owner so the owner can be restored afterwards
$acl_old = Get-Acl "$envSystem32Directory\cmd.exe"
$owner_old = $acl_old.Owner
# Take ownership, then replace the grant for S-1-2-0 (well-known SID "Local") with read and execute
Execute-Process -Path "takeown.exe" -Parameters "/f C:\windows\system32\cmd.exe"
Execute-Process -Path "icacls.exe" -Parameters "$envSystem32Directory\cmd.exe /grant:r *S-1-2-0:(RX)"
# Re-read the ACL and write the saved owner back
$new_permission = Get-Acl "$envSystem32Directory\cmd.exe"
$new_owner_object = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "$owner_old"
$new_permission.SetOwner($new_owner_object)
Set-Acl -Path "$envSystem32Directory\cmd.exe" -AclObject $new_permission

I found a solution. Mine and boxdog's code are working. But it wasn't complete. In order to be able to restore TrustedInstaller as the owner, some DLL and privileges have to be loaded.
If anyone else is having this issue, here is a solution. After adding the DLL load and privileges to my script it is working.
https://social.technet.microsoft.com/Forums/scriptcenter/en-US/87679d43-04d5-4894-b35b-f37a6f5558cb/solved-how-to-take-ownership-and-change-permissions-for-blocked-files-and-folders-in-powershell

Related

Remove executable bit for all users through PowerShell

I have a little issue that I would like to hear your opinion on:
After we twice have been infected with malware in the hosting center, we decided to host our servers in-house.
But to avoid being infected again, we would like to make some changes regarding permissions on the local PC:
After gathering a lot of info, I found out that malware most likely installs itself in these folders:
C:\Windows\Temp
%USERPROFILE%\Appdata\Local (Win 7/8/10/Vista)
%USERPROFILE%\Local Settings
Therefore I would like to remove the executable bit from the folder and subfolders - but is that wise - since most likely all programs are executed from %USERDATA%\AppData\Local - then no programs will run. I did try this - but couldn't start anything unless I changed it back.
After googling a lot, I found out that this script does the most, but I am still having the issue of ending up with all files not being executable.
# Get the ACL for an existing folder For $Users
$existingAcl = Get-Acl -Path 'C:\Windows\Temp'
# Set the permissions that you want to apply to the folder
$permissions = $env:username, 'ExecuteFile', 'ContainerInherit,ObjectInherit', 'None', 'Deny'
# Create a new FileSystemAccessRule object
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permissions
# Modify the existing ACL to include the new rule
$existingAcl.SetAccessRule($rule)
# Apply the modified access rule to the folder
$existingAcl | Set-Acl -Path 'C:\Windows\Temp'
Can someone point me the right way or tell me if this is no good and will destroy more than it solves?
Thanks in advance
P

Using PowerShell to grant access to a folder for an "IIS AppPool"

I'm writing a script to automate the deployment of my platform, but I can't figure out how to set an app pool to have the permissions. With the code I have below, it just inserts the text below with the app pool name. I assume this is because this is a friendly name, and when you click "Check Names" normally it will fetch the correct user, but I can't figure out how to do this in PowerShell.
function Set_iis_perms {
    param (
        [parameter(position=0)]
        $AppPoolName,
        [parameter(position=1)]
        $FileName
    )
    # Read the current ACL, add an Allow/Modify rule for the app pool identity, write it back
    $acl = Get-Acl $FileName
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(("iis apppool\$AppPoolName"),"Modify","Allow")))
    $acl | Set-Acl $FileName
}
Even if someone can point me in the right direction I would be most thankful.
Kind Regards
Dom
Setting ACL via Get/Set-ACL and icacls is a really common thing and covered in many resources. Example(s):
Setting ACL on folder or file using PowerShell
This script will set folder permission on a folder (c:\1 and C:2) and
its sub folder. If the folder does not exist, it will create the
folder, set as shared and add the groups to the folder. Group_Name
has to be replaced with Actual Group.
Application Pool Identities
Setting permissions for ASP.NET application on IIS with
PowerShell
As per this StackOverflow Q&A
How can I add ACL permissions for IIS APPPOOL* accounts via
Powershell?
Set-Acl $directory $acl
$user = New-Object System.Security.Principal.NTAccount("$domain\\$username")
UPDATE: Seems that it won't accept the "IIS APPPOOL\AppPoolName" as an
NTAccount identifier. Now, there are two ways to accomplish what you
are trying to do:
Create a new SID object with the AppPoolIdentities SID and translate
it into an NTAccount, like this:
http://iformattable.blogspot.com/2007/12/convert-sid-to-ntaccount-with.html,
and you should be able to treat it like any other NTAccount object. If
you still want to be able to pass domain/usernames for real accounts,
build in some simple logic that defaults to the AppPool SID if
username is "AweSomeAppPool" and domain is empty, just as an example.
Use PowerShell to invoke icacls.exe, and use it to grant/revoke
whatever permissions you want, like this (first normal icacls from
command prompt, then powershell, notice the difference):
icacls.exe test.txt /grant "IIS AppPool\DefaultAppPool":(OI)(CI)M
cmd /c icacls test.txt /grant "IIS AppPool\DefaultAppPool:(OI)(CI)M"

take ownership of file under C:\Windows

Hey guys, I'm trying to rename the ActionCenter.dll via our software deployment software. In order to do that I have to take ownership of the file. By default it's owned by TrustedInstaller.
The software runs the scripts as a local user "baraInstLocal". The user seems to be deactivated when an installation is not running.
takeown.exe /F "C:\Windows\System32\ActionCenter.dll"
$Acl = Get-Acl "C:\Windows\System32\ActionCenter.dll"
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("baraInstLocal","FullControl","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "C:\Windows\System32\ActionCenter.dll" $Acl
Rename-Item "C:\Windows\System32\ActionCenter.dll" "C:\Windows\System32\ActionCenter.dll.backup"
When I run this I either get permission denied or file not found. Seems to be a problem because it is in the Windows folder. Running PowerShell as admin didn't help.
Is there a way to do it?

DSC Script Resource's TestScript failing to return boolean

Trying to push DSC I'm hitting the following error:
Failure to get a valid result from the execution of TestScript. The Test script should return True or False.
Here's the TestScript:
return (Test-Path -Path "FullPath:\To\File")
A couple things I've tried:
The Script resource has a (unmanaged) service account's credentials specified in the Credential parameter. Thinking it might not have permissions to the directory, causing Test-Path to error, I launched powershell as the user on the target machine and ran the cmdlet. It returned False (as expected). I've since made sure that the configuration gives the account permissions to the folder anyways.
Thinking it might be some weird idiosyncrasy with returning the cmdlet, I tried assigning the cmdlet to a variable and returning that. No dice.
Any ideas would be appreciated.
Edit: Here's the full resource, for those curious. It's basically just a couple quick lines to pull a script out of source control and place it locally so that I can create a scheduled task to run said script. Casting the result to a bool didn't work (same error). I'm wondering if it's even getting inside the TestScript at this point...checking get-executionpolicy shows it as undefined for the account but at the userpolicy, machinepolicy and localmachine level they're all bypass.
Script NameOfScript {
DependsOn = "[cNtfsPermissionEntry]DirectoryPermissions"
Credential = $serviceAccountPSCredentialObject
SetScript = {
Import-Module -Name Subversion
New-SvnWorkingCopy -Url "https://svnrepourl/script.ps1" -Path "E:\Scripts\"
}
TestScript = {
[bool]$result
$result = Test-Path -Path "E:\Scripts\script.ps1" -ErrorAction Stop
return $result
}
GetScript = { }
}
Try this
return ([bool]$testPath = Test-Path -Path "FullPath:\To\File")
Figured it out, with the help of this forum post. Initially I didn't think it'd be much help since I shouldn't be experiencing double-hop issues, but I'll explain why it's germane below. #TravisEz13 made the comment that the Credential parameter isn't used, but that is incorrect.
If you look at the Script resource, when you specify credentials this is how it runs the script blocks:
$scriptExecutionResult = Invoke-Command -ScriptBlock $ScriptBlock -ComputerName . -Credential $Credential
The service account in question doesn't have remote access to the machine. So when I launch powershell locally as that user and run the Test-Path cmdlet, it works, but when I try to run the above Invoke-Command with that account's creds, it returns an access denied error.
My solution was to write a module/resource for subversion checkout. Not just to get around this, but also because the subversion powershell module I was using above doesn't provide a means to pass credentials to the svn binary.

How to set Write permission on a folder for Everyone Using Powershell

I am trying to share a folder with everyone and using the below command but it is not working.
NET SHARE Movies=C:\foldername "/GRANT:Everyone,FULL"
After running this command a message comes 'Movies Shared Successfully', but when I check the folder permission it does not show the same.
Can anyone tell me the correct command?
Your net share works just fine. To set the folder permissions you need to set the ACL permissions:
$sharepath = "C:\foldername"
$Acl = Get-ACL $SharePath
$AccessRule= New-Object System.Security.AccessControl.FileSystemAccessRule("everyone","FullControl","ContainerInherit,Objectinherit","none","Allow")
$Acl.AddAccessRule($AccessRule)
Set-Acl $SharePath $Acl
You will notice that "Everyone" will show up with full access permissions on the security tab of the folder.