Re: [Updates] Re: More Before-The-Fact-Isms II

From: Gordon Fecyk (
Date: 01/22/05

Date: Sat, 22 Jan 2005 10:21:27 -0600

> Are you sure the problem is with all rights [including execute] in the
> entire user profile [and not just certain files]? I would expect the main
> thing necessary is permissions on the ntuser*.* files in the root of the
> profile, and I would be surprised if execute was necessary.

That seems to be the case. If I remove Execute for files, Win2K can't save
the profile back to the server holding it. It also can't load it back.

When I set up the logon and logoff scripts as described, and have the logoff
script restore permissions to their defaults, Win2K was able to save the
profiles and load them back.

> I would be afraid to depend on logon batch files executing as users for
> security. Logon scripts tend to fail or stop working from time to time and
> you may never know it.

That's why I specified them in the local computer policy instead of putting
the script in the startup group, and had them call local executables instead
of executables stored on a server.

I also had to specify "Run logon scripts synchronously - Enabled" to make
sure the local logon script launches before explorer.exe does.

If there were a way to actually specify the user profile ACL through
something like group policy, I'd have done so. As you pointed out, though,
propagating ACLs through group policy is a performance hog, and as I've
pointed out, doesn't work for %userprofile%.

> I think to be able to run those files, either you have to allow users to
> modify the permissions on the entire profile folder, or try to run the
> file under a different account.

The scripts actually go in %systemroot%\system32\GroupPolicy, which limited
users have Read and Execute access to. And that's all they need there. The
user doesn't have any say about whether the scripts run or not - they just

Do you have Norton Ghost or Symantec Ghost 2003? I can prepare an image set
up with what I'm talking about and you could try bashing away at it. I can
make the image as generic as possible (standard PC, standard video, standard
IDE drivers, etc.) so it will boot on any PC that can run Win2K.

As for the effort put into all of this, well, the research is done and
implementing it takes a bunch of mouse clicks, but they could be saved as
either a group policy or a disk image. There are immediate benefits - I can
allow ZIP attachments unrestricted again because users won't be able to run:

"dancinggirls.jpg .exe"

...from the zip file.

There are still ways around this. VBS and JS scripts run without regard to
the ACL - this is a fault of the Windows Scripting Host. cmd.exe can also
launch batch files without regard to the ACL, where explorer.exe checks the
ACL first. But I understand that Internet Explorer needs to actually have a
copy of the script in Temporary Internet Files to run those scripts.
Perhaps the Windows Scripting Host should check the ACL only if the script
is launched in the My Computer or Local Intranet zones.
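
An added example, not part of the original message: a mail-gateway style check that sorts ZIP entries into the two groups the message distinguishes, binaries that explorer.exe would refuse to launch without Execute, and script or batch types the message says run regardless of the ACL. It also flags names padded like "dancinggirls.jpg .exe". The extension sets, function names and sample archive are assumptions constructed for this sketch.

```python
import io
import zipfile

# Extension sets are assumptions for this sketch, built from the file types the post names.
SCRIPT_EXTS = {".vbs", ".js", ".bat", ".cmd"}   # post: these run without regard to the ACL
BINARY_EXTS = {".exe", ".com", ".scr", ".pif"}  # post: explorer.exe checks the ACL first

def _basename(name):
    """Last path component, with the trailing spaces and dots Windows ignores removed."""
    return name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")

def real_extension(name):
    """Return the final extension, lower-cased; empty string if there is none."""
    base = _basename(name)
    dot = base.rfind(".")
    return base[dot:].lower() if dot > 0 else ""

def is_disguised(name):
    """True for names like 'dancinggirls.jpg .exe': decoy extension, padding, real extension."""
    base = _basename(name)
    stem = base[:base.rfind(".")] if "." in base else base
    return stem != stem.rstrip() and "." in stem.rstrip()

def classify_zip(data):
    """Map each file entry in a ZIP (given as bytes) to (kind, disguised)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = real_extension(info.filename)
            kind = "script" if ext in SCRIPT_EXTS else "binary" if ext in BINARY_EXTS else "other"
            report[info.filename] = (kind, is_disguised(info.filename))
    return report

def build_sample():
    """Constructed sample archive; every entry holds harmless placeholder bytes."""
    names = ["dancinggirls.jpg .exe", "invoice.doc      .vbs", "photos/beach.jpg", "setup.cmd"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for name, (kind, disguised) in classify_zip(build_sample()).items():
        print(f"{kind:6} disguised={disguised!s:5} {name!r}")
```

Entries reported as "script" are the ones that would still need gateway filtering under the ACL scheme described in the message.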

