Re: Deny _WRITE_ access to a file

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/01/05

    Date: Mon, 28 Feb 2005 22:12:30 -0700
    
    

    Al is quite right in picking up on your mention of use in a
    login script - which skipped my attention.
    To do as you had planned you would need to do this in
    a startup/shutdown script, not login/logoff script.

    However, you really, really would IMO be better off by
    restructuring so that all files with this requirement are in
    a folder with appropriate grants, not mixed in with other
    files in a folder where the default NTFS permissions will
    need to be changed.

    -- 
    Roger Abell
    Microsoft MVP (Windows  Security)
    MCSE (W2k3,W2k,Nt4)  MCDBA
    "Javier J" <no.mail@please.no> wrote in message
    news:cvc321lamb3mjim61lkfadd8f72kcdhc39@4ax.com...
    > Hi all!
    >
    > I want to make sure that a group of users can't WRITE a set of files
    > that they have to be able to READ. The files belonging to that set
    > might change over time, so I want to make it part of a logon script.
    >
    > The problem is, I can use CACLS / XCACLS to DENY ALL access to the
    > file, or to GRANT read, write, etc. privileges to the files. But I
    > can't use them (or, probably, I don't know how to do it) to just deny
    > write permissions for a given group.
    >
    > Is there some util that I might use, or do I have to resort to VBS to
    > accomplish what I need to do? IF that's the case, HOW do I do it
    > (sadly, while I'm quite adept at batch scripting, VBS is not my forte).
    >
    > Thanks a lot.
    >
    > Javier J
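
The dedicated-folder layout suggested in the reply, sketched in PowerShell as an added example that is not part of the original thread. The folder path and group name are hypothetical placeholders, and the script is assumed to run elevated (for instance from a computer startup script rather than a logon script).

```powershell
# Added example. $Path and $Group are hypothetical placeholders.
param(
    [string]$Path  = 'D:\Shared\ReadOnlyDocs',
    [string]$Group = 'EXAMPLE\ReadOnlyUsers'
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $Path)) {
    New-Item -ItemType Directory -Path $Path | Out-Null
}

# Resolve principals to SIDs first, so a mistyped group name fails before the ACL is touched.
$sidType  = [System.Security.Principal.SecurityIdentifier]
$groupSid = ([System.Security.Principal.NTAccount]$Group).Translate($sidType)
$admins   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators
$system   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # NT AUTHORITY\SYSTEM

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-AllowRule($sid, [System.Security.AccessControl.FileSystemRights]$rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $rights, $inherit, $noProp, $allow)
}

$acl = Get-Acl -LiteralPath $Path
# Stop inheriting from the parent and discard the inherited ACEs when the ACL is applied.
$acl.SetAccessRuleProtection($true, $false)
# Drop explicit ACEs left over from earlier runs or manual edits.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRuleSpecific($rule)
}
# Allow-only design: the group gets read access and is simply never granted write,
# so no DENY entry is needed. Files placed in the folder inherit these ACEs.
$acl.AddAccessRule((New-AllowRule $admins   'FullControl'))
$acl.AddAccessRule((New-AllowRule $system   'FullControl'))
$acl.AddAccessRule((New-AllowRule $groupSid 'ReadAndExecute'))
Set-Acl -LiteralPath $Path -AclObject $acl

# Verify: no allow ACE naming the group carries a write-type right.
# This checks only ACEs for $Group itself; members may still gain write through other groups.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$bad = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) | Where-Object {
    $_.IdentityReference.Value -eq $groupSid.Value -and $_.AccessControlType -eq $allow -and
    ([int]$_.FileSystemRights -band [int]$writeMask) -ne 0 }
if ($bad) { throw "Group $Group still has write-type rights on $Path" }
```

Files that already carry their own explicit ACEs, or that were moved into the folder from elsewhere on the same volume, keep those entries and should be reviewed separately.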
    
