Trying to lock down a windows 2000 server machine so that the end user
does not have access to certain facilites (e.g. regedit).

Unfortunately, we've tried deleting the files in question, but Windows
File Protection replaces them. On SP4, its also a little difficult to
disable this.

So, another idea is to change the permissions on the files so that only
admin has access (end user does not have admin access). Will this work?
Or will WFP change the access rights back as well?

If we can do this, is there any way to automate setting, say, 20 files
to these permissions without having to manually change the permissions
individually? Like a batch file or something? (Got lots of machines to
do).

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Trying to lock down a windows 2000 server machine so that the end user
> does not have access to certain facilites (e.g. regedit).
>
> Unfortunately, we've tried deleting the files in question, but Windows
> File Protection replaces them. On SP4, its also a little difficult to
> disable this.
>
> So, another idea is to change the permissions on the files so that only
> admin has access (end user does not have admin access). Will this work?
> Or will WFP change the access rights back as well?
>
> If we can do this, is there any way to automate setting, say, 20 files
> to these permissions without having to manually change the permissions
> individually? Like a batch file or something? (Got lots of machines to
> do).
>

Windows File Protection runs most likely under the System account,
hence if you include this account in your permissions you won't
cause a problem.

@echo off
cacls %SystemRoot%\system32\regedit.exe /e /r "domain users" /d SomeUser /g
system:F
cacls %SystemRoot%\system32\eventvwr.exe /e /r "domain users" /d SomeUser /g
system:F
etc.

You have to check your current permissions to come up with
the correct switches. When you get it right, run the batch file
from your own machine, using psexec.exe (www.sysinternals.com).

Pegasus (MVP) wrote:
> <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Trying to lock down a windows 2000 server machine so that the end user
> > does not have access to certain facilites (e.g. regedit).
> >
> > Unfortunately, we've tried deleting the files in question, but Windows
> > File Protection replaces them. On SP4, its also a little difficult to
> > disable this.
> >
> > So, another idea is to change the permissions on the files so that only
> > admin has access (end user does not have admin access). Will this work?
> > Or will WFP change the access rights back as well?
> >
> > If we can do this, is there any way to automate setting, say, 20 files
> > to these permissions without having to manually change the permissions
> > individually? Like a batch file or something? (Got lots of machines to
> > do).
> >
>
> Windows File Protection runs most likely under the System account,
> hence if you include this account in your permissions you won't
> cause a problem.
>
> @echo off
> cacls %SystemRoot%\system32\regedit.exe /e /r "domain users" /d SomeUser /g
> system:F
> cacls %SystemRoot%\system32\eventvwr.exe /e /r "domain users" /d SomeUser /g
> system:F
> etc.
>
> You have to check your current permissions to come up with
> the correct switches. When you get it right, run the batch file
> from your own machine, using psexec.exe (www.sysinternals.com).

Thansk for the help.

Could I use :-

cacls <filename> /d <groupname>

or do I have to specify exact user name?

Can u use wildcards to specify ALL users ?

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> Pegasus (MVP) wrote:
> > <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> > > Trying to lock down a windows 2000 server machine so that the end user
> > > does not have access to certain facilites (e.g. regedit).
> > >
> > > Unfortunately, we've tried deleting the files in question, but Windows
> > > File Protection replaces them. On SP4, its also a little difficult to
> > > disable this.
> > >
> > > So, another idea is to change the permissions on the files so that
only
> > > admin has access (end user does not have admin access). Will this
work?
> > > Or will WFP change the access rights back as well?
> > >
> > > If we can do this, is there any way to automate setting, say, 20 files
> > > to these permissions without having to manually change the permissions
> > > individually? Like a batch file or something? (Got lots of machines to
> > > do).
> > >
> >
> > Windows File Protection runs most likely under the System account,
> > hence if you include this account in your permissions you won't
> > cause a problem.
> >
> > @echo off
> > cacls %SystemRoot%\system32\regedit.exe /e /r "domain users" /d SomeUser
/g
> > system:F
> > cacls %SystemRoot%\system32\eventvwr.exe /e /r "domain users" /d
SomeUser /g
> > system:F
> > etc.
> >
> > You have to check your current permissions to come up with
> > the correct switches. When you get it right, run the batch file
> > from your own machine, using psexec.exe (www.sysinternals.com).
>
> Thansk for the help.
>
> Could I use :-
>
> cacls <filename> /d <groupname>
>
> or do I have to specify exact user name?
>
> Can u use wildcards to specify ALL users ?
>

You can use user names or group names.
Wildcards are not acceptable.
"Everyone" is a valid group.

> You can use user names or group names.
> Wildcards are not acceptable.
> "Everyone" is a valid group.

Thanks one again.

So could I deny "Everyone" access and then explicitly grant access to a
user called "admin" (or by denying everyone I'd lose the right to
change permissions for all users including admin ?)

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> > You can use user names or group names.
> > Wildcards are not acceptable.
> > "Everyone" is a valid group.
>
> Thanks one again.
>
> So could I deny "Everyone" access and then explicitly grant access to a
> user called "admin" (or by denying everyone I'd lose the right to
> change permissions for all users including admin ?)
>

Denying access to "everyone" is not a good idea, for
the reasons you mention. You can actually recover
from this situation by seizing ownership of the folder.