Different ACL on Documents and Settings

Jim

I am missing something .... Using the XP Security Guide
standalone configuration scripts to secure clients in an
NT domain. Regardless, permissions on Documents and
Settings are set to "Everyone" full control. This laptop
has never been used and has all the latest patches. I
believe the setup security template sets this to do not
replace security. This is not right but I've seen other
systems that have Admins and System getting FC, Power
Users get modify and Users get Read and Execute.
Everyone is removed. This is the setup on systems that
have not had anything done to them other than the latest
patches applied.

Can anyone explain why?
 
Roger Abell

I would take a shot at what you are experiencing but I am
not sure that I am following you.
Which script or template is it that you have tried that
reverted the permissions on Documents and Settings
in this way?
The out of the box gives System and Administrators FC,
and gives list/read/execute to Users, Power Users, and
Everyone. However, notice that each profile folder just
within Documents and Settings blocks inheritance so
these settings apply only to the Documents and Settings
folder and the Default User subfolder (that does inherit).
The All Users folder does not inherit but is almost exactly
the same except that Power Users gets Modify.

I am familiar with the templates from the hardening guide
but have not noticed them reverting these to dumb settings.
 
Jim

Thanks. I guess I was not that clear but you did
understand what I was trying to say which I guess comes
from the experience of answering these posts ...

I was setting up the first notebook in preparation for
imaging to others. These are all HP/Compaq notebooks
which have the OEM image. I went through power up, mini
setup and other customization including running the
script from the XP Security Guide. I've now looked at
another system. On this system (which had not had the
security guide changes applied) the root drive and
c:\Documents and Settings have permissions of Everyone
getting FC. Wrong. It looks to me like it is not the
script causing the problem but the initial OEM setup.
The script first reapplies setup security from the
c:\windows\repair\secsetup.inf template. This sets the
root ACL properly and then sets the c:\Documents and
Settings to prevent propagation of changes. The first
time through I would assume this would work fine but
rerunning the setup security is not working because
propagation is inhibited. I have fixed this manually,
however, is there no way to restore file system ACLs as
if it were a clean install? Thanks.
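
Added example, not part of the thread or of the XP Security Guide scripts: a small Python check that parses `cacls`-style output for `C:\Documents and Settings` and flags any entry that exceeds the out-of-the-box permissions described in the reply above. The sample text is constructed, and the mapping of list/read/execute to the `cacls` letter `R` and the coarse rights ordering are assumptions of this sketch.

```python
import re

# Baseline for C:\Documents and Settings as described in the reply above.
# cacls letters: F = full control, C = change (modify), R = read/list/execute.
BASELINE = {
    "NT AUTHORITY\\SYSTEM": "F",
    "BUILTIN\\Administrators": "F",
    "BUILTIN\\Users": "R",
    "BUILTIN\\Power Users": "R",
    "Everyone": "R",
}
RANK = {"N": 0, "R": 1, "W": 2, "C": 3, "F": 4}  # coarse ordering (assumption)
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Z]{2}\))*)(?P<right>[NRWCF])$")

def parse_cacls(output, path):
    """Return {trustee: strongest right} from cacls-style text for one path."""
    aces = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):          # first line carries the path itself
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                       # blank or "special access" lines
        who, right = m["who"], m["right"]
        if who not in aces or RANK[right] > RANK[aces[who]]:
            aces[who] = right
    return aces

def audit(aces, baseline=BASELINE):
    """List (trustee, right, reason) for every entry looser than the baseline."""
    findings = []
    for who, right in sorted(aces.items()):
        allowed = baseline.get(who)
        if allowed is None:
            findings.append((who, right, "not in baseline"))
        elif RANK[right] > RANK[allowed]:
            findings.append((who, right, "exceeds baseline " + allowed))
    return findings

# Constructed sample resembling the OEM image described in the last post.
SAMPLE_PATH = "C:\\Documents and Settings"
SAMPLE = (
    "C:\\Documents and Settings Everyone:(OI)(CI)F\n"
    "                          BUILTIN\\Administrators:(OI)(CI)F\n"
    "                          NT AUTHORITY\\SYSTEM:(OI)(CI)F\n"
)

if __name__ == "__main__":
    for finding in audit(parse_cacls(SAMPLE, SAMPLE_PATH)):
        print(finding)
```
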
 
