Tools to Modify DACL of remote machine

    • #7168
      maddy
      Participant

      Hi,
      I'm in a bit of a situation where most of the machines have been reported with services installed by business applications with improper DACL permissions.
      Authenticated Users may change the configuration of the service. Looking for a tool solution to apply the DACL permissions remotely.

      Thanks in advance

    • #44768
      Triban
      Participant

      Powershell might work so long as you have local admin rights to the system.  There are also some GPO tools as well.

    • #44769
      dynamik
      Participant

      If you can’t use Powershell, psexec and icacls should do the trick.

    • #44770
      l33t5h@rk
      Participant

      @dynamik wrote:

      If you can’t use Powershell, psexec and icacls should do the trick.

      Yep – these can all do it. If you don’t have powershell, figure out what the ACL should look like, write out the icacls.exe command & variables, then save it in a batch file and script it out to the other boxes.

      What OS(es) are involved? All W2K3?

    • #44771
      maddy
      Participant

      Thanks for the reply…
      All the reported boxes are Windows XP SP3

    • #44772
      l33t5h@rk
      Participant

      If you’re just trying to add:
      psexec \\srvName icacls.exe D:\temp\* /grant user-name:(D,GR,X)

      Obviously it will need a little tweaking w/ the switches but this should do you for a starter.

    • #44773
      maddy
      Participant

      Thanks for the response.
      Currently I'm using subinacl.exe for fixing the DACL permissions of services.
      This sounds like a good tool to fix the permissions of services.

    • #44774
      maddy
      Participant

      Since SUBINACL is working fine… looking for proactive solutions via Group Policy… Any suggestions…

    • #44775
      dynamik
      Participant
    • #44776
      tturner
      Participant

      I have a few of these scripts in Powershell I posted to my blog at http://sentinel24.com/blog/?page_id=51 . One example recurses through a file structure and adds permissions for a user

      (FYI – I use the long form for Powershell syntax when writing tutorials but you can make this much shorter using gci, gwmi, ft, etc)

      Get-ChildItem -recurse * | ForEach-Object -process { $_.FullName } | % { c:\subinacl.exe /file $_ /grant=domain\username=F}

      Obviously this won’t work for services, so how to accomplish the same thing?

      First I want to enumerate services, but I want to sort based on startmode and name and suppress everything except for the service name. (no status or table headers for example)

      Get-WmiObject -computer computername win32_service | sort startmode, displayname | Format-Table -property Displayname -HideTableHeaders

      I’m not 100% sure what you are hoping to accomplish here, but if you wanted to add an account entry for each of those you can combine the 2 scripts into something like

      Get-WmiObject -computer computername win32_service | sort startmode, displayname | ForEach-Object -process { $_.Name } | % { "C:\Program Files\Windows Resource Kits\Tools\subinacl.exe /service $_ \\computername\$_ /grant=domain\username=F"}

      http://ss64.com/nt/subinacl.html has additional subinacl syntax and is what I used when writing the scripts at my blog.

      *Edit* While my way is more fun (I am addicted to making Powershell 1 liners!), I’d suggest checking out ajohnson’s suggestion as that’s probably closer to what you are looking for. 🙂
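
An added example, not code from any poster in this thread: a PowerShell audit that parses a service's SDDL security descriptor (the string `sc.exe sdshow` prints) and reports allow ACEs that let broad groups such as Authenticated Users reconfigure the service, which is the condition the original question describes. The function name, the service names and the SDDL strings are constructed for illustration.

```powershell
# Added example. Service names and SDDL strings below are constructed samples.
# For live data, "sc.exe \\HOST sdshow SERVICE" prints the SDDL (HOST and SERVICE
# are placeholders). Rights given in hex form (0x...) are not decoded here.
# Meaning of SDDL rights codes on a service object:
#   DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC, WO = WRITE_OWNER,
#   GA / GW = generic all / generic write (generic write includes change-config)
$RiskyRights   = 'DC', 'WD', 'WO', 'GA', 'GW'
$BroadTrustees = @{ AU = 'Authenticated Users'; WD = 'Everyone'
                    BU = 'Builtin Users';       IU = 'Interactive' }

function Get-RiskyServiceAce {
    param([string]$ServiceName, [string]$Sddl)

    # Take only the DACL ACEs; the SACL ("S:...") holds audit entries, not grants.
    if (-not ($Sddl -cmatch 'D:[A-Z]*((\([^)]*\))+)')) { return }
    foreach ($m in [regex]::Matches($Matches[1], '\(([^)]*)\)')) {
        # ACE layout: type;flags;rights;object_guid;inherit_guid;trustee
        $f = $m.Groups[1].Value.Split(';')
        if ($f.Count -lt 6 -or $f[0] -ne 'A') { continue }   # allow ACEs only
        if (-not $BroadTrustees.ContainsKey($f[5])) { continue }
        # Rights are two-letter codes; read them pair by pair so that
        # "SW" followed by "DT" is not mistaken for "WD".
        $codes = [regex]::Matches($f[2], '[A-Z]{2}') | ForEach-Object { $_.Value }
        $hits  = @($codes | Where-Object { $RiskyRights -contains $_ })
        if ($hits.Count -gt 0) {
            New-Object PSObject -Property @{
                Service = $ServiceName
                Trustee = $BroadTrustees[$f[5]]
                Rights  = $hits -join ','
            }
        }
    }
}

$samples = @{
    # Authenticated Users hold DC (change config): should be reported.
    'VendorSvcA' = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)'
    # Read-only ACE for AU; the SACL entry naming Everyone must be ignored.
    'VendorSvcB' = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;DCWDWO;;;WD)'
}
foreach ($name in $samples.Keys) { Get-RiskyServiceAce $name $samples[$name] }
```

Running the same check again after a subinacl or Group Policy fix confirms that the broad-group grant is gone rather than just changed.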


Copyright ©2020 Caendra, Inc.
