This article explains how to retrieve the security settings of a file or folder so that they can be applied from a script.
The script can then be added to the package, for example as a custom action.

1. Security VBScript
To grant permissions on files or folders, a script of the following kind can be used.
PackInventory="PackageName"
DestinationLog = "C:\temp"
DestinationFolder = "C:\temp"
Set fso = CreateObject("Scripting.FileSystemObject")
Set WshShell = CreateObject("wscript.shell")
Set WshUsrEnv = WshShell.Environment("Process")
InfFile = PackInventory & "-Security.inf"
LOGFILE=chr(34) & DestinationLog & "\" & PackInventory & "-Security.log" & chr(34)
EDBFILE=chr(34) & DestinationLog & "\" & PackInventory & "-Security.edb" & chr(34)
'INF file creation
Set FileCreation = fso.CreateTextFile(DestinationFolder&"\"&InfFile, True)
FileCreation.WriteLine("[Unicode]")
FileCreation.WriteLine("Unicode=yes")
FileCreation.WriteLine("[Version]")
FileCreation.WriteLine("signature=" & chr(34) & "$CHICAGO$" & chr(34))
FileCreation.WriteLine("Revision=1")
FileCreation.WriteLine("[File Security]")
FileCreation.WriteLine(chr(34) & "%ProgramFiles%\Soft\Folder" & chr(34) & ",0," & chr(34) & "D:AR(A;OICI;0x1301bf;;;BU)" & chr(34))
FileCreation.WriteLine(chr(34) & "%SystemRoot%\system32\File" & chr(34) & ",0," & chr(34) & "D:AR(A;;0x1301bf;;;BU)" & chr(34))
FileCreation.Close
'INF file execution
ExecuteInf = "secedit /configure /DB " & EDBFILE & " /CFG " & chr(34) & DestinationFolder & "\" & InfFile & chr(34) & " /areas FILESTORE /log " & LOGFILE
WshShell.Run ExecuteInf, 1, True
'INF file deletion
fso.DeleteFile(DestinationFolder&"\"&InfFile)

In this example, the “D:AR(A;OICI;0x1301bf;;;BU)” setting grants full access to all users.
The question is how to determine that setting…

2. Retrieving Security Settings
To retrieve the security settings of a file or folder, Windows Security Templates can be used.
In Windows 7, the security template INF file is the following:
“C:\Windows\inf\defltbase.inf”
- Copy defltbase.inf to a working directory (for example C:\Workdir)
- Launch the mmc console
- File > Add/Remove Snap-in…
- Select “Security Templates” and add it
- Right click “Security Template” > New Template Search Path… and indicate the location of the copied defltbase.inf file
- Right click “File System” > Add File…
- Select a file (it can be any file, because we just want to retrieve security settings). For example: “C:\workdir\SecurityTest.txt”
- Set the security settings (for example, full access for administrators and only read access for users), then click Apply and OK
- Select “Propagate inheritable permissions to all subfolders and files” and click OK
- The file appears in the list
- Right click “defltbase” > Save as
- Save the INF file (for example SecurityTest.inf)
- Edit the generated INF file
- In the “File Security” section, find the line corresponding to the file and retrieve the security settings.
- Copy and paste the setting into the script.
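
Before pasting a retrieved setting into the script, it helps to decode what the string grants and to whom. The Python below is an added example, not part of the original article: the function names and the second sample string are constructed here, and it assumes a DACL-only string whose rights are a hex mask or the FA/FR/FW/FX aliases.

```python
import re
# File access-mask bits (values from winnt.h).
BITS = {0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData", 0x8: "ReadEA",
        0x10: "WriteEA", 0x20: "Execute", 0x40: "DeleteChild",
        0x80: "ReadAttributes", 0x100: "WriteAttributes", 0x10000: "Delete",
        0x20000: "ReadControl", 0x40000: "WriteDAC", 0x80000: "WriteOwner",
        0x100000: "Synchronize"}
# SDDL two-letter file rights, and the usual names for common masks.
ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
NAMED = {0x1F01FF: "FullControl", 0x1301BF: "Modify",
         0x1200A9: "ReadAndExecute", 0x120089: "Read"}
# Broad trustees (Users, Everyone, Authenticated Users); bits that change data or ACL.
BROAD = {"BU", "WD", "AU"}
WRITE_BITS = 0x2 | 0x4 | 0x40 | 0x10000 | 0x40000 | 0x80000

def parse_mask(text):
    """Accept a hex mask (0x1301bf) or concatenated aliases (FRFX)."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    pairs = [text[i:i + 2] for i in range(0, len(text), 2)]
    if not pairs or any(p not in ALIASES for p in pairs):
        raise ValueError("unsupported rights string: %r" % text)
    mask = 0
    for p in pairs:
        mask |= ALIASES[p]
    return mask

def decode_dacl(sddl):
    """Return (dacl_flags, [ace dicts]) for a string from [File Security]."""
    m = re.fullmatch(r"D:([A-Z]*)((?:\([^()]*\))+)", sddl)
    if not m:
        raise ValueError("not a DACL-only SDDL string: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        ace_type, flags, rights, _, _, trustee = body.split(";")  # 6 fields or ValueError
        mask = parse_mask(rights)
        aces.append({
            "type": ace_type, "inherit": flags, "trustee": trustee, "mask": mask,
            "name": NAMED.get(mask, hex(mask)),
            "rights": [n for b, n in BITS.items() if mask & b],
            "broad_write": ace_type == "A" and trustee in BROAD and bool(mask & WRITE_BITS),
        })
    return m.group(1), aces

if __name__ == "__main__":
    # The article's string, then one constructed for comparison.
    for s in ("D:AR(A;OICI;0x1301bf;;;BU)", "D:PAR(A;;FA;;;BA)(A;;0x1200a9;;;BU)"):
        for ace in decode_dacl(s)[1]:
            print(s, ace["trustee"], ace["name"], "BROAD WRITE" if ace["broad_write"] else "")
```

An ACE reported with `broad_write` set gives ordinary accounts write or delete rights on the target, which is worth reviewing when the path is under %ProgramFiles% or %SystemRoot%.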








