View Full Version : Set folder permissions with Setup Factory



Ulrich
07-16-2009, 04:38 PM
Hello,

In an attempt to make working with tools like CACLS.exe, XCACLS.vbs (with CScript.exe) and ICACLS.exe a little easier, I have developed a script and built it into a new action. After the installation, you will be able to make calls to the proper application that should be used on the target operating system.

You can fetch the zip file containing the installer, documentation and a small sample project at this address (http://www.mindquake.com.br/files/suf/SetFolderPermissions.zip).

After the scripts were copied into the correct sub folders of Setup Factory, you must add two files to your project:

Add XCACLS.vbs to your list of primer files.
Add SetFolderPermissions.lua to your script files (next to _SUF70_Global_Functions).


Now you are already able to include this new action into your scripts. As soon as you type the dot, the new function will be shown in the drop-down menu, as you can see in this image:

http://www.mindquake.com.br/files/suf/SNAG-090716-05.png

The action wizard makes the passing of the parameters as easy as possible:

Set the user or group that the action should affect:
http://www.mindquake.com.br/files/suf/SNAG-090716-01.png
If you use the options in the drop-down, the corresponding SIDs will be used. (SIDs are security identifiers in Windows operating systems and look like gibberish, such as "S-1-5-20".) This means that when you set "Everybody", it will still work correctly on non-English Windows operating systems, where this user group has a different, localized name.


Now set the operation. Are you giving a new right, or taking something away?
http://www.mindquake.com.br/files/suf/SNAG-090716-02.png


Set the right you want to control, like read, write, execute, full access.
http://www.mindquake.com.br/files/suf/SNAG-090716-03.png


Finally, you may want to set the same rights for child items as well, instead of just the folder.
http://www.mindquake.com.br/files/suf/SNAG-090716-04.png



You can inspect the exact syntax of the command that was created (using CScript.exe or ICACLS.exe) in the installer's log file, so this will allow you to review the parameters (and execute the command manually) if something is not working as you expected.

This script is provided as-is, without guarantees that it will work in every case. I will attempt to fix problems, of course. However, this work is not officially supported by Indigo Rose. You can edit the script and modify it further to fit your requirements.

Ulrich

jassing
07-20-2009, 11:25 AM
Nicely done, and well implemented.

Thank you.
-josh

SetupJuggler
07-27-2009, 09:32 AM
Hi Ulrich,

my Trend Micro OfficeScan alerts me that the downloaded file from "this address" has a potential security risk named "Possible_Movely-1".

So I couldn't check it out.

Greetings,
Udo

Ulrich
07-27-2009, 10:02 AM
Trend Micro is the only vendor constantly identifying setups built with Setup Factory as "possible Movly". Yes, they were contacted by Indigo Rose. Repeatedly.

http://www.virustotal.com/analisis/9e43aa6ecde982f0e78469ae75f0c6dad9e50e970d399bd9d91c4d22e30acacc-1248706331

Ulrich

JXBURNS
07-30-2009, 02:40 AM
Nice one. I have been using XCACLS.vbs on Win2003 servers for ages in SUF but always end up writing the code long hand. This may save me some heartache in remembering the syntax every time.

Thanks - John

Ulrich
08-19-2009, 09:59 AM
Hello,

earlier this week I was informed about a small mistake in my script by a user and have since updated the file available for download. Those who downloaded the script before will need to make a correction manually, or reinstall (http://www.mindquake.com.br/files/suf/SetFolderPermissions.zip) with the corrected version.

In line 138 of the SetFolderPermissions.lua script (that you should find in the Includes\Scripts sub folder of your Setup Factory installation), you might see

sFlag = "/T";

Please modify this line to

sFlag = " /T";

just by inserting a space before the slash.

Ulrich

raconteur
10-08-2009, 04:56 PM
You, sir, are a life-saver. I've been struggling with XP's antiquated ACL and Vista-ish UAC for some time now and have not been able to avoid having customers take post-install steps -- until now. I implemented this action and now life is good again.

RUU7
12-24-2009, 04:36 AM
Hi Ulrich,

that's really great stuff! Thank you for this.

Besides, I've a problem with some folders after the installation.

I did everything like you said in the PDF but the permissions of those folders won't be changed. I don't get why this happened. Maybe you could help me. Here's what I did:

Folder.SetPermissions(SessionVar.Expand("%AppFolder%\cfg\folder"), "Authenticated Users", "Revoke", "Modify", true);
Folder.SetPermissions(SessionVar.Expand("%AppFolder%\cfg\folder"), "Authenticated Users", "Revoke", "Write", true);

I'm not sure at all whether this is right or wrong. I mean this part:

SessionVar.Expand("%AppFolder%\cfg\folder")

I did it in the wrong way, right? ;)

Maybe you can help me. I don't have any clue about it.

Thank you in advance!

-Bobby

JXBURNS
12-24-2009, 05:00 AM
Should be


Folder.SetPermissions(SessionVar.Expand("%AppFolder%\\cfg\\folder"), "Authenticated Users", "Revoke", "Modify", true);
Folder.SetPermissions(SessionVar.Expand("%AppFolder%\\cfg\\folder"), "Authenticated Users", "Revoke", "Write", true);

Note the double backslash

Rgds John

RUU7
12-24-2009, 08:08 AM
Oh, of course, the double backslash!

Thank you very much!

What about file permissions?

artistscope
08-31-2010, 10:31 PM
I'm having a problem with this on Vista Business...


Folder.SetPermissions(foldername, "Everybody", "Grant", "Execute", true);

Only sets permissions as "Special permissions" and not as Execute as expected.

artistscope
09-01-2010, 11:08 PM
Actually, regardless of which user and which permissions are granted, the result is the same each time...

Only sets permissions to "Special permissions" which does not allow write, execute or modify.

Ulrich
09-01-2010, 11:15 PM
You might want to try to execute the command manually - the exact syntax used is written into the log file.

Ulrich

artistscope
09-03-2010, 03:10 AM
You might want to try to execute the command manually
Ulrich

I can't see what that would do as I need the permissions to be set on the user's computer. The application uses an access database and unless the permissions are to modify by Everyone or Authenticated Users, the app won't run unless "Run as Administrator".

Ulrich
09-03-2010, 08:11 AM
It would help you figure out which permissions (command line switches) you would have to set to achieve the results you need. The SetFolderPermissions script is just a user-friendly interface to CACLS/ICACLS, and calling the program directly would be quicker to debug the mistake.

Ulrich

artistscope
09-04-2010, 12:10 AM
Well it seems that the "revoke" command is illegal, so I removed that line and just ran with...


Folder.SetPermissions(foldername, "Authenticated Users", "Grant", "Full", true);

The log reports...

icacls.exe foldername /T /grant User:F /Q

Regardless of whether I set for Modify or Full, it only sets "Special permissions" which are of no use to me. Dunno what the "/Q" at the end is.

artistscope
09-04-2010, 01:12 AM
The script is sort of working... when the permissions are applied by the script to the database folder, the permissions set on the database are ok, but it's the permissions set on the folder that may be the problem... only as "Special permissions" instead of "Full".

Where it causes a problem is that when the app calls the database it creates a .ldb file. Unless I have permissions on the folder for "Full", not running as admin causes a database read error. I can set the permissions manually and everything works ok, but I cannot set the permissions on the folder by script or commandline.

Perhaps the command is missing something.

Epoch18
12-14-2010, 11:02 AM
I'm having problems with this script/addon. I follow the instructions provided and the user/group is added to the list for that folder (if not previously there), however the actual permissions are not there. If the code applies to a user/group that already exists on that folder, then no change is made at all.


Folder.SetPermissions(AppFolder, "Users", "Grant", "Full", true);

I'm using Setup Factory 8 on Windows 7 Ultimate.

Am I doing something wrong? Thanks.

Ulrich
12-14-2010, 11:12 AM
What is the actual command that is executed, as written into the log file?

Ulrich

Epoch18
12-14-2010, 11:25 AM
Log file states:

C:\Windows\system32\icacls.exe "C:\TestApp1" /T /grant "Users":F /Q

But shouldn't it be...?:

C:\Windows\system32\icacls.exe "C:\TestApp1" /grant:r "Users":(OI)(CI)F

If I type that second line into a command prompt manually, it works. Is this a difference in Windows 7 or something? I really don't know.

Ulrich
12-14-2010, 11:38 AM
The ":r" will cause the current access rights to be replaced with the new setting, instead of adding the new right to the current ones. You can add the "(OI)(CI)" to the parameters by editing the script, if you wish to set the inheritance rights.

Ulrich

Epoch18
12-14-2010, 12:18 PM
Well, the two lines are different enough to make me believe that I've done something wrong with the first one. Also because one works and the other doesn't. Any idea why the first line (which is from the GUI that you made) isn't working?

Also, how would I manually apply a command myself? I tried this (below) but it did not work.

File.Run("ICACLS.exe", "/grant:r \"Users\":(OI)(CI)F", "C:\\Windows\\System32", SW_MINIMIZE, true);

Ulrich
12-14-2010, 12:38 PM
You need to specify the full path to the program, not just its name. You can see in the script how it should be done.

Ulrich

Epoch18
12-14-2010, 05:06 PM
Got it. Thanks!
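
Added example, not part of any post above and not taken from SetFolderPermissions.lua: a Lua helper that builds the icacls arguments discussed in the last posts (a SID instead of a localized group name, "(OI)(CI)" inheritance so files created later inherit the entry, optional "/grant:r") and runs icacls.exe by its full path. The helper and table names, the sample data folder and the %SystemFolder% session variable are assumptions.

```lua
-- Added example: helper and table names are hypothetical.
local SIDS = {  -- well-known SIDs, independent of the Windows display language
  ["Authenticated Users"] = "*S-1-5-11",      -- icacls takes a SID with a leading *
  ["Users"]               = "*S-1-5-32-545",
}
-- icacls simple rights: read, read+execute, write, modify, full control.
local RIGHTS = { Read = "R", Execute = "RX", Write = "W", Modify = "M", Full = "F" }

-- Returns the icacls argument string, or nil plus an error message.
-- inherit=true adds (OI)(CI): object inherit + container inherit.
-- replace=true emits /grant:r, which replaces the trustee's explicit rights.
local function BuildIcaclsArgs(folder, trustee, right, inherit, replace)
  local sid, code = SIDS[trustee], RIGHTS[right]
  if not sid then return nil, "unknown trustee: " .. tostring(trustee) end
  if not code then return nil, "unknown right: " .. tostring(right) end
  if type(folder) ~= "string" or folder == "" then
    return nil, "folder path missing"
  end
  -- A quote or line break would break out of the quoted argument; a
  -- percent sign means a session variable was left unexpanded.
  if folder:find('["%%\r\n]') then return nil, "unsafe folder path" end
  -- A trailing backslash would escape the closing quote on the command line.
  if folder:sub(-1) == "\\" then return nil, "path must not end with a backslash" end
  local ace = sid .. ":" .. (inherit and "(OI)(CI)" or "") .. code
  local verb = replace and "/grant:r" or "/grant"
  return string.format('"%s" %s %s /Q', folder, verb, ace)
end

-- Constructed sample: grant Modify on a data sub folder only, not on the
-- folder that holds the program's executables.
local args, err = BuildIcaclsArgs("C:\\TestApp1\\cfg", "Authenticated Users",
                                  "Modify", true, false)
if not args then error(err) end
print(args)

-- Inside Setup Factory (assumption: %SystemFolder% is defined there), run
-- icacls.exe by its full path, as advised in the thread.
if File and SessionVar then
  local sysdir = SessionVar.Expand("%SystemFolder%")
  File.Run(sysdir .. "\\icacls.exe", args, sysdir, SW_MINIMIZE, true)
end
```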