Can't add permissions to %windir%

  • Question

  • I created an image using ICE and it deployed just fine. The issue I have is that I can't modify or add new security permissions to anything in the %windir% directory. I'm logged in as administrator and I still can't do it. Not sure what I need to do to be able to modify the security settings.
    Monday, October 25, 2010 10:42 PM

Answers

  • An update:

    It turns out that the owner of the entire windir is TrustedInstaller. I guess that is done to protect the dir from malicious programs making changes. The issue is that the permissions set for the user accounts are extremely restrictive so in my case, I couldn't even run ASP.net because the .net framework directory didn't have execute permissions. I need to learn more about TrustedInstaller and how to work with it as it seems to be a good thing so that the windir can remain locked down but there seems to be little to no documentation about it.

    Anyhow, for others who are struggling with this, you basically have to change the ownership of the windir (or the specific folder you are interested in) to a user or group of your choice by going to the folder and selecting properties -> security -> advanced -> owner tab and changing the ownership of the folder. Make sure to check the "Replace owner on subcontainers and objects" if you want to change the ownership of the subdirectories as well. Once this is done, you'll be able to change the permissions of the folder as long as you are logged in with an account that is the owner of the folder.

    • Marked as answer by xAragornx Wednesday, October 27, 2010 12:05 PM
    Tuesday, October 26, 2010 12:31 PM
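
    The ownership change described in the answer above, scripted for a single folder so that the original owner (normally TrustedInstaller) is put back once the permission has been added. This is an added example, not part of the original post; the function name, the folder and the account in the usage comment are hypothetical, and it assumes an elevated PowerShell prompt with the built-in `takeown.exe` and `icacls.exe` tools.

```powershell
# Added example: grant one account access to one folder under %windir%,
# then hand ownership back to whoever owned it before.
# Run from an elevated PowerShell prompt.
function Grant-FolderAccessKeepOwner {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,      # folder to change
        [Parameter(Mandatory = $true)] [string] $Identity,  # account or group to grant
        [string] $Rights = 'RX'                             # icacls simple right (read and execute)
    )

    # Record the current owner so it can be restored afterwards.
    $originalOwner = (Get-Acl -Path $Path).Owner
    Write-Host "Original owner: $originalOwner"

    # Take ownership for the Administrators group (/A), this folder only.
    # No /R switch: subfolders and files keep their existing owner.
    takeown.exe /F $Path /A | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed for $Path" }

    try {
        # (OI)(CI) makes the new entry inherit to files and subfolders.
        icacls.exe $Path /grant "${Identity}:(OI)(CI)$Rights" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed for $Path" }
    }
    finally {
        # Restore the recorded owner even if the grant failed.
        icacls.exe $Path /setowner $originalOwner | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Could not restore owner '$originalOwner' on $Path"
        }
    }

    # Return the resulting owner and access list for review.
    Get-Acl -Path $Path | Select-Object Owner, AccessToString
}

# Usage (hypothetical folder and account, replace with your own):
# Grant-FolderAccessKeepOwner -Path "$env:windir\ExampleFolder" -Identity 'BUILTIN\Users'
```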

All replies

  • It turns out my issue is ASP.net specific. I guess the security settings are pretty standard across win7 and I didn't really need to modify them. I'm still stuck as I can't execute my ASP.net app but I will post the issue on another thread.
    Tuesday, October 26, 2010 2:02 PM