SCCM 2012 Deployment: How to change security permissions on a specific folder using icacls with application detection rules


Problem Description:

Users (AD security group: eskonr\Domain Users) from a specific project in the organization do not have admin privileges on their computers (don't ask why). I have an application (Matrix) which is installed using Configuration Manager 2012, and users have been using this application for their daily routine activities without any issues so far (without admin rights).

Recently, due to a project requirement, they need full permissions on specific folders (C:\Program Files\matrix\3D or whatever) to modify some files and settings to get the application working.

To grant full permissions, or the required permissions, on specific folders to domain users or project users, you can use the built-in Windows command-line tool icacls.exe (displays or modifies discretionary access control lists).

I use this command line (icacls) to set permissions on a specific folder, but I need to check whether the OS architecture is x86 or x64, because the installation directory for this application varies.

To learn more about the available syntax for icacls.exe, run icacls.exe /? from cmd.exe.

Below is the batch script that checks whether the architecture is 32- or 64-bit and then grants the required permissions to the specific folders.

@Echo off
REM Provide full security permissions to domain users on the 3D and Client folders
REM The 32-bit application lands under "Program Files (x86)" on a 64-bit OS,
REM so the presence of that folder tells us which install path to use.

If exist "C:\Program Files (x86)\matrix" (GOTO 64BIT) ELSE (GOTO 32BIT)

:32BIT
REM /grant:r replaces any existing explicit grant for the group;
REM (OI)(CI) makes the entry inherit to files and subfolders, F = full control
icacls "c:\Program Files\matrix\3D" /grant:r "eskonr\Domain Users":(OI)(CI)F
icacls "c:\Program Files\matrix\Client" /grant:r "eskonr\Domain Users":(OI)(CI)F
GOTO END

:64BIT
icacls "c:\Program Files (x86)\matrix\3D" /grant:r "eskonr\Domain Users":(OI)(CI)F
icacls "c:\Program Files (x86)\matrix\Client" /grant:r "eskonr\Domain Users":(OI)(CI)F
GOTO END

:END

Where eskonr is the domain and Domain Users is the AD security group.

Note: You can also do this job using a Configuration Item, but I like this way.

So now I can take this script and deploy it using Configuration Manager, either as an application deployment or as a package (legacy method).

Using the legacy method it is easy and straightforward, but if I want to deploy this as an application, I need to create a detection rule before this script runs.

Note: If you set something in the detection rule that never detects, the detection rule will always report unknown and the script will run (even though the folder already has the required permissions set), which does no harm to the already granted permissions.

For detecting the application's security rights, I need to create a custom script or similar, since the default detection rules (file, registry and MSI) do not work in this case.

Below is the PowerShell script to detect whether the security permissions are already set or not.

PowerShell script to detect the security permissions:

# Detection script: ConfigMgr treats any text on STDOUT (with exit code 0)
# as "installed", so only write something when the grant is already present.
If (Test-Path -Path "c:\Program Files\matrix")
{
    $File = "c:\Program Files\matrix\3D"
    $User = "eskonr\Domain Users"

    # Look for an Allow entry for the group that carries FullControl
    # (a Deny entry with the same rights must not count as "set")
    if (((Get-Acl $File).Access | ?{ $_.IdentityReference -eq "$User" -and $_.AccessControlType -eq 'Allow' }).FileSystemRights -match 'FullControl')
    {
        Write-Host "Permissions set"
    }
}
if (Test-Path -Path "c:\Program Files (x86)\matrix")
{
    $File = "c:\Program Files (x86)\matrix\3D"
    $User = "eskonr\Domain Users"

    if (((Get-Acl $File).Access | ?{ $_.IdentityReference -eq "$User" -and $_.AccessControlType -eq 'Allow' }).FileSystemRights -match 'FullControl')
    {
        Write-Host "Permissions set"
    }
}

You can shorten the above PowerShell script if you are good at it.
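As an added example (my own code, not the post's script), here is one way to fold the detection into a single script that checks both folders the batch file grants (3D and Client) on either architecture and verifies the exact entry that icacls (OI)(CI)F creates. The domain, group and folder names are assumed from the post.

```powershell
# Added example: one ConfigMgr detection script for both folders on either
# architecture. Assumption: names below are the ones used in the post.
$Group   = 'eskonr\Domain Users'
$Folders = @('3D', 'Client')
# Literal paths rather than $env:ProgramFiles: a 32-bit PowerShell host on a
# 64-bit OS sees that variable redirected to "Program Files (x86)".
$Roots   = @('C:\Program Files\matrix', 'C:\Program Files (x86)\matrix')

function Test-FullControlGrant {
    param([string]$Path, [string]$Identity)
    if (-not (Test-Path -Path $Path)) { return $false }
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    # Require an explicit (non-inherited) Allow entry for the group with full
    # control that propagates to subfolders and files, i.e. what (OI)(CI)F
    # produced. A Deny entry or an inherited entry must not count as "set".
    $match = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        -not $_.IsInherited -and
        ($_.FileSystemRights -band $full) -eq $full -and
        $_.InheritanceFlags -eq $inherit
    }
    return [bool]$match
}

# Pick whichever install root exists on this machine.
$Root = $Roots | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
if (-not $Root) { exit 0 }    # not installed: no output means "not detected"

$allSet = $true
foreach ($Folder in $Folders) {
    if (-not (Test-FullControlGrant -Path (Join-Path $Root $Folder) -Identity $Group)) {
        $allSet = $false
    }
}

# ConfigMgr reads any STDOUT text with exit code 0 as "installed"; stay
# silent otherwise so the icacls script gets (re)run.
if ($allSet) { Write-Output 'Permissions set' }
exit 0
```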
