SCCM 2012 Deployment: How to change security permissions on a specific folder using icacls, with Application detection rules

By Eswar Koneti, January 26, 4:15 pm (CM2012)
    Problem Description:

Users (members of the AD security group eskonr\Domain Users) working on a specific project in the organization do not have admin privileges on their computers (don't ask why). I have an application (Matrix) that is installed using Configuration Manager 2012, and users have been using it for their daily work without any issues so far (without admin rights).

Recently, due to a project requirement, they need full permissions on specific folders (C:\Program Files\matrix\3D, for example) so they can modify some files and settings to get the application working.

To grant full (or the required) permissions on specific folders to domain users or project users, you can use the built-in Windows command-line tool icacls.exe (displays or modifies discretionary access control lists, DACLs).

A caveat before doing this: Full Control on a folder under Program Files lets every member of the group create, replace and delete files there. If the application loads executables or DLLs from that folder, a member could swap in their own binary, so keep the grant as narrow as the requirement allows. Prefer a dedicated project group over Domain Users (every domain account is a member of that group), and Modify (M) over Full Control (F) if the users only need to edit files and not change permissions or ownership.

I use icacls to set permissions on the folder, but I first need to check whether the OS architecture is x86 or x64, because the installation directory for this application varies with it: a 32-bit application is installed under C:\Program Files (x86) on 64-bit Windows and under C:\Program Files on 32-bit Windows.

For the available icacls.exe syntax, run icacls.exe /? from cmd.exe.

Below is the batch script that checks whether the architecture is 32- or 64-bit and then grants the required permissions on the folders.

    @Echo off
    REM Grant Full Control on the matrix 3D and Client folders to domain users.
    REM A 32-bit application installs under "Program Files (x86)" on 64-bit
    REM Windows and under "Program Files" on 32-bit Windows, so pick the path
    REM that exists. (OI)(CI) makes the ACE inherit to files and subfolders;
    REM /grant:r replaces any existing explicit ACE for the group.

    If exist "C:\Program Files (x86)\matrix" (GOTO 64BIT) ELSE (GOTO 32BIT)

    :32BIT
    icacls "C:\Program Files\matrix\3D" /grant:r "eskonr\Domain Users":(OI)(CI)F
    icacls "C:\Program Files\matrix\Client" /grant:r "eskonr\Domain Users":(OI)(CI)F
    GOTO END

    :64BIT
    icacls "C:\Program Files (x86)\matrix\3D" /grant:r "eskonr\Domain Users":(OI)(CI)F
    icacls "C:\Program Files (x86)\matrix\Client" /grant:r "eskonr\Domain Users":(OI)(CI)F
    GOTO END

    :END
    REM Return the last icacls exit code so Configuration Manager sees a failure.
    exit /b %ERRORLEVEL%

Where eskonr is the domain and Domain Users is the AD security group.

Note: You can also do this with a Configuration Item (compliance settings), but I like this way.

Now I can take this script and deploy it with Configuration Manager, either as an Application or as a Package (the legacy method).

The legacy method is easy and straightforward, but if I want to deploy this as an Application, I need a detection rule: it runs before the script to decide whether the change is needed and again afterwards to confirm it was applied.

Note: If you put something in the detection rule that never detects, the application is always reported as not installed, so the script runs at every evaluation and, because the application is not detected after installation, the deployment is reported as failed. Re-running the script does no harm to permissions that were already granted, but the reporting is wrong.

To detect security permissions I need a custom script, since the built-in detection methods (file, registry and Windows Installer product code) cannot evaluate an ACL.

Below is the PowerShell script that detects whether the security permissions are already set. A PowerShell detection script reports "installed" by writing something to STDOUT and exiting with code 0; if it writes nothing, the application is treated as not installed.

PowerShell script to detect the security permissions:

    # Detection script: write to STDOUT (and exit 0) only when the ACE for the
    # group is already present on the 3D folder; no output means "not installed".
    $User  = "eskonr\Domain Users"
    $Roots = @("C:\Program Files\matrix", "C:\Program Files (x86)\matrix")

    foreach ($Root in $Roots)
    {
        if (Test-Path -Path $Root)
        {
            $File = Join-Path -Path $Root -ChildPath "3D"
            # Pick the ACEs that belong to the group and look for Full Control.
            $Ace  = (Get-Acl -Path $File).Access | Where-Object { $_.IdentityReference.Value -eq $User }
            if ($Ace.FileSystemRights -match 'FullControl')
            {
                Write-Output "Permissions set"
            }
        }
    }

You can shorten the above PowerShell script further if you are good at it.
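As an added example (this is not code from the original post), here is a stricter version of the detection check together with an idempotent grant step that serves both halves of the post: the icacls deployment script and the detection script. Matching the string 'FullControl' would also accept a Deny ACE or an ACE without inheritance, so the check compares the ACE type, identity, rights and inheritance flags individually, and it returns "not installed" when no install folder exists at all. The group and folder names are the ones used in the post; the function names Test-FolderAce, Grant-FolderAce and Test-MatrixPermissions are my own and are assumptions, as is the use of the ProgramFiles environment variables instead of hard-coded drive paths.

```powershell
# Added example (not from the original post). Stricter detection check for the
# icacls grant above, plus an idempotent grant that only calls icacls when the
# ACE is missing. Names below are assumptions: the group and folders are the
# ones used in the post; the function names are mine.
using namespace System.Security.AccessControl

$Group      = 'eskonr\Domain Users'          # assumption: group from the post
$Required   = [FileSystemRights]::FullControl
$SubFolders = @('3D', 'Client')

# Candidate install roots. ${env:ProgramFiles(x86)} is $null on 32-bit Windows,
# so only build that path when the variable exists.
$InstallRoots = foreach ($base in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if ($base) { Join-Path -Path $base -ChildPath 'matrix' }
}

function Test-FolderAce {
    # True when the folder carries an Allow ACE for $Identity that grants at
    # least $Rights and inherits to subfolders (CI) and files (OI), which is
    # what "icacls /grant:r Identity:(OI)(CI)F" produces. Inherited ACEs count
    # as well, so an ACE set on the parent matrix folder also satisfies it.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [FileSystemRights] $Rights
    )
    $wantedFlags = [InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $acl = Get-Acl -LiteralPath $Path
    $match = $acl.Access | Where-Object {
        $_.AccessControlType -eq [AccessControlType]::Allow -and
        $_.IdentityReference.Value -eq $Identity -and
        ($_.FileSystemRights -band $Rights) -eq $Rights -and
        ($_.InheritanceFlags -band $wantedFlags) -eq $wantedFlags
    }
    return [bool] $match
}

function Grant-FolderAce {
    # Same change the batch script makes, but only when it is not already in
    # place. /grant:r replaces any existing explicit ACE for the identity
    # instead of stacking a second one. Returns what was done.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity
    )
    if (Test-FolderAce -Path $Path -Identity $Identity -Rights $Required) {
        return 'already set'
    }
    & icacls.exe $Path /grant:r "${Identity}:(OI)(CI)F" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed on '$Path' with exit code $LASTEXITCODE"
    }
    return 'granted'
}

function Test-MatrixPermissions {
    # Detection logic: every install root that exists must have every target
    # subfolder ACLed. Returns $false if nothing could be checked, so a machine
    # without the application is reported as "not installed", not as compliant.
    param(
        [string[]] $Roots, [string[]] $Folders,
        [string] $Identity, [FileSystemRights] $Rights
    )
    $checked = 0
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($sub in $Folders) {
            $target = Join-Path -Path $root -ChildPath $sub
            if (-not (Test-Path -LiteralPath $target)) { return $false }
            if (-not (Test-FolderAce -Path $target -Identity $Identity -Rights $Rights)) {
                return $false
            }
            $checked++
        }
    }
    return ($checked -gt 0)
}

# Configuration Manager detection contract: write something to STDOUT only when
# the change is present and let the script end normally (exit code 0); writing
# nothing means "not installed".
if (Test-MatrixPermissions -Roots $InstallRoots -Folders $SubFolders -Identity $Group -Rights $Required) {
    Write-Output 'Permissions set'
}
```

Use the bottom part as the detection script of the deployment type. For the install step, call Grant-FolderAce for each subfolder under the install root that exists; because it tests first, re-running the install is harmless and the detection script will report the same result that Grant-FolderAce checked.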
