    Icacls: Granting WO access to folder

    • gjacobse

      To 'address' a recent issue that I have learned about (known by IT staff who have been here 2-5 years) I am curious how to address the application needing write access to a %ProgramData% folder.

      It was a two point resolution; meaning that drives needed to be mapped and the user needed write access to the folder in question.

      Mapping a drive is a simple thing,.. quick script using NET USE will address that (which is how I mapped them; net use drive: "\\server\share\path").

      But could I not also address the folder permissions via the same script? It would appear from a 3min GOOGLE that yes, just use icacls.

      The thought process I have would be to run the script as user and admin; user (mapping drive); admin (to set permissions).

      Of course- the other way would be to create a GPO Security group and push it to apply to that folder and use auth\DomainUsers over assigning a single user, as - it's always possible someone else could use the computers.

      ETA: Corrected location.

      • EddieJennings

        Before I can respond to the rest, do you mean %PROGRAMFILES(X86)% or %PROGRAMDATA%?

        • gjacobse @EddieJennings

          @eddiejennings
          Corrected OP

          • EddieJennings

            I don't know the default permissions for this folder off the top of my head, but I'm pretty sure applications either write to this folder or read config files and such from it, so I'm a little surprised you have an application that requires any tinkering with these permissions.

            As far as the title of your post is concerned, yes, icacls is a tool you can use. But there's more to the story it seems. Are you needing to share the %PROGRAMDATA% folder over the network, and users running said application on their workstation can write to this shared folder from within the application?

            • gjacobse @EddieJennings

              @eddiejennings
              Just need to add the user to the folder with write permissions.

              • gjacobse @EddieJennings

                @eddiejennings said in Icacls: Granting WO access to folder:

                But there's more to the story it seems. Are you needing to share the %PROGRAMDATA% folder over the network

                No - the folder doesn't need to be shared. The DB on the server - needs the path mapped.

                • IRJ @gjacobse

                  @gjacobse said in Icacls: Granting WO access to folder:

                  @eddiejennings said in Icacls: Granting WO access to folder:

                  But there's more to the story it seems. Are you needing to share the %PROGRAMDATA% folder over the network

                  No - the folder doesn't need to be shared. The DB on the server - needs the path mapped.

                  Please tell me this is a joke.

                  • IRJ

                    If I'm understanding correctly, this is a huge security risk.

                    Are you considering giving everyone full write access to %PROGRAMDATA%?

                    • IRJ

                      I guess if you just give it to the liberty data folder it's not as bad. It's amazing how shitty software can be though. It sucks that %PROGRAMDATA% folder has been around since Windows 7 and this vendor still can't figure out how to leverage it properly.

                      • gjacobse @IRJ

                        @irj said in Icacls: Granting WO access to folder:

                        @gjacobse said in Icacls: Granting WO access to folder:

                        @eddiejennings said in Icacls: Granting WO access to folder:

                        But there's more to the story it seems. Are you needing to share the %PROGRAMDATA% folder over the network

                        No - the folder doesn't need to be shared. The DB on the server - needs the path mapped.

                        Please tell me this is a joke.

                        Uh - Me thinks that my explanation is missing its mark still -

                        User needs write access to %programdata%\liberty software.

                        User also needs to map two drives (unc\path1 and unc\path2) that are on a server. The folder %programdata%\liberty software is not and does not need to be shared or mapped.

                        Does this clarify things?

                        • Dashrender @gjacobse

                          @gjacobse ug - so it uses Access style DB's... it's not making API calls, it's SMBing to the DB file itself. 😞

                          • EddieJennings

                            I would make a group for the users that need to access this folder (even if it's a group with only one user).

                            User also needs to map two drives (unc\path1 and unc\path2) that are on a server. The folder %programdata%\liberty software is not and does not need to be shared or mapped.

                            User logs into the server (via RDP?), needs two drives mapped to some other locations that's not %PROGRAMDATA%\liberty software, and needs write access to %PROGRAMDATA%\liberty software on the server, correct?

                            • Dashrender @EddieJennings

                              @eddiejennings said in Icacls: Granting WO access to folder:

                              I would make a group for the users that need to access this folder (even if it's a group with only one user).

                              User also needs to map two drives (unc\path1 and unc\path2) that are on a server. The folder %programdata%\liberty software is not and does not need to be shared or mapped.

                              User logs into the server (via RDP?), needs two drives mapped to some other locations that's not %PROGRAMDATA%\liberty software, and needs write access to %PROGRAMDATA%\liberty software on the server, correct?

                              Where did RDP come into this?

                              • gjacobse @EddieJennings

                                @eddiejennings said in Icacls: Granting WO access to folder:

                                I would make a group for the users that need to access this folder (even if it's a group with only one user).

                                User also needs to map two drives (unc\path1 and unc\path2) that are on a server. The folder %programdata%\liberty software is not and does not need to be shared or mapped.

                                User logs into the server (via RDP?), needs two drives mapped to some other locations that's not %PROGRAMDATA%\liberty software, and needs write access to %PROGRAMDATA%\liberty software on the server, correct?

                                No RDP in this case. Locally installed application.
                                Yes - agree that a GPO using a security group would be better -

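
Added example, not part of any post in this thread: one way to script the scoped grant discussed above with icacls, limited to the application's own subfolder of %ProgramData% and given to a security group rather than a single user. The group name `EXAMPLE\LibertyUsers`, the parameter names and the backup file location are assumptions; the folder name is the one given in the thread.

```powershell
# Added example (run from an elevated prompt). Group name is a placeholder.
param(
    [string]$Folder = (Join-Path $env:ProgramData 'liberty software'),  # folder named in the thread
    [string]$Group  = 'EXAMPLE\LibertyUsers',                           # hypothetical security group
    [ValidateSet('M', 'W')]
    [string]$Right  = 'M'   # icacls simple rights: M = modify, W = write-only
)

$ErrorActionPreference = 'Stop'

# Resolve the target and refuse to touch %ProgramData% itself or anything outside it,
# so a bad argument cannot open up the whole tree.
$target = (Resolve-Path -LiteralPath $Folder).Path.TrimEnd('\')
$root   = $env:ProgramData.TrimEnd('\')
if ($target -ieq $root -or
    -not $target.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)) {
    throw "Refusing to change ACLs on '$target': only a subfolder of '$root' is allowed."
}

# Save the current ACLs first. Roll back later with:
#   icacls "<parent folder of the target>" /restore "<backup file>"
$backup = Join-Path $env:TEMP ('acl-backup-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
icacls $target /save $backup /T | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls /save failed with exit code $LASTEXITCODE" }

# Grant the right to the group; (OI)(CI) makes files and subfolders inherit it.
icacls $target /grant "${Group}:(OI)(CI)$Right"
if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed with exit code $LASTEXITCODE" }

# Verify: show the explicit (non-inherited) entries now present for the group.
$entries = (Get-Acl -LiteralPath $target).Access |
    Where-Object { $_.IdentityReference.Value -ieq $Group -and -not $_.IsInherited }
if (-not $entries) {
    Write-Warning "No explicit ACE for '$Group' found on '$target'."
} else {
    $entries | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
}
Write-Host "ACL backup written to $backup"
```

The drive mapping with `net use` stays in the user-context logon script; only this permission change needs elevation, and it only has to run once per machine.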