Answer the question
In order to leave comments, you need to log in
I
I
Innokenty2022-02-15 17:22:27
Innokenty, 2022-02-15 17:22:27
How to set permissions via icacls?
To limit the user's ability to install and run "left" certificates from tokens, the write rights to the %appdata%\Microsoft\SystemCertificates\My\Certificates directory were limited, which did not allow even the inserted tokens to be used, except for what was already written to the folder.
Now it is necessary to make the same restriction, but with the help of a .bat file, through trial and error, I came up with a command like:
icacls %appdata%\Microsoft\SystemCertificates\My\Certificates /deny %username%:(OI)(CI)(W) /T /C /L /QThis command gives an error "permission denied" on attached files
C:\Users\seregina>icacls %appdata%\Microsoft\SystemCertificates\My\Certificates /deny %username%:(OI)(CI)(W) /T /L
processed file: C:\Users\seregina\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates
C:\Users\seregina\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\*: Permission denied.
Successfully processed 1 files; failed to process 1 files
If you look through the graphical interface, then all the rights are the same, but you can not enter the Certificates folder. And the system does not see the certificate.
Basic folder permissions:
C:\Users\seregina\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates NT AUTHORITY\СИСТЕМА:(I)(OI)(CI)(F)
BUILTIN\Администраторы:(I)(OI)(CI)(F)
CompName\seregina:(I)(OI)(CI)(F)
Обязательная метка\Средний обязательный уровень:(NW)
Успешно обработано 1 файлов; не удалось обработать 0 файловRights when using the explorer, the system sees the certificate, you can use:
C:\Users\seregina\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates CompName\seregina:(OI)(CI)(DENY)(W)
NT AUTHORITY\СИСТЕМА:(I)(OI)(CI)(F)
BUILTIN\Администраторы:(I)(OI)(CI)(F)
CompName\seregina:(I)(OI)(CI)(F)
ЦЕНТР ПАКЕТОВ ПРИЛОЖЕНИЙ\Программные или аппаратные сертификаты, смарт-карта:(I)(OI)(CI)(RX)
Обязательная метка\Средний обязательный уровень:(NW)
Успешно обработано 1 файлов; не удалось обработать 0 файловPermissions when using the icacls command, the certificate is not visible to the system:
C:\Users\seregina\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates CompName\seregina:(OI)(CI)(DENY)(W)
NT AUTHORITY\СИСТЕМА:(I)(OI)(CI)(F)
BUILTIN\Администраторы:(I)(OI)(CI)(F)
CompName\seregina:(I)(OI)(CI)(F)
Обязательная метка\Средний обязательный уровень:(NW)
Успешно обработано 1 файлов; не удалось обработать 0 файловWhere can the catch lie and why, with identical rights, the result is completely different?
APP PACKAGE CENTER \ Software or hardware certificates, smart card: (I) (OI) (CI) (RX) When using the explorer, it was not possible to call it again, perhaps this is due to the crypt accessing the folder during the next check
I will add that if, after executing the command, manually go into security and change anything, then return it back, the folder becomes available, and the system sees the certificate
1 answer(s)
@Kosyachella
I
Innokenty, 2022-02-16 @Kosyachella
I did not find a solution to the issue using cmd, I solved the problem using the powershell ban script.
$path = "$env:APPDATA\Microsoft\SystemCertificates\My\Certificates"
$user = "$env:UserName"
$Rights = "Write"
$InheritSettings = "Containerinherit, ObjectInherit"
$PropogationSettings = "None"
$RuleType = "Deny"
$acl = Get-Acl $path
$perm = $user, $Rights, $InheritSettings, $PropogationSettings, $RuleType
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $perm
$acl.SetAccessRule($rule)
$acl | Set-Acl -Path $path
Similar questions
I
Irina Kirillova2016-09-13 15:40:18
How to restrict site viewing for everyone except the admin?
2Reply
L
P
G
A
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question