0
I need to make a security group that will grant NTFS permissions on local computers. How can I make a security group that will give Full Control to local folders (e.g. C:\Program Files\Common Files\ and %systemroot%\Temp)? Will I have to go to each computer and change the access controls for each folder?
David Lee
Posted 2016-02-04T17:52:45.807
Reputation: 1
2
No single user account or group has full access to everything. You would need to change the permissions of all files and folders to add full access for this new group. Danger! Blowing away the standard permissions is a great way to cause difficult system problems; you shouldn't do that.
If you're trying to back up and restore files, you should use an actual backup program. Programs running as administrator (or as users that have been delegated the appropriate authority) can enable SeBackupPrivilege, which is an execution mode that allows reads to succeed regardless of ACL, and SeRestorePrivilege, which allows writing anywhere. Read more about privileges at TechNet.
If there are only a couple places you want to get into that only allow access to SYSTEM, you could have admins use PsExec to launch a program as SYSTEM. For example, this creates a command prompt running as SYSTEM:
psexec -s -i cmd.exe
Ben N
Posted 2016-02-04T17:52:45.807
Reputation: 32 973
1Giving Full Control to
../Common Filesis a huge mistake. What problem are you trying to solve by doing that. There is a reason that type of permission, isn't given to users in the Administrator User Group, by default. Besides all users should already have full control over../Tempalready. – Ramhound – 2016-02-04T19:33:41.463