ChangeNTFSSecurity
Change NTFS Permissions on NTFS Partitions
Definition
Change NTFS Permissions on NTFS Partition.
Use this command to change the access permissions at directory and file level in NTFS partitions for local drives and shared network directories.
The command is language-independent.
In case an error occurs when running this command, you can specify the option Stop script on error in the Script Editor. If the error actually occurs, the script stops, thus preventing subsequent errors, and the associated policy is shown as not compliant.
This also applies if you set the package property Error handling to Always terminate script on error (a default setting for new packages).
Settings
Input
Directory
Specify the name of the directory whose access permissions you want to change.
Options
Change directory attributes
Changes the access permissions at directory level. The changes have no effect on the access permissions of existing files.
Include subdirectories
Changes the access permissions of all subdirectories.
Don't change inherited container ACE
Leaves the permissions for all newly created files (file inherit ACE) of the selected directory as is, regardless of the new directory permissions (container ACE).
Set file attributes
Changes the access permissions at file level.
In the Files text box you can enter the required file specifications.
Enter a blank, a semi-colon, a dot or inverted commas to separate multiple file name specifications. Please also note the following:
If a file name already contains blanks or dots, enter each file name in inverted commas to guarantee exact identification.
If you want to specify individual permissions for files and directories separately, specify each permission using an individual command.
Disable file direction on x64 machines
For reasons of compatibility, Ivanti DSM maps file and registry access to the default storage location for 32-bit applications (provided that the storage location differs from that of 64-bit applications).
File access: whenever a 32-bit application attempts to access %windir%\System32, the access is redirected to %windir%\SysWOW64.
Registry commands: when accessing HKEY_LOCAL_MACHINE\SOFTWARE, the calls are redirected to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node.
The x64 switch stops this redirection of file and registry accesses when running the script command on an x64 computer; the eScript command runs on the specified path.
CallScript command: the script runs in a 64-bit process.
Mode
With the Mode options you can add entries from the user and group list to the access permissions or remove or replace them.
The following options are available:
- Add, replace inherited access permissions
Use this option to add the entries from the user and group list to the existing access permissions.
If a user or a group already has an inherited access permission, the system changes it to a local access permission. All of the other inherited access permissions are changed accordingly to local access permissions.
- Add, keep inherited access permissions
With this option you can add the entries from the user and group list to the local access permissions and/or change them.
Inherited access permissions that already exist for a user or a group remain without being changed.
- Remove
The permissions that exist for entries on the user or group list are removed from the existing access permissions.
If a user or a group already has an inherited access permission, the system changes it to a local access permission. All of the other inherited access permissions are changed accordingly to local access permissions.
- Replace all
The entries from the user and group list replace the existing access permissions completely.
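The four modes can be approximated with the .NET ACL classes in PowerShell, which shows what each one does to inheritance on a directory. This is an added example, not Ivanti DSM code: the function name Set-DirAclMode, its parameters, the scratch directory and the inheritance flags chosen for new entries are assumptions, as is the reading of "Replace all" as also discarding inherited entries.

```powershell
# Added illustration, not Ivanti DSM code. Set-DirAclMode and its parameters are hypothetical.
function Set-DirAclMode {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)]
        [ValidateSet('AddReplaceInherited', 'AddKeepInherited', 'Remove', 'ReplaceAll')]
        [string]$Mode,
        [Parameter(Mandatory)][System.Security.Principal.IdentityReference[]]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadAndExecute'
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path

    if ($Mode -in 'AddReplaceInherited', 'Remove') {
        # Stop inheriting but keep a copy: every inherited ACE becomes a local ACE.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $Path -AclObject $acl
        # Re-read: the copies are only flagged as local once the ACL has been written.
        $acl = Get-Acl -LiteralPath $Path
    }
    elseif ($Mode -eq 'ReplaceAll') {
        # Assumption: stop inheriting without a copy, then drop every local ACE.
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($ace in @($acl.GetAccessRules($true, $false, $sidType))) {
            $acl.RemoveAccessRuleSpecific($ace)
        }
    }
    foreach ($id in $Identity) {
        if ($Mode -eq 'Remove') {
            $acl.PurgeAccessRules($id)      # removes all local ACEs for this identity
        }
        else {
            $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $id, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
            $acl.SetAccessRule($ace)        # adds, or replaces the identity's local Allow ACEs
        }
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Constructed demo on a scratch directory. S-1-5-32-545 is the well-known SID for
# BUILTIN\Users, so the call does not depend on the localized group name.
$dir = New-Item -ItemType Directory -Path (Join-Path $env:TEMP 'acl-mode-demo') -Force
$users = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'
Set-DirAclMode -Path $dir.FullName -Mode AddKeepInherited -Identity $users -Rights Modify
Set-DirAclMode -Path $dir.FullName -Mode AddReplaceInherited -Identity $users
```

The IsInherited column in the output shows the difference between the modes: after AddKeepInherited the parent's entries are still inherited, while after AddReplaceInherited every entry is local and later changes to the parent directory's permissions no longer reach this directory.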
User and Group List
In this list, enter the users or groups that you want to add to, remove from or replace in the access permissions.
Edit the list using the Add... and Remove buttons.
You can change the individual permissions of users or groups directly by clicking Type of access: or, in more detail, by double-clicking them in a separate dialog window.