psimard
Posts: 24
Joined: Tue Apr 24, 2018 8:03 pm

Program Data Security

Hi;

I have an installation that prepares a ProgramData folder for the application to store common data. We are converting our system to run in a non-admin mode and will need to make sure the ProgramData folder is prepared/adjusted to allow all access to a non-admin user. We have found the permission options within the edit folder location. We have adjusted so that the base ProgramData folder is adjusted to allow all data to be accessible at this level and below. We do, though, have scenarios where the program data folder has been prepared on previous installs and files already exist within the ProgramData folder that are not accessible to a non-admin user. When we run after the ProgramData folder access level option has been changed, the already existing files are still left with limited access and cannot be accessed from the non-admin user run.

What we would like to know is - is there a way to prepare the ProgramData folder options and apply to already existing files as well?


Peter
Catalin
Posts: 6600
Joined: Wed Jun 13, 2018 7:49 am

Re: Program Data Security

Hello Peter,

From what I understand here, by preparing you mean giving rights for pretty much all users to access and modify the folder that is supposed to store common data, a folder which is stored in the ProgramData folder (please correct me if I'm wrong).

I have further investigated this and it seems that we do not have predefined support for this.

However, this can be achieved through a custom action. For instance, you can create a PowerShell script, VBScript, etc. that can change the permission on a folder.

Below you can find a script (PowerShell) which you can use for your needs:

# An access control list (ACL) is a list of access control entries (ACE).

# Folder whose ACL is being changed (adjust to your common-data folder)
$path = "C:\Users\Catalin\Desktop\MyFolder"
$acl = Get-Acl -Path $path
$users = [System.Security.Principal.NTAccount]"Builtin\Users"
$access = [System.Security.AccessControl.FileSystemRights]"FullControl"

# the ACE (access control entry) will be inherited by both container objects and leaf objects (aka both folders and files)
$inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
$propagation = [System.Security.AccessControl.PropagationFlags]"None"
$type = [System.Security.AccessControl.AccessControlType]"Allow"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($users, $access, $inheritance, $propagation, $type)
$acl.AddAccessRule($rule)

# write the modified ACL back to the same folder
Set-Acl -Path $path -AclObject $acl

Basically, what you want to achieve can be found in the following line:

$inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"

As I have explained in the code, the access control entry will be inherited by both container objects (folders) and leaf objects (files).

You can add this custom action as a "PowerShellScriptInline".

As you may already expect, modifying privileges requires admin rights, so elevated rights should be provided for the package.

As this custom action modifies the system, its execution time should be "When the system is being modified (deferred)".

Hope this helps.

All the best,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube
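An added example (not Advanced Installer's or Catalin's code) that builds on the answer above and also covers the original question about files left over from earlier installs: it applies the inheritable ACE to the root folder, re-enables inheritance on any existing child whose DACL is protected so that it picks up the new entry, and then lists anything that still lacks the expected access. The folder path, identity and rights are parameters with placeholder defaults; FullControl matches the post, but a narrower right such as Modify is usually enough for a data folder.

```powershell
# Added example; assumes the common-data folder is C:\ProgramData\MyApp (placeholder).
param(
    [string]$Path = 'C:\ProgramData\MyApp',
    [string]$Identity = 'BUILTIN\Users',
    # FullControl as in the post; Modify is often sufficient for data folders.
    [System.Security.AccessControl.FileSystemRights]$Rights = 'FullControl'
)

if (-not (Test-Path -LiteralPath $Path)) {
    New-Item -ItemType Directory -Path $Path | Out-Null
}

# Inheritable ACE: ContainerInherit = subfolders, ObjectInherit = files.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $Identity,
    $Rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# 1. Put the inheritable ACE on the root folder.
$acl = Get-Acl -LiteralPath $Path
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# 2. Existing children only receive the new ACE if they inherit from the parent.
#    Items with a protected DACL (inheritance disabled) keep their old ACL, so
#    re-enable inheritance there; the second argument keeps their explicit ACEs.
Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
    $childAcl = Get-Acl -LiteralPath $_.FullName
    if ($childAcl.AreAccessRulesProtected) {
        $childAcl.SetAccessRuleProtection($false, $true)
        Set-Acl -LiteralPath $_.FullName -AclObject $childAcl
    }
}

# 3. Verify: print every item under $Path that still lacks an Allow ACE
#    for $Identity covering all of $Rights (empty output means success).
Get-ChildItem -LiteralPath $Path -Recurse -Force | Where-Object {
    $matching = (Get-Acl -LiteralPath $_.FullName).Access |
        Where-Object { $_.IdentityReference -eq $Identity -and
                       $_.AccessControlType -eq 'Allow' -and
                       (($_.FileSystemRights -band $Rights) -eq $Rights) }
    -not $matching
} | Select-Object -ExpandProperty FullName
```

Run it elevated (as the deferred custom action above requires); the verification step at the end is the same check you would use to confirm the installer's own permission option took effect.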