I've been fiddling with my XP/Home system to see if i can do some/all of
the security hacks with it that I have done on my to XP/Pro systems.
I've been using the CACLS command and it seems to do OK [and is a LOT
less hassle than booting to SAFE mode].
I tried playing with "dropmyrights" and it didn't do much: a tiny bit of
investigation revealed that my laptop was set up with c: having an ACL of
"Everybody:F" and so even with dropped rights I could mess with C:\. Not
good. So I did what I thought would be simple: cacls of everything on
c:\ to "Everybody:R". BAD idea.
Problem is that I have too many old Unix reflexes [and Unix has a truly
*AWFUL* protection/security] and so Administrators are actually subject
to the same ACL rules as mere mortals [who'd'a'thunk it! - on Unix,
administrators [=root] have no such restrictions]. So what I discovered
is that I could hardly do anything even from my admin account [indeed,
even from my administrator account in SAFE mode]!!
And it was hard to fix: with everybody:R set, the ONLY account that can
change ACLs for an object is the *OWNER* of the object. So I needed to
go through all of c: and change what I could [as admin/administrator/both
of the two user accts -- amusingly, with Everybody:R even admin can't
mess with files on my limited account!]. Some of the files were owned by
a strange internal-system owner [something with {}'s] -- I think that was
stuff that Compaq pre-loaded onto the system. For those, I had to, one
by one, change the owner to administrator and THEN I could put the
protections back.
So the conclusion of this odd morality tale is that before I try this
again, I need to remember to do a cacls /P Administrators:F *before* I
once-again change the everybody entry to R. SIGH!!!
This little escapade has raised a questions:
1) how can I create a new group in XP/Home. It won't allow the mmc
snapin for local group management... is there some command-line thing I
can do to create a new group?
2) How can I undo the 'inherit from your parent'. Someone mentioned that
it was on the 'advanced' tab in the permissions. I'd be happy to do it
via cacls, but I don't really understand how the CI/OI/IO setting work.
THANKS!!
/Bernie\
--
Bernie Cosell Fantasy Farm Fibers
mailto:[EMAIL PROTECTED] Pearisburg, VA
--> Too many people, too few sheep <--
--
----------------------------------------
WIN-HOME Archives: http://PEACH.EASE.LSOFT.COM/archives/WIN-HOME.html
Contact the List Owner about anything: [EMAIL PROTECTED]
Official Win-Home List Members Profiles Page
http://www.besteffort.com/winhome/Profiles.html
