lansti
Enthusiast
Enthusiast

Chancge folder permissions with UEM

I need to let users have modify permissions on a folder within %programfiles(x86), is it possible to do so with UEM?

I tried a icalcs command as a logontask: Icacls "C:\Program Files (x86)\Folder" /grant "Users":(OI)(CI)F with no luck

Tags (2)
0 Kudos
22 Replies
Raymond_W
VMware Employee
VMware Employee

UEM is running under normal user permissions, so if  your user isn't a local admin this will not work. What happens if you use privilege elevation in UEM, to elevate the user rights for icacls and run the command again ?

Kind regards, Raymond Twitter: @raymond_himself
0 Kudos
lansti
Enthusiast
Enthusiast

thanks, but how will the command line look like then?

runas /USER:Administrator ..?

0 Kudos
techguy129
Expert
Expert

If you want to modify the permissions, you need to do so in the gold image or in group policy. Using Group Policy under Computer Settings -> Polices -> Security Settings -> File System.

A runas in a logon script requires the admin password which in a script would be a security risk.

0 Kudos
lansti
Enthusiast
Enthusiast

I tried to do so in golden image, but since Horizon deploy new clients and ad them to the domain, the local changes in golden will not follow when i give USERS full rights on a folder.

0 Kudos
Raymond_W
VMware Employee
VMware Employee

No with the feature "Privilege Elevation"

icacls elevate.png

Kind regards, Raymond Twitter: @raymond_himself
0 Kudos
lansti
Enthusiast
Enthusiast

hmm.. i cant find it in my UEM, what version do you run?

I'm running 9.1.0.175

0 Kudos
Raymond_W
VMware Employee
VMware Employee

Privilege Elevation has been introduced in UEM version 9.2

VMware User Environment Manager 9.2 Technical Deep Dive | VMware End-User Computing Blog  

Kind regards, Raymond Twitter: @raymond_himself
0 Kudos
DEMdev
VMware Employee
VMware Employee

A few notes on this proposed workaround:

  • Privilege elevation isn't activated until the end of the logon process, so you won't be able to leverage this for a UEM logon task.
    You can, however, have UEM create a shortcut in the Startup folder (or a value under Explorer's RunOnce key) and launch your elevated executable that way.
  • With the current version of the product you configure executables for elevation, based on their location, hash, or publisher. You probably don't want to elevate every launch of icacls.exe, so you would have to create some unique wrapper executable that invokes icacls.exe with the arguments you need.
    We are aware of this functional limitation, and are thinking of ways to address this in a future product version,
0 Kudos
lansti
Enthusiast
Enthusiast

Hi, so by doing this:

pastedImage_0.png

users should now have write permissions to avid folder and subfolders?

0 Kudos
DEMdev
VMware Employee
VMware Employee

Hi lansti,

No, that's not what privilege elevation does. Executables launched from that %ProgramFiles(x86)%\Avid folder will run elevated, but this configuration does not at all affect the permissions on that folder (or items inside that folder).

0 Kudos
epa80
Hot Shot
Hot Shot

Digging up an old thread, but, we're trying to do something very similar. DEM 2103, using cacls to modifying a folder's permissions:

C:\Windows\system32\cacls.exe C:\Program Files\TigerText /t /e /g Users:c
 
I still get access denied when the .bat calling this command runs. Any ideas?
 
epa80_1-1626895285467.png

 

 

 

0 Kudos
anil_agarwal
VMware Employee
VMware Employee

By using Privilege Elevation feature of DEM, you can elevate the task. Means, you allow user to run that task with elevated privilege. 

If you want users to run C:\Windows\system32\cacls.exe in elevated privilege, you can use this feature. Is this what you plan to do? 

 

Privilege elevation feature does not modify folder permissions but allow users to run tasks with elevated privilege.

0 Kudos
epa80
Hot Shot
Hot Shot

So we have a need to modify this folder on our VDI desktops:

C:\Program Files(x86)\TigerText

So that all users have Full Access. Or at the very least Write/Modify. We have attempted to create a privilege elevation for this argument:

epa80_0-1626955414948.jpeg

 

We then created a startup .bat file shortcut that runs the command:

"C:\Windows\system32\cacls.exe" "C:\Program Files (x86)\TigerText" /t /e /g Users:c
 
But still it doesn't seem to work. When I run the shortcut manually on the desktop, I get access denied.
0 Kudos
DEMdev
VMware Employee
VMware Employee

Hi @epa80,

I was going to comment on the lack of quotes around the path, but you fixed that already 🙂

Remaining question: you reference the executable in the SysWOW64 folder in your config file, but launch it from the "normal" system32 folder. Can you try configuring it with the system32 path?

0 Kudos
epa80
Hot Shot
Hot Shot

So I created this elevation fresh this morning:

epa80_0-1626958845688.png

 

I then dropped this shortcut onto a desktop where I applied the above PE:

epa80_2-1626958979400.png

I gave the login a good amount of time to finish before running the shortcut, just because I think I read that PE executes LAST, so, I did that. I still get access denied however.

0 Kudos
DEMdev
VMware Employee
VMware Employee

Hi @epa80,

I created the following privilege elevation setting:

DEMdev_0-1626971527285.png

I then created an Immidio\foobar sub folder that my test user has no modify permissions to.

DEMdev_1-1626971609658.png

The first command shows my test user has no permissions; the second one that it does not have permissions to change the permissions either.

Running with the exact same executable name and arguments as configured in the argument-based elevation config works: no "Access is denied" error when running cacls, and the test user can subsequently write to the folder.

Based on your screenshots I'd say you're doing pretty much the same... If you open a command prompt and copy-paste the executable name and arguments from your DEM setting, does that work? Does privilege elevation work at all for you? For instance, if you configure regedit.exe for path-based elevation, does it correctly elevate? 

0 Kudos
epa80
Hot Shot
Hot Shot

I don't know wjhat I'm doing wrong. I even removed a possible lockdown policy so that I had no restrictions. I'm also a local admin on the VM. Yet when I run cacls.exe, I get Access Denied.

 

epa80_0-1626976441501.png

 

This is after creating a DEM PE policy:

epa80_1-1626976476049.png

 

If I right click and run the .bat as administrator, runs fine. I'm lost. Almost like we're blocking cacls.exe as a file itself but I have no idea where that would be.

0 Kudos
epa80
Hot Shot
Hot Shot

I also had a different user altogether login and we got the same results. Another local admin as well.

0 Kudos
DEMdev
VMware Employee
VMware Employee

For argument-based privilege elevation to kick in, you would have to launch cacls.exe with the fully-qualified C:\Windows\System32\cacls.exe path, but I think you were doing that from your batch file, right?

Does privilege elevation work for you at all? Can you try the regedit experiment from my previous response?

0 Kudos