UEM is running under normal user permissions, so if your user isn't a local admin this will not work. What happens if you use privilege elevation in UEM to elevate the user rights for icacls and run the command again?
If you want to modify the permissions, you need to do so in the gold image or in group policy. Using Group Policy under Computer Settings -> Policies -> Security Settings -> File System.
A runas in a logon script requires the admin password which in a script would be a security risk.
I tried to do so in the golden image, but since Horizon deploys new clients and adds them to the domain, the local changes in the golden image will not follow when I give USERS full rights on a folder.
A few notes on this proposed workaround:
No, that's not what privilege elevation does. Executables launched from that %ProgramFiles(x86)%\Avid folder will run elevated, but this configuration does not at all affect the permissions on that folder (or items inside that folder).
Digging up an old thread, but we're trying to do something very similar. DEM 2103, using cacls to modify a folder's permissions:
By using the Privilege Elevation feature of DEM, you can elevate the task. That means you allow the user to run that task with elevated privilege.
If you want users to run C:\Windows\system32\cacls.exe in elevated privilege, you can use this feature. Is this what you plan to do?
The privilege elevation feature does not modify folder permissions but allows users to run tasks with elevated privilege.
So we have a need to modify this folder on our VDI desktops:
So that all users have Full Access. Or at the very least Write/Modify. We have attempted to create a privilege elevation for this argument:
We then created a startup .bat file shortcut that runs the command:
I was going to comment on the lack of quotes around the path, but you fixed that already 🙂
Remaining question: you reference the executable in the SysWOW64 folder in your config file, but launch it from the "normal" system32 folder. Can you try configuring it with the system32 path?
So I created this elevation fresh this morning:
I then dropped this shortcut onto a desktop where I applied the above PE:
I gave the login a good amount of time to finish before running the shortcut, just because I think I read that PE executes LAST, so, I did that. I still get access denied however.
I created the following privilege elevation setting:
I then created an Immidio\foobar sub folder that my test user has no modify permissions to.
The first command shows my test user has no permissions; the second one that it does not have permissions to change the permissions either.
Running with the exact same executable name and arguments as configured in the argument-based elevation config works: no "Access is denied" error when running cacls, and the test user can subsequently write to the folder.
Based on your screenshots I'd say you're doing pretty much the same... If you open a command prompt and copy-paste the executable name and arguments from your DEM setting, does that work? Does privilege elevation work at all for you? For instance, if you configure regedit.exe for path-based elevation, does it correctly elevate?
I don't know what I'm doing wrong. I even removed a possible lockdown policy so that I had no restrictions. I'm also a local admin on the VM. Yet when I run cacls.exe, I get Access Denied.
This is after creating a DEM PE policy:
If I right click and run the .bat as administrator, it runs fine. I'm lost. Almost like we're blocking cacls.exe as a file itself but I have no idea where that would be.
For argument-based privilege elevation to kick in, you would have to launch cacls.exe with the fully-qualified C:\Windows\System32\cacls.exe path, but I think you were doing that from your batch file, right?
Does privilege elevation work for you at all? Can you try the regedit experiment from my previous response?