Using iCACLS to restore NTFS permissions

LongLastingFlavor 221 Reputation points
2021-12-02T18:18:21.14+00:00

Hello,

I need to restore some NTFS permissions to the C:\Windows folder on our Windows 10 machines. "ALL APPLICATION PACKAGES" and the "TrustedInstaller" are missing from just the C:\Windows folder. The sub-folders are all ok. (Some old GPO was identified that created the issue).

I have a batch file that calls a txt file...

154593-capture1.jpg

And from within the txt file it is restoring the NTFS permissions (ALL APPLICATION PACKAGES and TrustedInstaller) to C:\Windows...

154572-capture2.jpg

I am trying to run the batch file as a Logon Script using Group Policy but it is not working. Looking for a way to successfully push this out companywide.

When I manually run the batch file with an elevated command prompt from a problem machine it works.

Just wondering if anyone had any thoughts or suggestions on how to go about applying this.

Thank you!


Accepted answer
  1. MotoX80 36,291 Reputation points
    2021-12-03T02:15:58.427+00:00

    Change the bat file to capture stdout and stderr to see what the command is doing.

    icacls C:\ /restore C-Windows_Permissions.txt 1>C:\Windows\Temp\Perms.log 2>&1
    

    When I manually run the batch file with an elevated command prompt from a problem machine it works.

    So the obvious conclusion would be that the command is not elevated when it runs.


3 additional answers

  1. Limitless Technology 39,916 Reputation points
    2021-12-03T09:26:34.103+00:00

    Hello SteveChambers,

    First, I would recommend testing the script locally on some test computers to see whether any errors come up or it runs smoothly.

    Have you verified that the script and txt file are located in the Sysvol folder > Domain.name > Policies > Policy GUID > Machine > Scripts > Startup?
    If everything is OK with the GPO, the same script and file are copied to the local folder %systemroot%\System32\GroupPolicy\Machine\Scripts\Startup, but you need to ensure that the script calls the TXT file in the SYSVOL share (only the scripts are copied, not the files they use).


    --If the reply is helpful, please Upvote and Accept as answer--
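
An added example, not code from any poster in this thread: a wrapper around the restore command that combines the two suggestions above by logging the account and integrity level the script runs under, and by locating the ACL file relative to the script itself. It assumes C-Windows_Permissions.txt is stored in the same folder as the batch file; the log path is the one used in the accepted answer.

```batch
@echo off
rem Added example: diagnostic wrapper for the icacls restore discussed in this thread.
rem Assumption: C-Windows_Permissions.txt sits beside this script. %~dp0 expands to
rem the script's own folder, so it also resolves when launched from a SYSVOL UNC path.
setlocal
set "LOG=C:\Windows\Temp\Perms.log"
set "ACLFILE=%~dp0C-Windows_Permissions.txt"

rem Record the account and group/integrity information of the running token.
> "%LOG%" echo [%date% %time%] Script started from %~dp0
>> "%LOG%" 2>&1 whoami
>> "%LOG%" 2>&1 whoami /groups

rem S-1-16-12288 = High Mandatory Level (elevated administrator),
rem S-1-16-16384 = System Mandatory Level (computer startup scripts, SYSTEM tasks).
whoami /groups | findstr /c:"S-1-16-12288" /c:"S-1-16-16384" >nul
if errorlevel 1 (
    >> "%LOG%" echo Token is not elevated: no High or System integrity level found.
    exit /b 1
)

rem Fail with a clear message if the ACL file was not deployed with the script.
if not exist "%ACLFILE%" (
    >> "%LOG%" echo ACL file not found: "%ACLFILE%"
    exit /b 2
)

rem Same restore as in the accepted answer; stdout and stderr are appended to the log.
icacls C:\ /restore "%ACLFILE%" >> "%LOG%" 2>&1
set "RC=%errorlevel%"
>> "%LOG%" echo icacls exit code: %RC%
exit /b %RC%
```

Reading Perms.log on an affected machine shows whether the run failed because the token was not elevated, because the ACL file was not reachable, or because icacls itself returned an error.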


  2. LongLastingFlavor 221 Reputation points
    2021-12-03T23:36:26.337+00:00

    On two machines, if I manually run the batch file in Safe Mode, it runs successfully. Running in normal mode or with non-Microsoft services disabled, I get "Access is denied". Running it as a logon script under Computers also did not work (I did verify that the machines are picking up the policy).

    Not sure if running it in Safe Mode can be automated or not. Currently researching my options.


  3. LongLastingFlavor 221 Reputation points
    2021-12-04T00:00:50.157+00:00

    Worth trying! Thank you!

