MAKEMSI quickly and reliably creates MSI files in a non-programmatic way
Have your say! Join the MAKEMSI discussion list or view archive! Suggest improvements. No question too simple or too complex.
[Bottom][Contents][Prev]: AutoRun SETUP.EXE from CD-ROM[Next]: FIREWALL.MMH - Adding and Removing Windows Firewall Exceptions
Have your say! Join the MAKEMSI discussion list or view archive! Suggest improvements. No question too simple or too complex.
\->User Contributions->CACLS.EXE - How to use Well Known SID

CACLS.EXE - How to use Well Known SID

This information and/or code in this section was provided by gerbb400 (thank you).

He wanted to use "cacls.exe" as it is already available on the operating system his msi supports. The problem is that a group like "Users" is a localised name and therefore varies between languages (its "Benutzer" in German). No matter what its called it's "well known SID" is always the same (in this case "S-1-5-32-545").

This example shows how to use WMI to determine the localized name from a well known SID and pass this to "cacls.exe":

;--- Setting security on test.txt -------------------------------------------
; This is allowing the group Users (Benutzer in german Windows) to change
; the file in [INSTALLDIR].
; The correct group names is discovered with the well known sid for Users.

;--- Handy commands you may wish to use -------------------------------------
#define  CACLS   <$RunCmd  {$?} ALIAS="CACLS" Command="CACLS.EXE" @="N">    ;;"CACLS.EXE" installed with WIN2000 & WINXP (at least on PRO) & Vista
#define  /CACLS  <$/RunCmd {$?} ALIAS="/CACLS">

;--- Update ACL on "test.txt" -----------------------------------------------
#data '@@INSTALLDIR' 2
    ;--- Install time name and location of SETACL tool ----------------------
    "INSTALLDIR" "[INSTALLDIR]"
    "LOCUSERSGROUP" "[LOCUSERSGROUP]"
#data
<$CACLS CONDITION=^<$CONDITION_INSTALL_ONLY>^ DATA="@@INSTALLDIR">
    ;--- Name of file we wish to modify ACL on ------------------------------
    "(*INSTALLDIR*)test"

    ;--- Edit ACL instead of replacing it -----------------------------------
    /E

    ;--- Deny administrators access -----------------------------------------
    /G (*LOCUSERSGROUP*):C
<$/CACLS>


;--- VBSCRIPT to set localized Users group name ------------------------------
<$Property "LOCUSERSGROUP" VALUE="Users">
<$VbsCa Binary="GetLocalizedUsersGroupBin.vbs">
#( '<?NewLine>'
   <$VbsCaEntry "GetLocalizedUsersGroup">
        dim objWMIService, colAccounts, objAccount
        Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
        Set colAccounts = objWMIService.ExecQuery("Select * From Win32_Group Where SID = 'S-1-5-32-545'")
        For Each objAccount in colAccounts
            session.property("LOCUSERSGROUP") = objAccount.Name
        Next
   <$/VbsCaEntry>
#)
<$/VbsCa>

;--- Call the above script during install and uninstall ---------------------
<$VbsCaSetup Binary="GetLocalizedUsersGroupBin.vbs" Entry="GetLocalizedUsersGroup" Seq="InstallValidate-" CONDITION=^<$CONDITION_INSTALL_ONLY>^ Deferred=N Description=" ">

Note that you would have two main alternatives as to how errors should be handled:

  1. Report the failure as in the above code (although it doesn't treat not finding the SID as an error).

    In the above code it is relying on MAKEMSI to create an error message from what VBSCRIPT tells (or doesn't tell) it when an exception occurs.

    I would normally check for errors in each step (line) and report the error with a suitable message but append what VBSCRIPT tells me... I would use CaDebug() to document each step. This gives you the fastest diagnosis and fix if a user reports a problem.

  2. Ignore errors them and try to continue. In this case you would set the "LOCUSERSGROUP" to a suitable default (as done above for a different reason). If it is not correct it will fail later performing the "cacls.exe" step.


Microsoft awarded me an MVP (Most Valuable Professional award) in 2004, 2005, 2006, 2007, 2008 & 2009 for the Windows SDK (Windows Installer) area.Please email me any feedback, additional information or corrections.
See this page online (look for updates)

[Top][Contents][Prev]: AutoRun SETUP.EXE from CD-ROM[Next]: FIREWALL.MMH - Adding and Removing Windows Firewall Exceptions


MAKEMSI© is (C)opyright Dennis Bareis 2003-2008 (All rights reserved).
Sunday February 28 2016 at 3:45pm
Visit MAKEMSI's Home Page
Microsoft awarded me an MVP (Most Valuable Professional award) in 2004, 2005, 2006, 2007, 2008 & 2009 for the Windows SDK (Windows Installer) area.