|
|
|
![[Bottom]](bottom.gif){kind=small}
![[Contents]](nav_contents.jpg){kind=small}
![[Prev]: AutoRun SETUP.EXE from CD-ROM](prev.gif){kind=small}
![[Next]: FIREWALL.MMH - Adding and Removing Windows Firewall Exceptions](next.gif){kind=small}
User ContributionsCACLS.EXE - How to use Well Known SID|
|
|
|
User ContributionsCACLS.EXE - How to use Well Known SID| CACLS.EXE - How to use Well Known SID |
This information and/or code in this section was provided by gerbb400 (thank you).
He wanted to use "cacls.exe" as it is already available on the operating system his msi supports. The problem is that a group like "Users" is a localised name and therefore varies between languages (its "Benutzer" in German). No matter what its called it's "well known SID" is always the same (in this case "S-1-5-32-545").
This example shows how to use WMI to determine the localized name from a well known SID and pass this to "cacls.exe":
;--- Setting security on test.txt -------------------------------------------
; This is allowing the group Users (Benutzer in german Windows) to change
; the file in [INSTALLDIR].
; The correct group names is discovered with the well known sid for Users.
;--- Handy commands you may wish to use -------------------------------------
#define CACLS <$RunCmd {$?} ALIAS="CACLS" Command="CACLS.EXE" @="N"> ;;"CACLS.EXE" installed with WIN2000 & WINXP (at least on PRO) & Vista
#define /CACLS <$/RunCmd {$?} ALIAS="/CACLS">
;--- Update ACL on "test.txt" -----------------------------------------------
#data '@@INSTALLDIR' 2
;--- Install time name and location of SETACL tool ----------------------
"INSTALLDIR" "[INSTALLDIR]"
"LOCUSERSGROUP" "[LOCUSERSGROUP]"
#data
<$CACLS CONDITION=^<$CONDITION_INSTALL_ONLY>^ DATA="@@INSTALLDIR">
;--- Name of file we wish to modify ACL on ------------------------------
"(*INSTALLDIR*)test"
;--- Edit ACL instead of replacing it -----------------------------------
/E
;--- Deny administrators access -----------------------------------------
/G (*LOCUSERSGROUP*):C
<$/CACLS>
;--- VBSCRIPT to set localized Users group name ------------------------------
<$Property "LOCUSERSGROUP" VALUE="Users">
<$VbsCa Binary="GetLocalizedUsersGroupBin.vbs">
#( '<?NewLine>'
<$VbsCaEntry "GetLocalizedUsersGroup">
dim objWMIService, colAccounts, objAccount
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colAccounts = objWMIService.ExecQuery("Select * From Win32_Group Where SID = 'S-1-5-32-545'")
For Each objAccount in colAccounts
session.property("LOCUSERSGROUP") = objAccount.Name
Next
<$/VbsCaEntry>
#)
<$/VbsCa>
;--- Call the above script during install and uninstall ---------------------
<$VbsCaSetup Binary="GetLocalizedUsersGroupBin.vbs" Entry="GetLocalizedUsersGroup" Seq="InstallValidate-" CONDITION=^<$CONDITION_INSTALL_ONLY>^ Deferred=N Description=" ">
Note that you would have two main alternatives as to how errors should be handled:
In the above code it is relying on MAKEMSI to create an error message from what VBSCRIPT tells (or doesn't tell) it when an exception occurs.
I would normally check for errors in each step (line) and report the error with a suitable message but append what VBSCRIPT tells me... I would use CaDebug() to document each step. This gives you the fastest diagnosis and fix if a user reports a problem.
  |
 MAKEMSI© is (C)opyright Dennis Bareis 2003-2008 (All rights reserved). Saturday May 28 2022 at 3:11pm Visit MAKEMSI's Home Page | |
![[Top]](top.gif){kind=small}