six demon bag

Wind, fire, all that kind of thing!

2016-01-04

Cannot delete my own scheduled task

Recently I noticed that I was no longer able to delete scheduled tasks on my Windows 7 test box, even though I created them myself. Deletion attempts failed with the following error:

    The user account does not have permission to delete this task.

Deleting my own tasks works fine in a vanilla install of Windows 7 SP1, so the issue must have been introduced by some update along the way. I had to modify the permissions on C:\Windows\System32\Tasks to get it to work again:

    icacls "C:\Windows\System32\Tasks" /grant "Authenticated Users":(RD)

Granting "list folder/read data" on the folder itself was sufficient, since the task files are owned by the user creating them and the CREATOR OWNER principal has full access to subfolders and files.
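
To confirm whether a box is affected before changing the ACL, and to verify the result afterwards, the following added example (not part of the original post) reports the Tasks folder entries for Authenticated Users and CREATOR OWNER. The function names are hypothetical, and it assumes PowerShell 2.0 or later, run elevated in case reading the folder's ACL is restricted.

```powershell
# Added example: audit C:\Windows\System32\Tasks before/after the icacls change.
# Well-known SIDs are used instead of names so the check works on localized systems.
$TasksDir     = Join-Path $env:SystemRoot 'System32\Tasks'
$AuthUsers    = 'S-1-5-11'   # Authenticated Users
$CreatorOwner = 'S-1-3-0'    # CREATOR OWNER

function Get-TasksFolderAclReport {
    param([string]$Path = $TasksDir)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules   = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)
    $rd      = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $inhOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    foreach ($r in $rules) {
        $sid = $r.IdentityReference.Value
        if ($sid -ne $AuthUsers -and $sid -ne $CreatorOwner) { continue }
        $isAllow = $r.AccessControlType -eq 'Allow'
        New-Object PSObject -Property @{
            Sid            = $sid
            Type           = $r.AccessControlType
            Rights         = $r.FileSystemRights
            Inherited      = $r.IsInherited
            # Inherit-only ACEs affect subfolders and files, not the folder itself.
            AppliesToSelf  = (([int]$r.PropagationFlags -band $inhOnly) -eq 0)
            # "List folder / read data" is the RD bit that icacls grants.
            GrantsReadData = $isAllow -and (([int]$r.FileSystemRights -band $rd) -ne 0)
        }
    }
}

function Test-AuthUsersCanList {
    param([string]$Path = $TasksDir)
    # Looks only for an Allow ACE carrying the specific RD bit on the folder
    # itself; Deny ACEs and generic rights are not evaluated here.
    $hit = Get-TasksFolderAclReport -Path $Path | Where-Object {
        $_.Sid -eq $AuthUsers -and $_.AppliesToSelf -and $_.GrantsReadData
    }
    return [bool]$hit
}

Get-TasksFolderAclReport |
    Format-Table Sid, Type, Rights, AppliesToSelf, GrantsReadData, Inherited -AutoSize
"Authenticated Users can list the Tasks folder: $(Test-AuthUsersCanList)"
```

Keeping the report from before the change also gives you a record of the original ACL if the grant ever needs to be reverted.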

Posted 19:51 [permalink]

2014-07-11

Compare ACLs

Recently I had the need to compare the ACLs of two Active Directory objects. With file ACLs I could expand their Access properties and compare the resulting lists with Compare-Object. However, for ACLs of Active Directory objects that didn't work, so I came up with the following function.

See more ...

Posted 18:50 [permalink]

2014-03-18

Migration of SMB Shares

Share migration is a common (if not integral) part of a file server migration. If you just move the shares from one host to another, the process is pretty straightforward, as described in MSKB article 125996:

  1. Export [HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares] on the old file server to a file:

    reg export HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares shares.reg
    
  2. Copy the file to the new file server and import it:

    reg import shares.reg
    
  3. Restart the Server service:

    net stop server && net start server
    
  4. Done.

See more ...

Posted 21:09 [permalink]

2008-10-13

How to Beat Windows Software into Submission

A great deal of Windows software insists on being run with administrative or at least power user privileges for no good reason. That's a Bad Thing™, because it enables any user to compromise the system. Most of this software can, however, be talked into running with a normal user's privileges. The problem is usually that the program attempts to write temporary data, configuration data and similar files to places a normal user can't write to. In this article I will describe the procedure I usually apply when dealing with reluctant software.

See more ...

Posted 11:27 [permalink]