Mouse freezes on VDI machines: A surprising solution - Part 2

Clemens Geiler

The second part of the story, which is really about managing ACLs with PowerShell rather than about fixing wisptis.exe itself. It takes a bit more effort than SetACL.exe, but it is worth writing down anyway.

A colleague of mine (thanks to Marius Gawenda) has been working on managing ACLs without SetACL.exe for some time and worked out a solution for the case where an administrator needs to take ownership of a file owned by TrustedInstaller. Some inline C# (loaded with Add-Type, P/Invoking AdjustTokenPrivileges) is required to enable the necessary privileges on the process token from within the script. The code comes from here:

https://gallery.technet.microsoft.com/Adjusting-Token-Privileges-9b6724fc

http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/

Three privileges are required. They are enabled with the function defined in the script linked above. The session has to be elevated: an elevated administrator token holds these privileges in a disabled state and the script only switches them on; a non-elevated (filtered) token does not hold them at all, so enabling fails there with ERROR_NOT_ALL_ASSIGNED.

SeTakeOwnershipPrivilege: grants WRITE_OWNER on the file even though its DACL gives Administrators only read and execute (needed to take ownership)
SeBackupPrivilege: allows reading the file and its security descriptor regardless of the DACL
SeRestorePrivilege: allows setting the owner to an arbitrary SID such as TrustedInstaller instead of only the caller's own SID or groups (needed to hand ownership back at the end)

The next step is to create an empty FileSecurity object with only the owner set. When it is applied to the file, .NET writes only the Owner section; the file's existing DACL is left untouched, so the object is effectively merged with the ACL the file already has.

$NewOwnerACL = New-Object System.Security.AccessControl.FileSecurity
$NewOwner = New-Object System.Security.Principal.NTAccount("BUILTIN\Administrators")
$NewOwnerACL.SetOwner($NewOwner) 

Now the owner can be set using (Windows PowerShell; on PowerShell 7 the .NET Core FileInfo has no SetAccessControl instance method and [System.IO.FileSystemAclExtensions]::SetAccessControl($fileInfo, $NewOwnerACL) is used instead)

(Get-Item $Env:Windir\System32\wisptis.exe).SetAccessControl($NewOwnerACL)

Once Administrators owns the file, its permissions can be changed: the owner always has READ_CONTROL and WRITE_DAC on the object regardless of what the DACL says, which is why ownership is taken first.

$UserPermission = "BUILTIN\Users","ReadAndExecute","Deny"
$AdminPermission = "BUILTIN\Administrators","ReadAndExecute","Deny"

$UserAccessRule = new-object System.Security.AccessControl.FileSystemAccessRule $UserPermission
$AdminAccessRule = new-object System.Security.AccessControl.FileSystemAccessRule $AdminPermission

# Read the current ACL; this works because Administrators now owns the file
$objfile = get-acl (Join-Path $(Join-Path $env:windir system32) wisptis.exe)
# SetAccessRule replaces any existing Deny rule for the same identity and leaves the Allow rules alone
$objfile.SetAccessRule($UserAccessRule)
set-acl -AclObject $objfile -Path $objfile.path

# Both rules could also be added to $objfile first and written with a single set-acl
$objfile.SetAccessRule($AdminAccessRule)
set-acl -AclObject $objfile -Path $objfile.path

Now give ownership back to TrustedInstaller. This is the step that needs SeRestorePrivilege: without it, the owner can only be set to the caller's own SID or to a group in the caller's token, and TrustedInstaller is neither.

$objTrustedInstaller = new-object System.Security.Principal.NTAccount("NT SERVICE","TrustedInstaller")
$objfile.SetOwner($objTrustedInstaller)
# -ea SilentlyContinue also hides a failed hand-back; run it without at least once to confirm the owner change succeeds
set-acl -AclObject $objfile -Path $objfile.path -ea SilentlyContinue

Two things to keep in mind afterwards. ReadAndExecute includes ReadPermissions (READ_CONTROL), so once Administrators no longer owns the file, Get-Acl and icacls on it are refused from an ordinary elevated shell; to inspect or undo the change, take ownership again first, exactly as in the first step. And an update that replaces wisptis.exe replaces its ACL along with it, so the check has to be repeated after servicing.
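The whole procedure as one script, added here as an example; it is not the code from this post nor Marius Gawenda's script. The TokenPrivilege class is my own P/Invoke equivalent of the linked Lee Holmes code, and the function name Protect-FileFromUsers and its parameters are assumptions. It assumes an elevated Windows PowerShell 5.1 session; wisptis.exe appears only in the usage comment.

```powershell
# Added example, not code from the post. Enables the three privileges (own
# P/Invoke in place of the linked Lee Holmes script), takes ownership, adds
# the Deny ACEs, hands the file back to TrustedInstaller.
# Assumes an elevated Windows PowerShell 5.1 session.

$privilegeSource = @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class TokenPrivilege
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    const uint SE_PRIVILEGE_ENABLED = 0x0002, TOKEN_QUERY = 0x0008, TOKEN_ADJUST_PRIVILEGES = 0x0020;
    const int ERROR_NOT_ALL_ASSIGNED = 1300;

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state,
                                             uint length, IntPtr previous, IntPtr returned);

    // Enables one privilege on the current process token. AdjustTokenPrivileges
    // returns TRUE even when the privilege is not held by the token, so the
    // non-elevated case is detected via ERROR_NOT_ALL_ASSIGNED.
    public static void Enable(string privilege)
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token))
            throw new Win32Exception();
        try
        {
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
            tp.PrivilegeCount = 1;
            tp.Attributes = SE_PRIVILEGE_ENABLED;
            if (!LookupPrivilegeValue(null, privilege, out tp.Luid)) throw new Win32Exception();
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) throw new Win32Exception();
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_NOT_ALL_ASSIGNED)
                throw new Win32Exception(err, privilege + " is not held by this token (run elevated)");
        }
        finally { CloseHandle(token); }
    }
}
'@
if (-not ([System.Management.Automation.PSTypeName]'TokenPrivilege').Type) {
    Add-Type -TypeDefinition $privilegeSource
}

function Protect-FileFromUsers {
    # Hypothetical name: denies $DenyRights to each identity in $DenyIdentity on
    # $Path, then returns the file to TrustedInstaller.
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [string[]] $DenyIdentity = @('BUILTIN\Users', 'BUILTIN\Administrators'),
        [System.Security.AccessControl.FileSystemRights] $DenyRights = 'ReadAndExecute'
    )
    # SeTakeOwnershipPrivilege: WRITE_OWNER although the DACL does not grant it (step 1).
    # SeRestorePrivilege: set an owner that is not in our token, i.e. TrustedInstaller (step 3).
    # SeBackupPrivilege: read the security descriptor regardless of the DACL.
    foreach ($p in 'SeTakeOwnershipPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege') {
        [TokenPrivilege]::Enable($p)
    }
    $item   = Get-Item -LiteralPath $Path
    $admins = New-Object System.Security.Principal.NTAccount('BUILTIN\Administrators')
    $ti     = New-Object System.Security.Principal.NTAccount('NT SERVICE', 'TrustedInstaller')

    # Step 1: take ownership. A fresh FileSecurity with only SetOwner called writes
    # just the Owner section; the DACL stays as it is. (PowerShell 7 equivalent:
    # [System.IO.FileSystemAclExtensions]::SetAccessControl($item, $ownerOnly))
    $ownerOnly = New-Object System.Security.AccessControl.FileSecurity
    $ownerOnly.SetOwner($admins)
    $item.SetAccessControl($ownerOnly)
    $acl = Get-Acl -LiteralPath $Path
    if ($acl.Owner -ne 'BUILTIN\Administrators') { throw "Taking ownership of $Path failed (owner is $($acl.Owner))" }

    # Step 2: Deny ACEs. The owner always has READ_CONTROL and WRITE_DAC, so this
    # works even though the DACL gives Administrators only read/execute.
    # SetAccessRule replaces an existing Deny rule for the same identity, leaves
    # the Allow rules alone, and .NET orders Deny ACEs before Allow ACEs.
    foreach ($id in $DenyIdentity) {
        $acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, $DenyRights, 'Deny')))
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Step 3: hand back. Writing an owner that is not in the caller's token is what
    # needs SeRestorePrivilege. Errors are deliberately not suppressed here.
    $acl.SetOwner($ti)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Afterwards the DACL is unreadable for Administrators from a shell without
    # these privileges: ReadAndExecute includes ReadPermissions (READ_CONTROL) and
    # Administrators no longer owns the file. To undo, run step 1 again first.
    Write-Verbose "${Path}: deny $DenyRights for $($DenyIdentity -join ', '); owner returned to $ti"
}

# Usage (elevated Windows PowerShell):
#   Protect-FileFromUsers -Path "$env:windir\System32\wisptis.exe" -Verbose
```

Get-Acl and Set-Acl are used for steps 2 and 3 because Windows PowerShell's Set-Acl writes the owner along with the DACL; that is harmless while Administrators is the owner and, with SeRestorePrivilege enabled, is exactly what step 3 needs. The owner-only object in step 1 is applied through SetAccessControl on purpose, so that only the Owner section is touched.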
