Warm tip: This article is reproduced from serverfault.com, please click

Powershell shortcut permissions using ACL?

Published on 2020-12-09 15:55:31

I have an MSI that is pushed through Intune and installed on users' computers. This MSI is basically a Flash browser needed for a specific web app. What I need to do is to create a custom shortcut and put a URL in the target of the shortcut, forcing the browser to that website (because the browser does not have a place to enter a URL).

I have no issues creating the shortcut; however, I want to make sure that a user can't go in and modify the target by right-clicking the shortcut and changing the URL parameter, allowing them to browse Google or Facebook or whatever through this browser.

This is what I currently have for the shortcut:

$Shell = New-Object -ComObject ("WScript.Shell")
$ShortCut = $Shell.CreateShortcut("C:\Users\Public\Desktop\Browser - PROD.lnk")
$ShortCut.TargetPath="C:\Program Files (x86)\Company\CompanyBrowser.exe"
$ShortCut.Arguments='-URL "https://company.url"'
$ShortCut.Save()

I popped the shortcut onto the public desktop so that standard users could not modify it; however, some of these users are local admins on their machine. What I was hoping was to change the security tab in the properties of the shortcut to allow the local Administrators account only read/execute access, but not the right to modify this shortcut.

I am playing around with the ACL functions, but it seems that it's all or nothing, and when I run the following script, it completely blocks the shortcut from even being executed:

$ProdACL = Get-Acl -Path "C:\Users\Public\Desktop\Browser - PROD.lnk"
$identity = "BUILTIN\Administrators"
$fileSystemRights = "Modify"
$type = "Deny"
$fileSystemAccessRuleArgumentList = $identity, $fileSystemRights, $type
$fileSystemAccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $fileSystemAccessRuleArgumentList
$ProdACL.SetAccessRule($fileSystemAccessRule)
Set-Acl -Path "C:\Users\Public\Desktop\Browser - PROD.lnk" -AclObject $ProdACL

I'm no PowerShell expert, but I believe I am close and perhaps not using the right parameters with the ACL.

Any help would be MUCH appreciated.

Questioner
degett
CFou 2020-12-10 02:17:00

@Doug Maurer is right.

You need to remove the inheritance first while preserving the rules:

$ProdACL = Get-Acl -Path "C:\Users\Public\Desktop\Browser - PROD.lnk"
$ProdACL.SetAccessRuleProtection($true, $true)
Set-Acl -Path "C:\Users\Public\Desktop\Browser - PROD.lnk" -AclObject $ProdACL

The first $True for the SetAccessRuleProtection method is blocking inheritance ($False to inherit) and the second is to copy the inherited rules ($False to clear inherited rules). The second value is ignored if the first one is set to $False.

Then, remove the rule that gives Administrators FullControl:

$ProdACL = Get-Acl -Path "C:\Users\Public\Desktop\Browser - PROD.lnk"
$identity = "BUILTIN\Administrators"
$fileSystemRights = "FullControl"
$type = "Allow"
$fileSystemAccessRuleArgumentList = $identity, $fileSystemRights, $type
$fileSystemAccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $fileSystemAccessRuleArgumentList
$ProdACL.RemoveAccessRule($fileSystemAccessRule)
Set-Acl -Path "C:\Users\Public\Desktop\Browser - PROD.lnk" -AclObject $ProdACL

Notice that you have to get the ACL again once you have set it to block inheritance.

I have copied your code, but it can be simplified like this (including the inheritance blocking):

# Block inheritance, copying the inherited rules onto the file
$ProdACL = Get-Acl -Path "C:\Users\Public\Desktop\Browser - PROD.lnk"
$ProdACL.SetAccessRuleProtection($true, $true)
Set-Acl -Path "C:\Users\Public\Desktop\Browser - PROD.lnk" -AclObject $ProdACL

# Set new ACL: re-read it, then remove every rule that names Administrators
# (Where can return more than one rule, and RemoveAccessRule takes one at a time)
$ProdACL = Get-Acl -Path "C:\Users\Public\Desktop\Browser - PROD.lnk"
$identity = "BUILTIN\Administrators"
$rules = $ProdACL.Access | Where IdentityReference -eq $identity
foreach ($fileSystemAccessRule in @($rules)) {
    $ProdACL.RemoveAccessRule($fileSystemAccessRule) | Out-Null
}
Set-Acl -Path "C:\Users\Public\Desktop\Browser - PROD.lnk" -AclObject $ProdACL
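As an added example (not code from either poster), the following script carries the answer through to what the question actually asked for: Administrators keep ReadAndExecute on the shortcut but lose write/delete, and the resulting ACL is verified instead of assumed. The path and identity are taken from the question; it assumes it runs elevated on the target machine.

```powershell
# Added example: protect the .lnk, give BUILTIN\Administrators read/execute only,
# then verify no remaining Allow ACE grants them write-type rights.
$Path   = "C:\Users\Public\Desktop\Browser - PROD.lnk"
$Admins = "BUILTIN\Administrators"

# 1. Stop inheriting from the Public Desktop folder; copy the inherited ACEs
#    so SYSTEM and Users keep the access they already have.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Path -AclObject $acl

# 2. Re-read the ACL (required after changing protection), drop every ACE that
#    names Administrators, then add one explicit Allow ReadAndExecute.
#    Do not use "Deny Modify" here: Modify includes ReadAndExecute, so that Deny
#    also blocks launching the shortcut, which is the symptom in the question.
$acl = Get-Acl -Path $Path
foreach ($rule in @($acl.Access | Where-Object { $_.IdentityReference -eq $Admins })) {
    $null = $acl.RemoveAccessRule($rule)
}
$readExec = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Admins,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($readExec)
Set-Acl -Path $Path -AclObject $acl

# 3. Verify: any Allow ACE for Administrators that still carries write-type
#    bits means the lockdown did not take. Useful as a post-deployment check.
$writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$final = Get-Acl -Path $Path
$leak = $final.Access | Where-Object {
    $_.IdentityReference -eq $Admins -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $writeBits) -ne 0)
}
if ($leak) { throw "Administrators still hold write-type rights on $Path" }

# Caveat: a local admin can still take ownership and reset these permissions,
# so this stops casual edits of the target but is not a security boundary.
$final.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```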