I am working with a proprietary build of Windows 7 Enterprise issued to us to deploy in our network environment. I am still trying to contact the build team, but also hoping to get some information here in the meantime.
In the NTFS file permissions of %SystemVolume%, the Users group has the Delete permission. This looks like it enables users who otherwise should be restricted to delete critical system files. With a test user account (non-administrator), I was able to unhide hidden files and folders, then proceeded to navigate to %Sysvol%\Windows\System32 and delete the folder GroupPolicyUsers. I should absolutely not be able to do that as a non-administrative user.
On a test machine with this OS build in reference, I set the permissions as follows:
Administrators - Full
SYSTEM - Full
CREATOR OWNER - Full (subfolders and files)
Users - Read/Write/Create/Append
I looked at a copy of XP SP3 we still have on the network and Users did not have the Delete permission assigned to them, only when it is inherited as Creator Owner. Is this a sensible resolution for the user ability to delete system files?
Any advice on this issue is appreciated.
This type of issue can be caused by the following reasons:
1. Folder and file access permissions have been edited before using Sysprep.
2. User account permissions have been set on Domain Controller site.
You'd better double-check the configuration of the System Image.
TechNet Community Support
- Marked as answer by Highspeedlane, May 2, 2012 21:55
Thanks for the helpful info. This is going to have to be resolved by the image builder who I will contact. Thanks again.
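One way to check an image for the condition described in this thread, as an added example that is not part of the original posts: a read-only PowerShell audit that lists Allow entries giving BUILTIN\Users a delete-capable right on the system drive root, System32 and the GroupPolicyUsers folder. The function name `Get-UsersDeleteAce` is hypothetical, the group is matched by its well-known SID so the check also works on localized builds, and other groups that include ordinary users are not covered.

```powershell
# Added example: report ACEs that let BUILTIN\Users delete items on the
# paths discussed in the thread. Read-only; it changes no permissions.
# Assumption: run elevated on the test machine so every ACL can be read.

$usersSid = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users

# Access-mask bits that permit deletion:
#   0x00010000 DELETE, 0x00000040 FILE_DELETE_CHILD, 0x10000000 GENERIC_ALL
$deleteMask = 0x00010000 -bor 0x00000040 -bor 0x10000000

$paths = @(
    "$env:SystemDrive\",
    "$env:SystemRoot\System32",
    "$env:SystemRoot\System32\GroupPolicyUsers"
)

function Get-UsersDeleteAce {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }   # folder may already be gone
        $acl = Get-Acl -Path $p
        # Request SIDs instead of names (explicit and inherited rules)
        $rules = $acl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            if ($r.IdentityReference.Value -ne $usersSid) { continue }
            if ($r.AccessControlType -ne 'Allow')          { continue }
            if (([int]$r.FileSystemRights -band $deleteMask) -eq 0) { continue }
            New-Object PSObject -Property @{
                Path      = $p
                Rights    = $r.FileSystemRights
                Inherited = $r.IsInherited   # False = set explicitly on this object
                AppliesTo = "$($r.InheritanceFlags) / $($r.PropagationFlags)"
            }
        }
    }
}

Get-UsersDeleteAce -Path $paths |
    Format-Table Path, Rights, Inherited, AppliesTo -AutoSize
```

An empty result means no such entry was found for Users on those paths; a row with `Inherited` set to False points at the object where the entry was set.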