  • Hi All,

    I have the need to control some permissions on the C:\Windows folder, and am doing this via PowerShell. I have a list of principals that should have access. I do a GET-ACL, and test against that for any non-compliant principals. This has worked for pretty much everything I've thrown at it with the exception of "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES"

    #Get ACL for C:\Windows
    $ACL = Get-Acl "C:\Windows"
    #Evaluate ACL for principals that aren't supposed to be there, write them to "$NonCompliantRules"
    $NonCompliantRules = $ACL.Access | Where-Object {
        $_.IdentityReference -ne "BUILTIN\Users" -and
        $_.IdentityReference -ne "NT AUTHORITY\SYSTEM" -and
        $_.IdentityReference -ne "BUILTIN\Administrators" -and
        $_.IdentityReference -ne "CREATOR OWNER" -and
        $_.IdentityReference -ne "NT SERVICE\TrustedInstaller" -and
        $_.IdentityReference -ne "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES"
    }
    #For every principal found that's not supposed to be there, remove the ACE from the in-memory ACL
    ForEach($NonCompliantRule in $NonCompliantRules){
        $ACL.RemoveAccessRule($NonCompliantRule) | Out-Null
    }
    #Finalize new ACL on the folder
    Set-Acl -Path 'C:\Windows' -AclObject $ACL

    When the script gets to the removal of the access rule for "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES", I get:

    Exception calling "RemoveAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
    At line:15 char:1
    + $ACl.RemoveAccessRule($NonCompliantRule) | out-null
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : IdentityNotMappedException

    Normal accounts work just fine, but there seems to be something about these that cause everything to barf.

    Any help would be greatly appreciated!


    Wednesday, December 6, 2017 9:43 PM
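The error above is raised when the ACE's account name has to be looked up to get its SID. An added example, not code from the original post, that audits the folder's DACL by SID instead of by name: the function name `Get-NonCompliantAce`, the `$AllowedSid` default list and the assumption that `GetAccessRules` with `[SecurityIdentifier]` as the target type returns each ACE's SID without a name lookup are the author's additions here, not from the thread.

```powershell
# Added example: report ACEs on a folder whose principal is not in an allow-list
# of well-known SIDs. Comparing SIDs avoids the name translation that fails for
# "ALL RESTRICTED APPLICATION PACKAGES" (S-1-15-2-2) in the post above.
# Assumption: GetAccessRules($true, $true, [SecurityIdentifier]) hands back the
# raw SID of each ACE, so no account-name lookup is performed.
function Get-NonCompliantAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Well-known SIDs of the principals that are allowed on the folder
        [string[]] $AllowedSid = @(
            'S-1-5-32-545',  # BUILTIN\Users
            'S-1-5-18',      # NT AUTHORITY\SYSTEM
            'S-1-5-32-544',  # BUILTIN\Administrators
            'S-1-3-0',       # CREATOR OWNER
            'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464',  # NT SERVICE\TrustedInstaller
            'S-1-15-2-1'     # APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES
        )
    )
    $acl = Get-Acl -Path $Path
    # Explicit and inherited rules, identities returned as SecurityIdentifier objects
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($AllowedSid -notcontains $sid) {
            # Resolve a display name only for the report; keep the SID when no name maps
            $name = $sid
            try { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{
                Path      = $Path
                Sid       = $sid
                Name      = $name
                Rights    = $rule.FileSystemRights
                Type      = $rule.AccessControlType
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Report only: review the output before changing anything on a system folder
Get-NonCompliantAce -Path 'C:\Windows' | Format-Table -AutoSize
```

Because the rule objects returned this way already carry a SID as their IdentityReference, they can be compared and logged even for principals whose names the local machine cannot resolve.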

All replies

  • You should never alter the settings on system folders.

    You can use the secedit utility to read, report and enforce settings.  SECEDIT will show you where settings have been changed from the system required settings.

    Unless specifically instructed by Microsoft support or a KB never alter settings on System folders.


    Wednesday, December 6, 2017 10:25 PM
  • Thanks for the advice.

    So I have to enforce certain security on folders in our environment, do you have any advice or guidance on using the secedit command line tool to do this? For instance any decent articles that talk about this?

    Ideally I would do Compliance baselines in SCCM and remedy when not compliant.

    Thursday, December 7, 2017 1:43 PM
    Please use your search engine to find articles on SECEDIT.  There are hundreds.

    This is not a SECEDIT forum.  SECEDIT is a deployment and configuration tool.

    You can post in the Windows Security forum for assistance with using system security configuration tools.


    Thursday, December 7, 2017 4:23 PM