Permis Sections of Permis.sxp

In the Permisn sections (Permis1, Permis2, ...) you set the access rights for one object per section. The object is identified by the entries Type, Object, and (optional) FileMask; the remaining entries say how the new access control entries are applied to the object's ACL and which accounts they allow or deny.

Each of the Permisn sections can have the following entries (entries marked optional may be omitted):

Type=Type
Object=Object
FileMask=File_mask                      optional
AddToACL=Value                          optional
Aace1=Account_name_1,Access_mask_1      optional
:
Aacen=Account_name_n,Access_mask_n      optional
Dace1=Account_name_1                    optional
:
Dacen=Account_name_n                    optional


Type

Specifies the type of the object. The value of Type can be one of the following:

File    A file
Dir     A directory with files (subdirectories are not included)
RDir    A directory with files and subdirectories (recursive)
Key     A registry key
RKey    A registry key and its subkeys (recursive)

Object

Specifies the object including its path name. The type of the object determines the structure of the value:

File    A file path
Dir     A directory path
RDir    A directory path
Key     A root_key\key structure (see Root key and Key below)
RKey    A root_key\key structure

File_mask

Specifies a file mask. All files matching this file mask are assigned the access rights. FileMask can be specified only if the object type is Dir or RDir. You can specify a file name pattern only, such as *.doc; no path details (drive, directory, backslashes) can be specified.

AddToACL

Specifies how the object's current access control list (ACL) is treated:

yes      The access control entries (Aace and Dace) are added to the object's existing ACL.
other    Any other value, and the default if the entry is omitted: the access control entries (Aace and Dace) replace the object's ACL. Every ACE not listed in the section is lost, so omit AddToACL=yes only when the section lists the complete intended ACL.

Aacen

Sets an Allowed ACE for the account_name given in the line, granting the rights given by the access mask.

Dacen

Sets a Denied ACE for the account_name given in the line; a Dace carries no access mask. Note that deny entries take priority over allow entries: a Dace for a group also blocks every member of that group, whatever the Aace entries grant them. Use them very carefully!
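As an added example (not part of the original page and not code of the Permis tool), the following Python parser reads the PermisN sections of a Permis.sxp text and enforces the rules described above: Type and Object are mandatory, FileMask is allowed only for Dir and RDir and must not contain path details, AddToACL=yes means add and anything else means replace, Aace values are Account_name,Access_mask with an eight-hex-digit mask, Dace values are a bare account name, and Key/RKey objects must have the root_key\key form. The sample section is constructed; the INI-style layout ([PermisN] header, key=value lines, ';' comment lines) is an assumption about the file format.

```python
"""Parse and validate the [PermisN] sections of a Permis.sxp file.

Added example; assumes an INI-style layout ([PermisN] header, key=value lines,
';' comment lines). The rules implemented are the ones documented for the entries.
"""
import re

VALID_TYPES = {"File", "Dir", "RDir", "Key", "RKey"}
SECTION_RE = re.compile(r"^Permis\d+$")
ACE_RE = re.compile(r"^(Aace|Dace)(\d+)$")
MASK_RE = re.compile(r"^[0-9A-Fa-f]{8}$")       # Access_mask: exactly eight hex digits

# Constructed sample (not a real Permis.sxp): add ACEs for *.doc files below
# C:\Data\Projects, granting Administrators full access and a domain group
# read/write access, and denying Guests.
SAMPLE = r"""; constructed sample
[Permis1]
Type=RDir
Object=C:\Data\Projects
FileMask=*.doc
AddToACL=yes
Aace1=Administrators,10000000
Aace2=MyDomain\Project Users,C0000000
Dace1=Guests
"""


def split_sections(text):
    """Return {section_name: [(key, value), ...]} preserving entry order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")        # split at the first '=' only
        sections[current].append((key.strip(), value.strip()))
    return sections


def parse_permis(entries):
    """Validate one section's entries and return a normalised description."""
    spec = {"Type": None, "Object": None, "FileMask": None,
            "add_to_acl": False, "allow": [], "deny": []}
    allow, deny = {}, {}
    for key, value in entries:
        if key == "Type":
            if value not in VALID_TYPES:
                raise ValueError(f"unknown Type {value!r}")
            spec["Type"] = value
        elif key == "Object":
            spec["Object"] = value
        elif key == "FileMask":
            if any(c in value for c in "\\/:"):    # name patterns only, no path details
                raise ValueError("FileMask must not contain path details")
            spec["FileMask"] = value
        elif key == "AddToACL":
            spec["add_to_acl"] = value == "yes"     # any other value: replace the ACL
        else:
            m = ACE_RE.match(key)
            if not m:
                raise ValueError(f"unknown entry {key!r}")
            index = int(m.group(2))
            if m.group(1) == "Aace":
                account, sep, mask = value.rpartition(",")   # mask is the last field
                if not sep or not MASK_RE.match(mask):
                    raise ValueError(f"{key}: expected Account_name,Access_mask (8 hex digits)")
                allow[index] = (account.strip(), int(mask, 16))
            else:
                deny[index] = value                 # a Dace has no access mask
    if spec["Type"] is None or spec["Object"] is None:
        raise ValueError("Type and Object are mandatory")
    if spec["FileMask"] is not None and spec["Type"] not in ("Dir", "RDir"):
        raise ValueError("FileMask is only allowed for Dir and RDir objects")
    if spec["Type"] in ("Key", "RKey") and "\\" not in spec["Object"]:
        raise ValueError("Key objects must be given as root_key\\key")
    spec["allow"] = [allow[i] for i in sorted(allow)]
    spec["deny"] = [deny[i] for i in sorted(deny)]
    return spec


def parse_permis_file(text):
    """Parse every PermisN section of a Permis.sxp text; other sections are ignored."""
    return {name: parse_permis(entries)
            for name, entries in split_sections(text).items()
            if SECTION_RE.match(name)}


def validation_error(text):
    """Return the first validation error message for text, or None if it is valid."""
    try:
        parse_permis_file(text)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for name, spec in parse_permis_file(SAMPLE).items():
        print(name, spec)
```

Running the parser over a Permis.sxp before deployment catches the mistakes that the tool would otherwise turn into wrong ACLs: a FileMask on a File object, a path inside a FileMask, a seven-digit access mask, or a section without AddToACL=yes that silently replaces the whole ACL.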

Account_name

Specifies the user or group name.

The account_name can be qualified by a domain prefix, such as domain\account. domain is the name of the Windows domain this system is part of, or of a trusted domain.

If account_name is not qualified, it is mapped to the local account of the same name. If no such local account exists, account_name is mapped to the account of the same name in the system's domain or in any trusted domain.

Examples:

MyAccount    The given account name
MySystem     The name of the local system
MyDomain     The Windows domain the system is part of

If MyAccount is an account defined on the local system, the access control is set for this local account (MySystem\MyAccount). If MyAccount is not an account of the local system but is an account of MyDomain, the access control is set for MyDomain\MyAccount. Because the local account is tried first, an unqualified name that exists both locally and in the domain silently selects the local account; qualify the name (MyDomain\MyAccount) when you mean the domain account.

There are several well-known security identifiers (SIDs) that map to predefined accounts whose names are localized. For example, on a U.S. English system the local administrators group is called Administrators, whereas on a German system it is called Administratoren.

These accounts can be specified independently of their localization as follows:

\MyDomain\RIDAlias

Used for a predefined Windows domain-specific account. MyDomain is the Windows domain the system is part of. The domain-related RIDAlias can have one of the values listed under List of RIDAlias Values. Note that only a subset of these accounts may exist on a given system.

\SIDAlias

Used for a predefined built-in account or special account. SIDAlias can have one of the values listed under List of SIDAlias Values.

Hint: You can use parameters when defining an account. For example, define the PrimaryDomain parameter as follows:

PrimaryDomain=&HKLM\software\microsoft\windows nt\CurrentVersion\Winlogon\CachePrimaryDomain

Then

\$(PrimaryDomain)\Domain Users

resolves to the predefined global Domain Users account of the Windows domain the target computer is part of, and

\$(%COMPUTERNAME%)\Administrator

resolves to the target computer's predefined local Administrator account.
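As an added example (not from this page and not the Permis tool's own resolver), the following Python code applies the documented lookup order to an Account_name: $(...) parameters are expanded first, a leading backslash marks the \Domain\RIDAlias and \SIDAlias forms, a domain\account name is looked up in the named domain only, and an unqualified name is tried locally first and then in the domains. The computer name WS01, the domains CORP and PARTNER, the account names and the parameter values are all constructed; the order in which the primary and the trusted domains are searched for an unqualified name is an assumption (the page says only "the domain account or any trusted domain account"). The alias names themselves are not validated here because the RIDAlias and SIDAlias value lists are not on this page.

```python
"""Classify and resolve Permis Account_name values in the documented lookup order.

Added example, not part of the Permis documentation or tool. The account tables,
parameter values and names below are constructed for the demonstration.
"""
import re

PARAM_RE = re.compile(r"\$\(([^)]*)\)")        # $(Parameter) or $(%ENVVAR%)

# Constructed environment of target computer WS01 in domain CORP; PARTNER is a
# trusted domain. Not real data. Note that "Backup" exists locally AND in CORP.
COMPUTER = "WS01"
PRIMARY_DOMAIN = "CORP"
LOCAL_ACCOUNTS = {"Administrator", "Administrators", "Backup"}
DOMAIN_ACCOUNTS = {
    "CORP":    {"Backup", "Project Users", "Domain Users"},
    "PARTNER": {"Auditors"},
}
PARAMETERS = {"PrimaryDomain": PRIMARY_DOMAIN, "%COMPUTERNAME%": COMPUTER}


def expand_parameters(name):
    """Substitute every $(...) reference from the parameter table."""
    def repl(match):
        key = match.group(1)
        if key not in PARAMETERS:
            raise KeyError(f"undefined parameter {key!r} in {name!r}")
        return PARAMETERS[key]
    return PARAM_RE.sub(repl, name)


def resolve_account(account_name):
    """Return (kind, scope, name) for an Account_name value.

    kind 'local'  : account of the local system (scope = computer name)
    kind 'domain' : account of the primary or a trusted domain (scope = domain)
    kind 'rid'    : \\Domain\\RIDAlias, a predefined domain-specific account;
                    scope equal to the computer name means a local predefined account
    kind 'sid'    : \\SIDAlias, a predefined built-in or special account
    Raises LookupError when no matching account exists.
    """
    name = expand_parameters(account_name)
    if name.startswith("\\"):                   # alias forms
        parts = name[1:].split("\\")
        if len(parts) == 2 and all(parts):
            return ("rid", parts[0], parts[1])
        if len(parts) == 1 and parts[0]:
            return ("sid", None, parts[0])
        raise ValueError(f"malformed alias reference {account_name!r}")
    if "\\" in name:                            # domain-qualified: domain\account
        domain, _, account = name.partition("\\")
        if domain not in DOMAIN_ACCOUNTS:
            raise LookupError(f"{domain!r} is neither the system's domain nor a trusted domain")
        if account not in DOMAIN_ACCOUNTS[domain]:
            raise LookupError(f"no account {account!r} in domain {domain!r}")
        return ("domain", domain, account)
    # Unqualified: the local account wins, then the primary domain, then the
    # trusted domains (primary-before-trusted ordering is an assumption).
    if name in LOCAL_ACCOUNTS:
        return ("local", COMPUTER, name)
    search_order = [PRIMARY_DOMAIN] + sorted(d for d in DOMAIN_ACCOUNTS if d != PRIMARY_DOMAIN)
    for domain in search_order:
        if name in DOMAIN_ACCOUNTS[domain]:
            return ("domain", domain, name)
    raise LookupError(f"account {name!r} not found locally or in any domain")


def try_resolve(account_name):
    """resolve_account, but None instead of an exception for unresolvable names."""
    try:
        return resolve_account(account_name)
    except (LookupError, ValueError):
        return None


if __name__ == "__main__":
    for n in ("Backup", r"CORP\Backup", "Project Users", "Auditors",
              r"\$(PrimaryDomain)\Domain Users", r"\$(%COMPUTERNAME%)\Administrator"):
        print(f"{n:40} -> {try_resolve(n)}")
```

The "Backup" case is the one to watch: the unqualified name resolves to the local account even though CORP\Backup also exists, so the ACE ends up on a different principal than a domain administrator might expect. A parameterised form such as \$(PrimaryDomain)\Domain Users avoids hard-coding the domain name into the .sxp file.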

Access_mask

Specifies the access rights as an eight-digit hexadecimal value. The critical values for the access mask are:

10000000    Full access
20000000    Execute access
40000000    Write access
80000000    Read access
00010000    Permission to delete
00020000    Permission to read the Access Control List (ACL)
00040000    Permission to read and write the Access Control List (ACL)
00080000    Permission to change the owner

Rights are combined by adding the values (a bitwise OR), keeping the eight-digit form. For example, C0000000 (80000000 + 40000000) specifies Read and Write access. Note that 00040000 and 00080000 let the account rewrite the object's protection or take ownership, so they are effectively as powerful as full access and should be granted as sparingly as 10000000.
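As an added example (not from this page or the Permis tool), the following Python helpers compose an Access_mask from the right names listed above, decode a mask back into those names while flagging bits the page does not document, and pick out the rights that allow changing the object or its protection, which is the check a reviewer wants to run over every Aace in a .sxp file. The value table is the one above; the grouping of rights as "privileged" is this example's own classification.

```python
"""Compose and decode Permis Access_mask values (eight hex digits).

Added example, not part of the Permis documentation or tool. The bit values and
names are the ones documented for Access_mask; combining rights is a bitwise OR.
"""

# Name -> bit value, in the order the documentation lists them.
ACCESS_BITS = {
    "Full access":    0x10000000,
    "Execute access": 0x20000000,
    "Write access":   0x40000000,
    "Read access":    0x80000000,
    "Delete":         0x00010000,
    "Read ACL":       0x00020000,
    "Read/write ACL": 0x00040000,
    "Change owner":   0x00080000,
}
KNOWN_BITS = 0
for _bit in ACCESS_BITS.values():
    KNOWN_BITS |= _bit

# Rights that let the holder modify the object or its protection (this example's
# own classification); an Aace granting any of these to a broad group deserves review.
PRIVILEGED = {"Full access", "Write access", "Delete", "Read/write ACL", "Change owner"}


def compose_mask(*rights):
    """Build the eight-hex-digit mask that grants the named rights."""
    value = 0
    for right in rights:
        value |= ACCESS_BITS[right]        # KeyError on an unknown right name
    return f"{value:08X}"


def is_valid_mask(text):
    """True if text has the required form: exactly eight hexadecimal digits."""
    return len(text) == 8 and all(c in "0123456789abcdefABCDEF" for c in text)


def parse_mask(text):
    """Validate the textual form and return the mask as an integer."""
    if not is_valid_mask(text):
        raise ValueError(f"Access_mask must be eight hexadecimal digits, got {text!r}")
    return int(text, 16)


def decode_mask(text):
    """Return (named rights, leftover bits).

    leftover != 0 means the mask sets bits that are not in the documented table,
    which usually indicates a typo rather than an intended right.
    """
    value = parse_mask(text)
    names = [name for name, bit in ACCESS_BITS.items() if value & bit]
    return names, value & ~KNOWN_BITS


def privileged_rights(text):
    """Subset of the decoded rights that go beyond reading and executing."""
    names, _ = decode_mask(text)
    return [name for name in names if name in PRIVILEGED]


if __name__ == "__main__":
    print(compose_mask("Read access", "Write access"))   # C0000000, the page's example
    print(decode_mask("C0000000"))
    print(decode_mask("C0000001"))                        # leftover bit 1 is undocumented
    print(privileged_rights("C0080000"))
```

Fed with the Access_mask of each Aace line, privileged_rights gives a quick list of which entries grant more than read and execute; decode_mask's leftover value catches masks such as C0000001 that were probably mistyped.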

Key

Specifies the name of the key in the format SubKey1\...\SubKeyn.

Root key

Specifies one of the root keys predefined by Windows NT technology. You can assign the following root keys: