Open Software Solutions

Assume that Denise Smith logs on to her Windows Vista-based computer and that she creates a new directory on her external hard disk (drive D). Denise names the directory FamilyPictures. Later, Denise’s son, Brian, logs on to the computer. Brian creates a new directory that is named SummerVacationPics in the FamilyPictures directory. Then, Brian saves several pictures in the SummerVacationPics directory. If the Windows XP DACL settings are applied to the SummerVacationPics directory, Denise cannot edit any of the pictures in the SummerVacationPics directory. This behavior occurs because the DACLs mark Brian as the only user who has Write permissions. However, DACL default behavior has been changed in Windows Vista. Therefore, in Windows Vista, Denise can perform photo editing tasks on the pictures in the SummerVacationPics directory.

These DACL changes let users share and edit files without specifying the credentials in the User Account Control dialog box. Additionally, users can manually make a directory private. This feature guarantees that users can easily maintain data confidentiality and data integrity on data drives. Private directories are readable by an administrator if the administrator has been granted elevated mode permissions. The elevated mode feature should be used to keep data private from standard users. The Windows Vista DACL settings are applied during installation, and they are migrated to any detected drive that meets one of the following criteria:

Back to the top

Tool updates

The Convert.exe and Format.exe command-line tools have been changed in Windows Vista to include new options for the new DACL settings. However, these tools cannot convert existing Windows XP DACL settings to the Windows Vista DACL settings. To change an existing Windows XP DACL setting to a Windows Vista DACL setting, you must use the Cacls.exe command-line tool in Windows Vista. For example, the following command converts existing Windows XP DACL settings on the D: data drive to Windows Vista DACL settings:

Cacls D: /s:D:(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;SDGXGWGR;;;AU)(A;OICI;GXGR;;;BU)

Back to the top

DACL settings in Windows Vista

Use the following table of abbreviations to determine the results of access control entry (ACE) inheritance.

Access control entry inheritance abbreviations

Windows XP %systemroot% directory and data drive DACL settings

The following are the default DACL settings for the %systemroot% directory and for the data drive in Windows XP.

Windows Vista data drive DACL settings

The following are the new Windows Vista DACL settings for data drives that are created by using the Format.exe program.

Windows Vista %systemroot% directory DACL settings

Back to the top

How to disable data drive migration when you build your image

In some environments, you may not want to convert the ACLs of your data drives. Scenarios in which you may not want to convert the ACLs of your data drive include the following:

Note The Windows Automated Installation Kit (WAIK) contains a set of deployment tools. Guidance about how to use the deployment tools is available from the Microsoft Download Center. WAIK is targeted at corporate customers who are doing automated Windows deployment. For more information about WAIK, visit the following Web site:

To disable data drive migration, follow these steps.

1.	Create a directory to store the Windows Imaging Format (WIM) file. For example, create a C: VistaRTM WIM directory.
2.	Create a directory to store the uncompressed operating system image. For example, create a C: VistaRTM OS directory.
3.	Copy the applicable Install.wim file to the temporary WIM directory that you created in step 1. For example, type the following command at a command prompt to copy the Install.wim file from the Windows Vista installation media: Copy e: sources install.wim c: VistaRTM WIM install.wim
4.	Copy the image filter driver from the WAIK deployment tools to the C: VistaRTM Driver directory. To do this, follow these steps: a. Click Start , type cmd in the Start Search box, right-click cmd.exe in Programs list, and then click Run as administrator. If you are prompted for an administrator password or for confirmation, type the password, or click Continue. b. At the command prompt, type the following commands. Press ENTER after each command. cd c: VistaRTM Driver wimfltr.sys
5.	At the elevated command prompt, mount the applicable .wim image. For example, type the following command at the command prompt: Imagex.exe /MountRW c: VistaRTM WIM install.WIM 1 c: VistaRTM OS Note 1 is the value of the image index in the Install.wim file. Because the Install.wim file can list multiple Windows edition images, you should use the imagex /info install.wim command to display all the Windows editions in the Install.wim file. When you have identified the correct index for the Windows edition, use that value together with the /MountRW command. For more information about the ImageX tool and about WIM, visit the following Microsoft Web site: http://technet.microsoft.com/en-us/windowsvista/aa905070.aspx (http://technet.microsoft.com/en-us/windowsvista/aa905070.aspx)
6.	Edit the system registry hive for the WIM image. To do this, follow these steps. Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: 322756 (/Feedback.aspx?kbNumber=322756/) How to back up and restore the registry in Windows a. Click Start, type regedit in the Start Search box, and then click regedit in the Programs list. If you are prompted for an administrator password or for confirmation, type the password, or click Continue. b. In Registry Editor, locate and then click HKEY_LOCAL_MACHINE, and then click Load Hive on the File menu. c. In the Load Hive dialog box, select the SYSTEM directory in the Windows Vista directory, and then click Open. For example, select the C: VistaRTM OS Windows System32 config SYSTEM directory. d. Type TEMP_HKLM in the Key Name box to create a temporary HIVE entry, and then click OK. e. Locate and then click the following registry subkey. HKEY_LOCAL_MACHINE TEMP_HKLM Setup f. On the Edit menu, point to New, and then click DWORD Value. g. Type DDACLSys_Disabled, and then press ENTER. h. Right-click DDACLSys_Disabled, and then click Modify. i. In the Value data box, type 1, and then click OK.
7.	After you modify the image, seal the image. To do this, type the following command at a command prompt: imagex.exe /UnMount /commit c: VistaRTM OS
8.	Replace the original Install.wim file by using the modified image. To do this, type the following command at a command prompt: copy C: VistaRTM OS install.wim E: sources install.wim

Back to the top

How to define a protected drive DACL

Restrict file and directory creation for standard users

To specify that standard users cannot create directories or files outside their user profiles, run the following command at an elevated command prompt:

Enable standard users to create top-level directories

To specify that standard users can create top-level directories and that they will be the owners of a directory and all its subdirectories, run the following command at a command prompt:

Back to the top

How to define a protected directory for a specific user

To specify that only a specific user can access a file or a directory outside the user profile, follow these steps:

The following sample commands use the PersonalSecureFolder directory. This directory is located in the D: directory.

BUILTIN Administrators:(I)(F)BUILTIN Administrators:(I)(OI)(CI)(IO)(F)NT AUTHORITY SYSTEM:(I)(F)NT AUTHORITY SYSTEM:(I)(OI)(CI)(IO)(F)NT AUTHORITY Authenticated Users:(I)(M)NT AUTHORITY Authenticated Users:(I)(OI)(CI)(IO)(M)

HomePC Denise:(F)HomePC Denise:(OI)(CI)(IO)(F)NT AUTHORITY SYSTEM:(F)NT AUTHORITY SYSTEM:(OI)(CI)(IO)(F)BUILTIN Administrators:(F)BUILTIN Administrators:(OI)(CI)(IO)(F)

Back to the top