View Full Version : LockPermissions: How to give the Administrators group all access on NT 4?

05-13-2002, 12:07 PM
After much wailing & gnashing of teeth, I finally figured out that the default value of "Directory" that IS 7 puts in the Table column of a new row in LockPermissions is incorrect. It should be CreateFolder.

Anywho, now that I can let the IUSR_[ComputerName] user get at the installed folder, I need to explicitly let the Administrators group do it as well. Entering "Administrators" in the User column does not work; NT 4 errors saying there is not user with that name. I also tried the Win2000 "Well-Known SID" S-1-5-32-544, with no luck.

Can someone tell me how to get the SID for "Administrators", or what to put in that column to get what I want?


05-13-2002, 03:20 PM
Do you use Windows Installer 2.0?

The documentation for the "User" column of the LockPermissions table says:

"With Windows Installer version 2.0 or later, the common user names "Everyone," and "Administrators" may be entered in English and are mapped to Well-Known SIDs. LocalSystem is given full control in all security descriptors created through the LockPermissions table. You may use the ComputerName property, LogonUser property, or the USERNAME property in this field to get the current user. A custom action is required to enter the localized name of any other user or group."

If there is indeed a bug that prevents you from doing this, then you could retrieve the name from the well-known SID for Administrators using a CA that calls a DLL function that uses the Microsoft APIs AllocateAndInitializeSid() and LookupAccountSidW().

05-13-2002, 04:35 PM
Thanks. Again, I'm installing on NT v4, so it may be that even Installer v2.0 doesn't support the new groups listed on that platform. It seems to work on Win2k

I'll try leaving the Domain column blank, with User="Administrators" to see if that works. Curiously, if I set the permissions using CACLS.EXE (my backup), then use CACLS to view the permisssions, the username changes from "Administrators" to "BUILTINS\Administrators".

Thanks for the lead on the 2 DLL calls; they may come in handy.


05-13-2002, 04:46 PM
I do use cacls.exe to set file and directory permissions myself, and I haven't had any problems with that.

Just make sure you don't "hard-code" any names of built-in users/groups, as they vary depending on the language (and can even be renamed).