JeffRozar

We are writing to the CSIDL_COMMON_APPDATA location as recommended. However, multiple users need to write to the same file, but when the file is created by logouser1, logouser2 has no rights to it.

Any ideas on how to solve this "common" problem


Re: Application Compatibility for Windows Vista Create a file with Everyone full permissions?

Bruce N. Baker - MSFT

At this point, I'm not sure if there exists a the standard way to do this but I found out that if you want to share data then store it in a location specified by an environment variable and set the ACL on the file for BUILTIN\Users to Full access for that file. But that also means that anyone can modify this file. You can also write to the commondata which apparently is the programdata directory under the root (but not visible if you try to dir it on the command line). Otherwise, only the creator of the file will be allowed to modify it. You could set individual ACLs if you wanted to. That's an exercise left up to you. You can also use the expandenvironmentvariables("%PUBLIC%) to get you to the public directory. I haven't tried playing with a shared file there yet.

I did notice an oddity that if I delete the file in cmd prompt once it was "unprotected" that I was not able to create that file again. That was strange. I haven't tried to programatically delete it yet.

At this point this isn't an "official" answer.






Re: Application Compatibility for Windows Vista Create a file with Everyone full permissions?

JeffRozar

I think we solved it by using CACLS to fix the problem. We just added Everyone with Full Control.




Re: Application Compatibility for Windows Vista Create a file with Everyone full permissions?

AndyCadley

JeffRozar wrote:
We just added Everyone with Full Control.

There are potential security and stability issues with that. It's better to give the built in Users group Modify permissions (i.e. Read/Write only).





Re: Application Compatibility for Windows Vista Create a file with Everyone full permissions?

Bruce N. Baker - MSFT

I totally agree. Good answer.




Re: Application Compatibility for Windows Vista Create a file with Everyone full permissions?

JeffRozar

AndyCadley wrote:

JeffRozar wrote:
We just added Everyone with Full Control.

There are potential security and stability issues with that. It's better to give the built in Users group Modify permissions (i.e. Read/Write only).



What about Everyone just Read/Write




Re: Application Compatibility for Windows Vista Create a file with Everyone full permissions?

AndyCadley

There are a bunch of edge cases where Everyone will be more encompassing than the Users group (it can apply to unauthenticated users in certain configurations, or Domain Users in cases where the Users group has been specifically constrained). In pretty much all the cases where you think you want a permission granted to Everyone what you actually want is to grant it to the Users group.



Re: Application Compatibility for Windows Vista Create a file with Everyone full permissions?

JeffRozar

Odd....on Vista, the icon shows up with a tag of the smaller version of the Users icon in Control Panel when any rights are added for local users.

Secondly, are domain users in the local Users group




Re: Application Compatibility for Windows Vista Create a file with Everyone full permissions?

AndyCadley

On a domain joined machine the Domain Users group is a member of the local machines Users group by default, so granting permissions to Users will still work fine in that scenario.