I have a folder on all of our computers that I occasionally dump log files or configs to. I create that folder with some PowerShell via BigFix, and apply ACLs to only allow Admin and SYSTEM access:

    # Create directory if it does not already exist
    $path = "C:\Wagner"
    [System.IO.Directory]::CreateDirectory($path)

    # Remove inheritance
    $acl = Get-Acl $path
    $acl.SetAccessRuleProtection($true,$false)

    # Allow SYSTEM access
    $System = [System.Security.AccessControl.FileSystemAccessRule]::new(
        "SYSTEM",
        "FullControl",
        "ContainerInherit, ObjectInherit", # inheritanceFlags
        "InheritOnly",                     # propagationFlags
        "Allow"
    )
    $acl.SetAccessRule($System)

    # Allow Admin access
    $Admins = [System.Security.AccessControl.FileSystemAccessRule]::new(
        "BUILTIN\Administrators",
        "FullControl",
        "ContainerInherit, ObjectInherit", # inheritanceFlags
        "InheritOnly",                     # propagationFlags
        "Allow"
    )
    $acl.SetAccessRule($Admins)

    # Remove access that may have been granted to users
    $rules = $acl.access | Where-Object {
        (-not $_.IsInherited) -and
        $_.IdentityReference -like "AD\*"
    }
    ForEach($rule in $rules) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    $acl | Set-Acl $path

If I check the ACLs on an example computer, everything looks correct to me:

    PS C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\CustomSite_Wagner\__Download> (Get-ACL C:\Wagner).Access

    FileSystemRights  : FullControl
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\SYSTEM
    IsInherited       : False
    InheritanceFlags  : ContainerInherit, ObjectInherit
    PropagationFlags  : InheritOnly

    FileSystemRights  : FullControl
    AccessControlType : Allow
    IdentityReference : BUILTIN\Administrators
    IsInherited       : False
    InheritanceFlags  : ContainerInherit, ObjectInherit
    PropagationFlags  : InheritOnly

I can open the folder, enter the admin password, and check everything I need. However, I have an installation failing because it can’t write the log file to that folder.

    [...]
    createfile until _EOF_
    "{parameter "desktopEXE"}" /quiet /norestart /log "c:\Wagner\tableauDesktopInstall.log" ACCEPTEULA=1 ACTIVATE_KEY="{parameter "tableauLicense"}" REMOVEINSTALLEDAPP=1
    "{parameter "prepEXE"}" /quiet /norestart /log "c:\Wagner\tableauPrepInstall.log" ACCEPTEULA=1 ACTIVATE_KEY="{parameter "tableauLicense"}"
    _EOF_
    move __createfile tableauInstaller.bat
    waithidden cmd.exe /C tableauInstaller.bat

The fixlet fails with error code -2147023274, which seems to be because the log location is inaccessible. Indeed, if I change the log location in the install command, it completes successfully.
I believe BigFix runs as SYSTEM, which should have full access to my C:\Wagner folder — what could be going wrong?
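
Added example, not part of the original post: a helper that reports, for each ACE in a directory ACL, whether it takes effect on the folder itself or only on its children. An ACE whose PropagationFlags include InheritOnly is not applied to the object it is set on. `Get-AceScope` and `New-FullControlRule` are hypothetical helper names, and both ACLs are constructed in memory using the identities from the post.

```powershell
# Added example (not from the original post). Nothing on disk is modified.
function Get-AceScope {
    param([Parameter(Mandatory)]
          [System.Security.AccessControl.DirectorySecurity]$Acl)
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $container   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $object      = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    # Explicit and inherited rules, identities rendered as account names
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Rights     = $ace.FileSystemRights
            Type       = $ace.AccessControlType
            # InheritOnly means the ACE is skipped for the folder it is set on
            ThisFolder = -not $ace.PropagationFlags.HasFlag($inheritOnly)
            Subfolders = $ace.InheritanceFlags.HasFlag($container)
            Files      = $ace.InheritanceFlags.HasFlag($object)
        }
    }
}

# Hypothetical helper: a FullControl allow rule with the given propagation flags
function New-FullControlRule {
    param([string]$Identity, [string]$Propagation)
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, 'FullControl', 'ContainerInherit, ObjectInherit',
        $Propagation, 'Allow')
}

# Constructed ACL matching the post: protected, both rules InheritOnly
$asPosted = [System.Security.AccessControl.DirectorySecurity]::new()
$asPosted.SetAccessRuleProtection($true, $false)
$asPosted.AddAccessRule((New-FullControlRule 'SYSTEM' 'InheritOnly'))
$asPosted.AddAccessRule((New-FullControlRule 'BUILTIN\Administrators' 'InheritOnly'))

# Constructed ACL for comparison: same rules with propagation flags None
$withNone = [System.Security.AccessControl.DirectorySecurity]::new()
$withNone.SetAccessRuleProtection($true, $false)
$withNone.AddAccessRule((New-FullControlRule 'SYSTEM' 'None'))
$withNone.AddAccessRule((New-FullControlRule 'BUILTIN\Administrators' 'None'))

Get-AceScope $asPosted | Format-Table -AutoSize   # ThisFolder is False for both
Get-AceScope $withNone | Format-Table -AutoSize   # ThisFolder is True for both

# Against a real folder: Get-AceScope (Get-Acl C:\Wagner)
```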