[Windows] Detect/change permissions to allow desktop icon delete?

(imported topic written by SystemAdmin)

Some of my users are annoyed that app installers typically add a desktop icon to C:\Users\Public\Desktop. They’d like to remove the desktop app icons they don’t want and leave the ones they do want.

I’ve figured out a command to add a permission to that directory which should let authenticated users delete files and folders within C:\Users\Public\Desktop, without letting C:\Users\Public\Desktop be deleted:

icacls c:\Users\Public\Desktop /grant "NT AUTHORITY\Authenticated Users":(OI)(CI)(IO)(D)

I’d like to make a TEM action (I think?) which will do two things:

  • be relevant for computers where C:\Users\Public\Desktop\ is not letting “NT AUTHORITY\Authenticated Users” delete subfolders and files of C:\Users\Public\Desktop.
  • execute the above icacls command which will add this permission.

I am new to TEM/BigFix and I don’t see how to run an arbitrary shell command (such as the above) with Action Script (assuming that’s the way to do this), and I don’t see how to write relevance to detect directory ACLs.

If you see something horribly unwise in my goals, please let me know.

Thanks for your help. Any assistance would be appreciated.

(imported comment written by SystemAdmin)

Update:

rundetached

seems to do what I was aiming to do – execute a command without a DOS command line window appearing (because this is a non-interactive task). So the action script portion of this issue appears to be answered – make a new task and set the action script to the following:

rundetached icacls c:\Users\Public\Desktop /grant "NT AUTHORITY\Authenticated Users":(OI)(CI)(IO)(D)

But now this task is set for all computers, and I’d prefer this task to only be relevant for computers that don’t allow “NT AUTHORITY\Authenticated Users” to delete subfolders and files of C:\Users\Public\Desktop.

Any tips (e.g., here’s how you do this) or warnings (e.g., here’s why you should not do this) to implement this as relevance? My plan is to change my task to only be relevant so I get a running inventory of computers where doing this makes sense and is likely to work.

(imported comment written by SystemAdmin)

I think I’m getting closer but I’m not getting the results I expected to get.

I’ve set the relevance to:

not effective delete child permission for "NT AUTHORITY\Authenticated Users" of dacl of security descriptors of folder "C:\Users\Public\Desktop"

and my Action Script is

rundetached icacls c:\Users\Public\Desktop /grant "NT AUTHORITY\Authenticated Users":(OI)(CI)(IO)(D)

I can get the result I think I want with this Action Script (barring doing anything unwise). But my relevance is still returning True on machines where “NT AUTHORITY\Authenticated Users” has permission to delete anything within “C:\Users\Public\Desktop” (but not delete the “C:\Users\Public\Desktop” folder itself), which is not what I expected to see.

Any advice or help?
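The following is an added example, not code from the thread or from BigFix: a PowerShell script that does the detect-then-remediate split the poster is after, outside of relevance language. It reads the DACL of C:\Users\Public\Desktop and looks for an Allow entry for "NT AUTHORITY\Authenticated Users" that carries the Delete right and inherits to both subfolders and files, which is exactly what the posted icacls command with (OI)(CI)(IO)(D) creates; only if no such entry exists does it add one. The path and account come from the thread; the two function names are assumptions made here. Note that the posted icacls command grants the Delete (D) right on the children by inheritance; the separate "delete child" right (DC in icacls terms) lives on the folder itself and is not what that command sets, so a check for "delete child" on the folder will not change state after the action runs. The script below checks the thing the action actually changes.

```powershell
# Added example (not from the original thread or from BigFix/TEM).
# Detect whether "NT AUTHORITY\Authenticated Users" already has an Allow ACE
# on C:\Users\Public\Desktop granting Delete to subfolders and files, and add
# an inherit-only one (the equivalent of icacls (OI)(CI)(IO)(D)) if not.
# Function names are assumptions made for this example.

$Path     = 'C:\Users\Public\Desktop'                 # folder from the thread
$Identity = 'NT AUTHORITY\Authenticated Users'        # account from the thread

$FSR = [System.Security.AccessControl.FileSystemRights]
$IF  = [System.Security.AccessControl.InheritanceFlags]
$PF  = [System.Security.AccessControl.PropagationFlags]
$ACT = [System.Security.AccessControl.AccessControlType]

# Both inheritance bits: CI (subfolders) and OI (files).
$BothInherit = [int]($IF::ContainerInherit -bor $IF::ObjectInherit)

function Test-ChildDeleteAce {
    # Returns $true if an Allow ACE for $Account on $Folder includes the Delete
    # right and propagates to both subfolders and files. An explicit Deny ACE
    # for the same account would still win at access-check time, so report it.
    param([string]$Folder, [string]$Account)

    $acl = Get-Acl -LiteralPath $Folder
    $found = $false
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $Account) { continue }

        # Cast to int: FileSystemRights can carry generic-rights bits that
        # are not named enum members, and -band on ints is unambiguous.
        $hasDelete = ([int]$ace.FileSystemRights -band [int]$FSR::Delete) -ne 0
        $inheritsToAll = ([int]$ace.InheritanceFlags -band $BothInherit) -eq $BothInherit

        if ($hasDelete -and $inheritsToAll) {
            if ($ace.AccessControlType -eq $ACT::Deny) {
                Write-Warning "Explicit Deny of Delete for $Account on $Folder; an Allow will not override it."
                return $false
            }
            $found = $true
        }
    }
    return $found
}

function Add-ChildDeleteAce {
    # Adds Allow:Delete for $Account, inherit-only, to subfolders and files.
    # This is the .NET equivalent of:
    #   icacls <Folder> /grant "<Account>":(OI)(CI)(IO)(D)
    param([string]$Folder, [string]$Account)

    $acl  = Get-Acl -LiteralPath $Folder
    $args = @(
        $Account,
        $FSR::Delete,
        ($IF::ContainerInherit -bor $IF::ObjectInherit),   # (CI)(OI)
        $PF::InheritOnly,                                   # (IO): not on the folder itself
        $ACT::Allow
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $args
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Folder -AclObject $acl
}

if (Test-ChildDeleteAce -Folder $Path -Account $Identity) {
    Write-Output "$Identity can already delete items under $Path; nothing to do."
} else {
    Add-ChildDeleteAce -Folder $Path -Account $Identity
    Write-Output "Added inherit-only Delete ACE for $Identity on $Path."
}
```

Run it elevated, since Set-Acl on a folder under C:\Users\Public requires the right to change its DACL. Test-ChildDeleteAce is the part to reuse as the "relevance" side: it is true only when the ACE the action creates is already present, so a task gated on its negation stops applying once the remediation has run. The (IO) flag keeps the Delete right off the Desktop folder itself, which is what prevents users from removing the folder while still letting them remove the shortcuts inside it.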