I have an MSI that is pushed through Intune and installed on users' computers. This MSI is basically a Flash browser needed for a specific web app. What I need to do is create a custom shortcut and put a URL in the target of the shortcut, forcing the browser to that website (because the browser does not have a place to enter a URL).
I have no issues creating the shortcut; however, I want to make sure that a user can't go in and modify the target by right-clicking the shortcut and changing the URL parameter, allowing them to browse Google or Facebook or whatever through this browser.
This is what I currently have for the shortcut:
$Shell = New-Object -ComObject ("WScript.Shell")
$ShortCut = $Shell.CreateShortcut("C:\Users\Public\Desktop\Browser - PROD.lnk")
$ShortCut.TargetPath="C:\Program Files (x86)\Company\CompanyBrowser.exe"
$ShortCut.Arguments='-URL "https://company.url"'
$ShortCut.Save()
I put the shortcut on the public desktop so that standard users could not modify it; however, some of these users are local admins on their machines. What I was hoping to do was change the security tab in the properties of the shortcut to allow the local Administrators group only read/execute access, but not modify access, on this shortcut.
I am playing around with the ACL functions, but it seems to be all or nothing: when I run the following script, it completely blocks the shortcut from even being executed.
$ProdACL = Get-Acl -Path "C:\Users\Public\Desktop\Browser - PROD.lnk"
$identity = "BUILTIN\Administrators"
$fileSystemRights = "Modify"
$type = "Deny"
$fileSystemAccessRuleArgumentList = $identity, $fileSystemRights, $type
$fileSystemAccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $fileSystemAccessRuleArgumentList
$ProdACL.SetAccessRule($fileSystemAccessRule)
Set-Acl -Path "C:\Users\Public\Desktop\Browser - PROD.lnk" -AclObject $ProdACL
I'm no PowerShell expert, but I believe I am close and perhaps not using the right parameters for the ACL.
Any help would be MUCH appreciated.
@Doug Maurer is right.
You need to remove the inheritance first while preserving the rules:
$ProdACL = Get-Acl -Path "C:\Users\Public\Desktop\Browser - PROD.lnk"
$ProdACL.SetAccessRuleProtection($true, $true)
Set-Acl -Path "C:\Users\Public\Desktop\Browser - PROD.lnk" -AclObject $ProdACL
The first $True for the SetAccessRuleProtection method blocks inheritance ($False to inherit), and the second copies the inherited rules ($False to clear the inherited rules). The second value is ignored if the first one is set to $False.
Then, remove the rule that gives Administrators FullControl:
$ProdACL = Get-Acl -Path "C:\Users\Public\Desktop\Browser - PROD.lnk"
$identity = "BUILTIN\Administrators"
$fileSystemRights = "FullControl"
$type = "Allow"
$fileSystemAccessRuleArgumentList = $identity, $fileSystemRights, $type
$fileSystemAccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $fileSystemAccessRuleArgumentList
$ProdACL.RemoveAccessRule($fileSystemAccessRule)
Set-Acl -Path "C:\Users\Public\Desktop\Browser - PROD.lnk" -AclObject $ProdACL
Notice that you have to get the ACL again once you have set it to block inheritance.
I have copied your code, but it can be simplified like this (with the inheritance blocking included):
#Block Inheritance
$ProdACL = Get-Acl -Path "C:\Users\Public\Desktop\Browser - PROD.lnk"
$ProdACL.SetAccessRuleProtection($true, $true)
Set-Acl -Path "C:\Users\Public\Desktop\Browser - PROD.lnk" -AclObject $ProdACL
# Set new ACL
$ProdACL = Get-Acl -Path "C:\Users\Public\Desktop\Browser - PROD.lnk"
$identity = "BUILTIN\Administrators"
# After inheritance is blocked, the copied Administrators entries are explicit and can be removed.
# Loop because more than one entry may match; RemoveAccessRule takes a single rule.
$fileSystemAccessRules = $ProdACL.Access | Where IdentityReference -eq $identity
foreach ($fileSystemAccessRule in $fileSystemAccessRules) {
    $null = $ProdACL.RemoveAccessRule($fileSystemAccessRule)
}
Set-Acl -Path "C:\Users\Public\Desktop\Browser - PROD.lnk" -AclObject $ProdACL
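As an added example (not code from the question or the answer above), this variant goes one step further than removing the Administrators entry: it replaces it with an explicit Read & Execute allow entry, which is what the question asked for, and then verifies the result. It assumes the shortcut path from the question, that the script runs elevated (for example by Intune as SYSTEM), and that SYSTEM should keep FullControl so later deployments can still update or remove the file.

```powershell
# Added example, not from the question or answer: give Administrators
# Read & Execute only on the shortcut instead of removing their entry outright.
# Assumes the shortcut path from the question and that the script is run
# elevated (e.g. by Intune as SYSTEM); SYSTEM keeps FullControl so later
# deployments can still update or remove the file.
$Path = "C:\Users\Public\Desktop\Browser - PROD.lnk"
$Admins = New-Object -TypeName System.Security.AccessControl.NTAccount -ArgumentList "BUILTIN\Administrators"
$System = New-Object -TypeName System.Security.AccessControl.NTAccount -ArgumentList "NT AUTHORITY\SYSTEM"

# 1. Break inheritance, copying the inherited entries as explicit ones.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Path -AclObject $acl

# 2. Re-read the ACL; the copied entries only exist on disk after Set-Acl.
$acl = Get-Acl -Path $Path

# 3. Remove every explicit Administrators entry in one call. PurgeAccessRules
#    does not care how many entries match, unlike RemoveAccessRule.
$acl.PurgeAccessRules($Admins)

# 4. Add an Allow ReadAndExecute entry for Administrators. A Deny Modify entry
#    would also deny launching, because Modify includes ReadAndExecute.
$acl.AddAccessRule((New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Admins, "ReadAndExecute", "Allow"))

# 5. Keep SYSTEM at FullControl for future management of the file.
$acl.AddAccessRule((New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $System, "FullControl", "Allow"))

Set-Acl -Path $Path -AclObject $acl

# 6. Verify: show the resulting entries and warn if Administrators still hold
#    any write or delete right on the shortcut.
$entries = (Get-Acl -Path $Path).Access
$entries | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete
$leftover = $entries | Where-Object {
    $_.IdentityReference -eq $Admins -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $WriteMask) -ne 0)
}
if ($leftover) { Write-Warning "Administrators still have write or delete access to $Path" }

# Caveat: a member of Administrators can still take ownership and rewrite this
# DACL, so this stops casual edits from the Properties dialog, not a determined admin.
```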