
I have a PowerShell script which takes some data and dumps it into a logfile whenever it's executed. The script resides in a single location and a shortcut is distributed to all.

I want to log the events on the script when it's executed; how can I give the users only append access to the log file? I don't want them deleting the logs; they only need to append to that.

Please do let me know of any questions or clarifications.

Darktux

1 Answer

You need to modify the NTFS permissions on the log file. You need to ensure that the "Create folders / append data" permission only is granted to the individuals or groups that you want to be able to only append to the log file. That setting is in the "Advanced" portion of the permissions on the file.


Also see: http://www.techrepublic.com/article/windows-101-know-the-basics-about-ntfs-permissions/6084446

Create Folders/Append Data: This Create Folders permission allows users to create folders within a folder. (This applies to folders only.) The Append Data permission allows users to make changes to the end of the file, but they can't change, delete, or overwrite existing data. (This applies to files only.)

Ryan Ries
  • Should the inheritance be disabled? – Darktux Feb 08 '13 at 17:50
  • It doesn't need to be - permissions granted explicitly on a file will take precedence over inherited permissions. An explicit deny takes precedence over an inherited allow, an explicit allow takes precedence over an inherited deny, etc. – Ryan Ries Feb 08 '13 at 17:54
  • for some reason, it doesn't work for me :( http://imgur.com/a/MpTTJ – LogicDaemon Jun 24 '15 at 08:50
  • this seems to be the minimal permission set for append (via command line redirection) to work: http://imgur.com/h59bZBE. My guess is that Write is actually required for appending data, but without the Append permission, you can't resize the file. – LogicDaemon Jun 24 '15 at 08:55
  • @LogicDaemon: Good find. Unfortunately, this makes the whole endeavor kind of useless: Once the user has write permissions, the user can just replace the complete file contents (using `>` instead of `>>`), thus effectively deleting the log. This seems to be [a limitation of command line redirection](https://stackoverflow.com/a/56423674/87698). – Heinzi May 12 '22 at 09:19