2

As part of the workaround for CVE-2014-1776 I created a group policy object that applied Deny permissions to everyone on VGX.DLL. I am now trying to undo this group policy and having a lot of trouble. I first attempted to unlink the group policy and then force a group policy update, when that didn't work I also attempted to explicitly add read permissions for Everyone again, this also did not work.

If you've added Deny Everyone permissions to a file via group policy, how do you remove those to return things to the status quo?

Zell Faze
  • 343
  • 2
  • 5
  • 16

1 Answers1

4

It turned out that the problem had to do with the ownership of the file. By default the file is owned by TrustedInstaller. Because I had set all permissions to Deny to Everyone the only person who could change the permissions on the file was TrustedInstaller.

The solution in the end was to modify the Group Policy object to also change the owner of the file to Domain Administrators AND also remove the Deny permission from the GPO. It is not necessary to explicitly add an allow permission to the GPO.

Zell Faze
  • 343
  • 2
  • 5
  • 16
  • Thanks for the heads-up. I also applied a policy in the exact same manner in response to CVE-2014-1776. I have yet to remove the policy as I am still in the process of making sure all computers have the MS patch applied through our WSUS, but it's good to know it can be done. – Get-HomeByFiveOClock May 07 '14 at 04:01