Access problems after deploying a service settings (.dls) file that contains permissions for local user accounts of the target computer
DESCRIPTION
A DeviceLock Service Settings file (.dls) applied on client computers blocks users' access to ports / device types instead of granting it.
COMMENTS
The issue usually indicates that the DeviceLock Service Settings file (.dls), created in DeviceLock Service Settings Editor or in DeviceLock Management Console, contains permissions for local user / group accounts of the target computer.
Along with the name of the user / group account, the Service Settings file (.dls) stores the SID (security identifier) that account had on the computer where the file was created. Local user / group accounts with the same name on different computers have different SIDs (the machine-specific part of an S-1-5-21-... SID differs from computer to computer), and since the operating system works with SIDs rather than names, the target computer cannot resolve the SID carried in the '.dls' file to any of its own user / group accounts.
As a result, the DeviceLock access permissions appear to be configured for an unknown SID rather than for the user / group named in the '.dls' file, and the intended users get no access.
RECOMMENDATIONS
1. Do not use a service settings file (.dls) to deploy permissions that contain local user accounts. Instead, use DeviceLock Management Console to connect to each client and configure DeviceLock permissions individually.
2. Alternatively, the following undocumented feature lets you edit a Service Settings file so that its local user / group accounts are resolved correctly on other machines:
- Open the DeviceLock Service Settings file with any text editor (e.g. Notepad);
- For every access permission and every Audit / Shadowing rule, remove the SID attribute and the computer-name prefix from the account name, so that only the bare user / group name remains. Leave entries for domain accounts and for well-known groups (e.g. Everyone, BUILTIN\Administrators) as they are: their SIDs are identical on every computer and resolve without this change.
EXAMPLE
A .dls file contains the following Removable permission entry:
<Permission Allow="1" SID="S-1-5-21-1801907219-2944528423-2448991922-1000" AccessMask="0xffffff" TimeMask="ffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" Name="p4support2\User1"/>
This Removable permission entry must be changed to:
<Permission Allow="1" AccessMask="0xffffff" TimeMask="ffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" Name="User1"/>
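The edit above is easy to get wrong by hand when a .dls file holds dozens of permission and audit / shadowing entries, so the following script automates it. It is an added example, not DeviceLock's own tooling, and it assumes only what the entry above shows: permission-style elements carry a SID attribute and a Name attribute of the form COMPUTER\Account. The script strips the SID and the computer-name prefix only from entries whose SID is a machine-local one (S-1-5-21-...) and whose prefix is the computer the file was created on (p4support2 in the example); domain accounts and well-known SIDs such as BUILTIN\Administrators are left untouched. Everything else in the file is passed through byte for byte. The sample file content embedded below is constructed for the example and is not a real .dls file.

```python
import re
import sys

# Constructed sample in the shape of the entry shown on the page (not a real .dls file).
# TimeMask shortened for readability; the script does not interpret it.
SAMPLE_DLS = r"""<?xml version="1.0"?>
<Settings>
  <Removable>
    <Permission Allow="1" SID="S-1-5-21-1801907219-2944528423-2448991922-1000" AccessMask="0xffffff" TimeMask="ffff" Name="p4support2\User1"/>
    <Permission Allow="1" SID="S-1-5-32-544" AccessMask="0xffffff" TimeMask="ffff" Name="BUILTIN\Administrators"/>
    <Permission Allow="1" SID="S-1-5-21-1111111111-2222222222-3333333333-1105" AccessMask="0xffffff" TimeMask="ffff" Name="CORP\svc_backup"/>
  </Removable>
</Settings>
"""

# Any start tag that carries attributes, e.g. <Permission .../> or an audit/shadowing rule element.
TAG_RE = re.compile(r"<[A-Za-z_][\w.-]*\s[^<>]*?/?>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
# Machine-local (and domain) account SIDs look like S-1-5-21-<three sub-authorities>-<RID>.
# Well-known SIDs (S-1-1-0 Everyone, S-1-5-32-544 Administrators, ...) do not match this.
LOCAL_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def rewrite_tag(tag, computer_name):
    """Return (new_tag, changed). Strips SID and COMPUTER\\ prefix for local accounts only."""
    attrs = dict(ATTR_RE.findall(tag))
    sid = attrs.get("SID")
    name = attrs.get("Name")
    if sid is None or name is None:
        return tag, False                      # not an account entry
    if not LOCAL_SID_RE.match(sid):
        return tag, False                      # well-known SID: identical on every computer
    prefix, sep, account = name.rpartition("\\")
    if not sep or prefix.lower() != computer_name.lower():
        return tag, False                      # domain account (or no prefix): SID resolves as is
    tag = re.sub(r'\sSID="[^"]*"', "", tag, count=1)
    tag = re.sub(r'\bName="[^"]*"', lambda _m: 'Name="%s"' % account, tag, count=1)
    return tag, True


def rewrite_dls(text, computer_name):
    """Rewrite every qualifying entry in the .dls text; return (new_text, number_of_entries_changed)."""
    changed = 0

    def _sub(match):
        nonlocal changed
        new_tag, did_change = rewrite_tag(match.group(0), computer_name)
        changed += did_change
        return new_tag

    return TAG_RE.sub(_sub, text), changed


if __name__ == "__main__":
    # Usage: python fix_dls.py <input.dls> <output.dls> <computer name the file was created on>
    if len(sys.argv) != 4:
        sys.exit("usage: fix_dls.py INPUT.dls OUTPUT.dls SOURCE_COMPUTER_NAME")
    with open(sys.argv[1], "r", encoding="utf-8") as f:
        original = f.read()
    fixed, count = rewrite_dls(original, sys.argv[3])
    with open(sys.argv[2], "w", encoding="utf-8", newline="") as f:
        f.write(fixed)
    print("entries rewritten:", count)
```

Run it against a copy of the .dls file and diff the result before deploying; an entry count of zero means no local-account entries were found for the computer name you gave. If the file is saved in a non-UTF-8 encoding, adjust the encoding arguments accordingly so the untouched parts of the file are written back unchanged.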