MacOSX AIR Permissions for non-administrator user folders

Similar Messages

• Performance Tuning for non Administrator users

  Hi,
  Since i had performance issue on my cube i have followed tutorial:
  http://www.oracle.com/technology/obe/obe_bi/bi_ee_1013/aggpersist/aggpersist.htm
  to obtain best performance using aggregate tables.
  All works, but opening NQSQuery.log i've seen that only Administrator User uses aggregate tables, and not other users. In fact:
  Administrator User:
  WITH
  SAWITH0 AS (select sum(T209.SPESA_PRES0000004A) as c1,
  T202.Sesso00000057 as c2
  from
  SA_Nominat00000090 T202, (Aggregated table)
  ag_Fatti T209 (Aggregated table)
  where ( T202.Nominativo0000005F = T209.Nominativo0000005F )
  group by T202.Sesso00000057)
  select distinct SAWITH0.c2 as c1,
  SAWITH0.c1 as c2
  from
  SAWITH0
  Other user:
  WITH
  SAWITH0 AS (select sum(T32.SPESA_PRESCRITTA) as c1,
  T32.ASSISTITO__SESSO_LVLDSC as c2,
  T32.TEMPO_DIM_ANNO_LVLDSC as c3
  from
  STORDO_CUBE_CUBEVIEW T32
  where ( T32.TEMPO_DIM_LEVEL = 'ANNO' and T32.ASSISTITO__LEVEL = 'SESSO' )
  group by T32.TEMPO_DIM_ANNO_LVLDSC, T32.ASSISTITO__SESSO_LVLDSC)
  select distinct SAWITH0.c2 as c1,
  SAWITH0.c3 as c2,
  SAWITH0.c1 as c3
  from
  SAWITH0
  How can I do to obtain a query similar even for a non Administrator User?
  However, in your opinion, to have a TOTAL level for all dimensions, can me help to improve performances?
  p.s. In addition, aggregate measure value is wrong. It's 900, but it must be 300, infact the total of all rows in fact table is 300 and not 900. In this way, even the report result is wrong!!! Why?
  Thanks
  Giancarlo
  Edited by: user5380662 on 10-mag-2010 4.44
  Edited by: user5380662 on 10-mag-2010 5.47

  Hi daqstudent,
  What versions of Windows (with service packs), LabVIEW, and the DAQmx
  drivers do you have?  It looks like this issue should have been
  fixed in DAQmx version 7.4.  As a work-around, you should be able
  to use the Measurement & Automation Explorer (MAX) to create
  DAQmx Global Channels, and then use those saved Global Channels in LabVIEW. The
  configuration for DAQmx Global Channels in MAX is the same as that of
  the DAQ Assistant in LabVIEW. The only experience lost is seeing the
  actual DAQ Assistant icon in LabVIEW.
  Thaison V

• How to hide the page ribbon and quichlaunch for non admin users

  HI
  1 ) how to hide the ribbon in a page in sharepoint 2010 for non administrator users  
  2) how to hide quicklaunch also for non admin users
  in quick lanuch i want to hide links for all site content also.
  i used Document Center Template to create my web application.
  adil

  HI
  i did not get how i use this control 
  <Sharepoint:SPSecurityTrimmedControl
  runat="server"
  PermissionsString="FullMask">
  2
    <div>
  3
      <SharePoint:SPLinkButton
  id="idNavLinkViewAll"
  runat="server"
  NavigateUrl="~site/_layouts/viewlsts.aspx"
  Text="<%$Resources:wss,quiklnch_allcontent%>" AccessKey="<%$Resources:wss,quiklnch_allcontent_AK%>"/>
  4
    </div>
  5
  </SharePoint:SPSecurityTrimmedControl>
  adil

• User Interface Access Customisation for non admin users

  Hi,
  It is understood that for non-admin users, some features of the Planning Interface is not enabled and this can be controlled by proper access permissions. But, is it possible to extend the customization to provide some additional features in the menu bar for an user?
  For example, if View User wants to manage task lists. Is it possible by some sort of customization? Please advise.
  Thanks.

  Hi,
  You can create right click menus, and you can also create links on the tools page. Would any of these help you?
  Here is the doc on those subjects:
  Creating and Updating MenusAdministrators can create right-click menus and associate them with data forms, enabling users to click rows or columns in data forms and select menu items to:
  Launch another application, URL, or business rule, with or without runtime prompts
  Move to another data form
  Move to Manage Approvals with a predefined scenario and version
  The context of the right-click is relayed to the next action: the POV and the Page, the member the user clicked on, the members to the left (for rows), or above (for columns).
  When designing data forms, use Other Options to select menus available for Data Form menu item types. As you update applications, update the appropriate menus. For example, if you delete a business rule referenced by a menu, remove it from the menu.
  To create, edit, or delete menus:
  Select Administration, then Manage, then Menus.
  Perform one action:
  To create a menu, click Create, enter the menu's name, and click OK.
  To change a menu, select it and click Edit.
  To delete menus, select them, click Delete, and click OK.>
  Specifying Custom ToolsAdministrators can specify custom tools, or links, for users on the Tools page. Users having access to links can click links from the Tools menu to open pages in secondary browser windows.
  To specify custom tools:
  Select Administration, then Application, then Settings.
  For Show, select Advanced Settings.
  Click Go.
  Select Custom Tools.
  For each link:
  For Name, enter the displayed link name.
  For URL, enter a fully qualified URL, including the http:// prefix
  For User Type, select which users can access the link.
  Click Save.

• How to allow access to winrs for non-admin user?

  I have Windows Server 2012 (and Server 2008, but it is next priority) to monitor it using txwinrm. txwinrm library internally is using WinRS protocol. I have to monitor it using least privileged user, but don't know how to configure access for him.
  All I managed to do - is to configure remote Powershell session for my user, but it's look like that winrs and powershell sessions have different security descriptors:
  Invoke-Command -ComputerName 192.168.173.206 -Credential (credential Administrator $pwd) -ScriptBlock { 2 + 2}
  # gives 4
  Invoke-Command -ComputerName 192.168.173.206 -Credential (credential lpu1 $pwd) -ScriptBlock { 2 + 2}
  # gives 4
  winrs -r:192.168.173.206 -u:Administrator -p:$pwd 'powershell -command "2+2"'
  # gives 4
  winrs -r:192.168.173.206 -u:lpu1 -p:$pwd 'powershell -command "2+2"'
  # Gives Winrs error: Access is denied.
  Configuration for my user is following:
  (Get-Item WSMan:\localhost\Service\RootSDDL).value
  # O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1141)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
  (Get-PSSessionConfiguration -name Microsoft.Powershell).SecurityDescriptorSddl
  # O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1149)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
  (In each security descriptor my user is given general access to protected object).
  So what security descriptor should I set to make my winrs query work for non-admin user?

  Hi Bunyk,
  I can not recreate the erroe you posted, and please also post the screenshoot in your convenience.
  I tested with a non-domain user but has the local admin permission of the remote computer, and this worked, before running the remote cmdlet in powershell, I also configured the TrustedHosts.
  In addition, the access denied could be also caused to the Protocol Filtering on the remote server, for more detailed information, please refer to this thread:
  winrs error:access is denied
  I hope this helps.

• Remote Desktop Service Manager - configure permissions for Remote Desktop Users to Send Message, Disconnect, Logoff

  Hello, dear colleagues.
  We are using Windows Server 2012 R2 as Remote Desktop Server. Also use Windows Server 2008 R2 with Remote Desktop Service Manager to control RDS user sessions (Send Message, Disconnect, Logoff, Query Info). 
  Send Message, Disconnect, Logoff options works only for users in Administrators group.
  I can't to configure permissions for Remote Desktop Users, specific user or AD group. 
  To set permissions I'm running RDS Host Configuration on Windows Server 2008 R2 and connect to Windows Server 2012 R2. Then double-click
  RDP-Tcp, Security tab, add specific user account , AD group or configure
  advanced permissions
  for Remote Desktop Users.  
  But, as I sad above, these options works only for users in Administrators group. How to make it work for Remote Desktop Users or specific user, AD group?
  Thanks.
  P.S. If move specific user from Remote Desktop Users group to Administrators group on
  Windows Server 2012 R2 - it works. 

  Hi,
  You can prevent administrators from changing the permissions for a connection by applying the
  Do not allow local administrators to customize permissions Group Policy setting. 
  This Group Policy setting is located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
  Apart there is one command with which you can set the permission for that check the related
  article. Additionally checkthis
  thread for more detail.
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• SQL tab not working in V2.1 EA1 for non-DBA users -- how to fix?

  In v2.1 EA 1 the tab to show the SQL script (DDL) in the object browser is not working for non-DBA users. In the prior version, these users would see a message about DBMS_METADATA and then the message would indicate that an "internal generator" would be used to generate the DDL script. After that brief message the DDL would show up as expected. This doesn't seem to be the case in the newest version.
  I issued the following two grants to a particular user which worked, but I am reluctant to issue the grants to "PUBLIC".
  SQL> grant execute on DBMS_METADATA to XXXXX;
  SQL> grant select_catalog_role to XXXXX;
  So, my questions are:
  1) Will the old functionality (that didn't require these privileges) be added to V2 at some point?
  2) What security implications are there for issueing the above grants to PUBLIC?
  NOTE: After granting execute on the DBMS_METADATA package, it still didn't work. I left that grant in place and granted SELECT_CATAOG_ROLE, so I can't say for sure that the 1st grant was required.
  Edited by: user615070 on Nov 19, 2009 9:30 AM
  Edited by: user615070 on Nov 19, 2009 10:06 AM

  An OEM account is separate from the database account. You need to use OEM UI to create an OEM account, however, for certain tasks to be done in the databases which OEM is monitoring they will also require separate database accounts within those databases. For example, to view the performance tab in OEM UI, a database account is required.
  OEM only has two types of users, i.e. Super Administrator and Administrator, but don't go by the names. You can grant an OEM 'Administrator' account access to specific targets and what they can do within OEM, such as only viewing reports, targets, and so on. For access within a database, the user created need not be a DBA either.
  I hope you understand.

• App is getting damaged when I replace it as non-administrative user

  Hey people,
  When I want to update e.g. VLC Player, as an administrator, it is simple: I just download the dmg, mount it and drop the new version of the VLC.app into the Applications folder to replace the old VLC.app. Few days ago I created a new admin account and changed my old account  to normal user. If I want to install new software that I did not use before, everything works as expected: when I drop an .app package into the Applications folder, I need to type in the admin login and password to allow this operation, then the package will be copied and I can start the new app.
  My problem:
  If I want to update the software by replacing the app as non-administrative user, the system first will promt me to keep both files, replace an older one or to stop - so far so good. BUT, when I select to replace, the copying process actually begins before the administrator prompt and it results in corrupted file. I also tried to create a new user account. So then I need first to remove the broken app (admin prompt once again) and then to install the new one (3rd admin prompt).
  I attached some screenshots to visualize the issue. I have the same issue on two different macs with different  user/admin names. I hope you have any idea how can it be fixed.
  1. I download the package:
  2. Mount the package:
  3. Drag the VLC app to the Applications folder (selecting >Authenticate in the prompt)
  4. Copy prompt (>Replace):
  5. Authenticate with administrative user
  6. Error message:
  7. Corrupted file:

  Thanks, you helped me. I had gotten hung up on '--user = <vboxuser>' in the ExecStart line, which works for one of my other services, but not this one.

• Can't install add-in for non-administrator

  Hello all,
  I'm having trouble getting the Adobe Connect add-in installed under a non-administrator user's account. I found a successful method of installing it in this thread, but that method is no longer working for me. As the forum in question is currently down, I'll paste the post below:
  I know this is an old thread, but we recently had this issue. Our users do not have the ability to install software, and using admin credentials at the UAC prompt installed it in the admin's profile, instead of the user's.
  Here's how we solved it and made it per computer on Vista SP2. All without turning UAC off.
  1) Log in as an admin and install the Connect Add-In.
  2) Browse to the plug-in directory; directory should contain 1 .exe and 1 .s. **Note, there is a space in ...\Flash Player\...**
  C:\users\%your_admin_account%\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin6x5\
  3) Run the connectaddin6x5.exe file, which will create 2 .dll files. It will also launch a window, which is okay to close after the 2 .dll files have been created.
  4) Copy "\www.macromedia.com\bin\connectaddin6x5\*.*&quot; to a central location for easier access.
  5) Copy "\www.macromedia.com\bin\connectaddin6x5\*.*&quot; to c:\users\default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin6x5\*.*
  **When any new user to the system logs in and their profile is generated, this will include the Connect Add-In plugin
  6) For users who already have a profile, we created a simple .bat script to xcopy the directory structure and files created in Step 4 to "C:\Users\%UserProfile%\AppData\Roaming\Macromedia\Flash Player\"
  7) Have the user run the script once and the plug in will be installed for the user.
  8) Log in to/Refresh the meeting.
  I hope this helps. If there's a better way to do this without disabling UAC, I'm interested. Or maybe an MSI to push with GPO. Or even a Setup.exe that can be run with User privileges. But with 10-15 users per computer and 100+ computers, this was our best solution.
  Evan Franklin
  Field Service Engineer, SAIC
  The computer that I used this method on had the add-in working fine until a few days ago, when the add-in stopped being recognized. Repeating the process yielded no results. When installed as an administrator it works fine, and launching the browser under administrator credentials allows the add-in to run, but this is not an acceptable solution for the long-term.
  Any help would be much appreciated.

  Having the same problem has anyone come up with a fix yet?
  Since the connect 9 update to our hosted account we can no longer use in the connect add-in for meetings. we lose all the screen sharing option that we once had working fine.

• Allow a windows non-administrator user to run cmd.exe as administrator without sharing administrator password with the user

  I have standalone Windows 2003 and 2008 Oracle database servers (they are not in a Windows domain environment ). The Oracle DBAs can perform all their routine activities from command line with administrator privileges. For this i've to either share administrator
  user password with the Oracle DBAs or add their windows login user to Administrators group. If i can give the DBA user permission to run windows command prompt without sharing administrator password, i can give them non-administrator login access to Windows
  2003/2008 server. Normally when a non administrator user would try to run a program as administrator on Windows 2008, the user is prompted to input administrator username/password. Is it possible to give non-admin user access to run a program/application (cmd.exe
  in this case) on Windows 2003/2008 without sharing administrator credentials with them?

  With the OTORISER application I developed, normal users can run applications with admin privilege …  
  Otoriser is totally free ! Applications, mmc consoles, control panel cpl files can be run under admin and system context with Otoriser. Let’s say you donot want your users to be admin in their machines, but want them to run some applications with admin rights.
  If this is the case then you are on the right blog.
  There are two components for Otoriser. Management and client components. There are no complex implementation and no frustrating steps to be performed. Within 10 minutes you can start testing the results
  After you download the setup files, install client components in the client by running it directly (or any deployment method you have), it will take about 5 seconds to install it. Then, let’s say you want your user to change system properties of the machine.
  With the tool provided in Admin package produce the hash of system.cpl file and enter that hash into the group policy (details are provided in documentation). When policies are applied for that user then he or she can run that control panel applet under admin
  context but donot forget that the user is still an ordinary user.
  download link :
  http://burakuysaler.wordpress.com/2013/02/21/with-the-otoriser-application-that-i-developed-normal-users-can-run-applications-with-admin-priviledges

• Acrobat 7 requires admin password at every launch for non admin users?

  acrobat 7 requires admin password at every launch for non admin users?
  any one with a solution or similar problem?
  thanks for any help.

  I've been avidly following all of the threads regarding this issue...yet none of the solutions have worked for me. I've got 11 Mac users that do not use the Creative Suite..only Acrobat, Quark, etc. I've tried installing and re-installing through both Admin and User accounts, I've tried the AdobeBib XML change, I've tried enabling Root and installing, changing permission on the Acrobat folder, etc. all to no avail. I still get asked for Admin Authentication every time Acrobat and Distiller are opened (except on the Admin account side). This is happening on one particular Mac (G4, 1GB Ram, OS 10.4.3) for both Acrobat Standard 6 and 7 as well. The biggest issue that also happens in tandem with the Acrobat installs is the inability to print from Quark. I get the following error when printing: "The process "pictwpstops" terminated unexpectedly on signal 6." Because of the necessity to print Quark documents, I have uninstalled all Acrobat on the machines until we can get a fix. This resolves the printing problem with Quark. The only option left is to set up all users as Admin accounts - which I really do not want to do. Any other suggestions out there? I've got more information available if needed.

• I received a notice that there is an update for my Lightroom 5. I have the non-creative cloud version. Is the update available for non-cloud users? It says to download click the link and it takes me to Cloud free trial screen.

  I received a notice that there is an update for my Lightroom 5. I have the non-creative cloud version. Is the update available for non-cloud users? It says to download click the link and it takes me to Cloud free trial screen.

  It is the same installer. You can run it as 30-days trial (CC version) and decide later for CC or stand-alone. To license as stand-alone, follow this guide.
  If you already have the LR6 license key, you can enter it during setup and do not need to follow the guide.

• Can I burn photos onto a DVD/CD for non-Mac users?

  Can I burn photos onto a DVD/CD for non-Mac users? 

  You can burn a plain CD/DVD by just dragging the photos there; but, that may or may not be playable by everyone. To be sure that the result would be playable in any computer or CD/DVD player, it would be better to use either one of the apps already on your system - such as iPhoto. I don't use that myself - I use other third party software - but take a look at iPhoto help. And, you could make it more interesting by creating a slideshow - also in iPhoto, or iMovie. To give it the final cool touch, bring it into iDVD to give it a polished look if you'd like. You can burn it then from any of the above.
  If you happen to have Toast (an excellent burning app), you could use that as well (that is my preferred way to work). In Toast, you have multiple choices: burn a data CD/DVD for Mac only, for Mac & PC, etc, burn a picture CD, video DVD, etc, etc.

• Solved - How to take ownership and change permissions for blocked files and folders in Powershell

  Hello,
  I was trying to take ownership & fix permissions on Home Folder/My Documents structures, I ran into the common problem in PowerShell where Set-Acl & Get-Acl return access denied errors. The error occurs because the Administrators have been removed from
  file permissions and do not have ownership of the files,folders/directories. (Assuming all other permissions like SeTakeOwnershipPrivilege have been enabled.
  I was not able to find any information about someone successfully using native PS to resolve the issue.  As I was able to solve the issues surrounding Get-Acl & Set-Acl, I wanted to share the result for those still looking for an answer.
  Question: How do you use only Powershell take ownership and reset permissions for files or folders you do not have permissions or ownership of?
  Problem: 
  Using the default function calls to the object fail for a folder that the administrative account does not have permissions or file ownership. You get the following error for Get-Acl:
  PS C:\> Get-Acl -path F:\testpath\locked
  Get-Acl : Attempted to perform an unauthorized operation.
  + get-acl <<<< -path F:\testpath\locked
  + CategoryInfo : NotSpecified: (:) [Get-Acl], UnauthorizedAccessException
  + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetAclCommand
  If you create a new ACL and attempt to apply it using Set-Acl, you get:
  PS C:\> Set-Acl -path F:\testpath\locked -AclObject $DirAcl
  Set-Acl : Attempted to perform an unauthorized operation.
  At line:1 char:8
  + Set-Acl <<<< -path "F:\testpath\locked" -AclObject $DirAcl
  + CategoryInfo : PermissionDenied: (F:\testpath\locked:String) [Set-Acl], UnauthorizedAccessException
  + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand
  Use of other functions like .GetAccessControl will result in a similar error: "Attempted to perform an unauthorized operation."
  How do you replace owner on all subcontainers and objects in Powershell with resorting to external applications like takeown, icacls, Windows Explorer GUI, etc.?
  Tony

  Hello,
  Last, here is the script I used to reset permissions on the "My Documents" tree structure that admins did not have access to:
  Example:  Powershell script to parse a directory of User-owned "My Document" redirection folders and reset permissions.
  #Script to Reset MyDocuments Folder permissions
  $domainName = ([ADSI]'').name
  Import-Module "PSCX" -ErrorAction Stop
  Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true) #Necessary to set Owner Permissions
  Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeBackupPrivilege", $true) #Necessary to bypass Traverse Checking
  #Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeSecurityPrivilege", $true) #Optional if you want to manage auditing (SACL) on the objects
  Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeTakeOwnershipPrivilege", $true) #Necessary to override FilePermissions & take Ownership
  $Directorypath = "F:\Userpath" #locked user folders exist under here
  $LockedDirs = Get-ChildItem $Directorypath -force #get all of the locked directories.
  Foreach ($Locked in $LockedDirs) {
  Write-Host "Resetting Permissions for "$Locked.Fullname
  #######Take Ownership of the root directory
  $blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
  $blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
  $Locked.SetAccessControl($blankdirAcl)
  ###################### Setup & apply correct folder permissions to the root user folder
  #Using recommendation from Ned Pyle's Ask Directory Services blog:
  #Automatic creation of user folders for home, roaming profile and redirected folders.
  $inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
  $propagation = [system.security.accesscontrol.PropagationFlags]"None"
  $fullrights = [System.Security.AccessControl.FileSystemRights]"FullControl"
  $allowrights = [System.Security.AccessControl.AccessControlType]"Allow"
  $DirACL = New-Object System.Security.AccessControl.DirectorySecurity
  #Administrators: Full Control
  $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators",$fullrights, $inherit, $propagation, "Allow")))
  #System: Full Control
  $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM",$fullrights, $inherit, $propagation, "Allow")))
  #Creator Owner: Full Control
  $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("CREATOR OWNER",$fullrights, $inherit, $propagation, "Allow")))
  #Useraccount: Full Control (ideally I would error check the existance of the user account in AD)
  #$DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("$domainName\$Locked.name",$fullrights, $inherit, $propagation, "Allow")))
  $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("$domainName\$Locked",$fullrights, $inherit, $propagation, "Allow")))
  #Remove Inheritance from the root user folder
  $DirACL.SetAccessRuleProtection($True, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
  #Set permissions on User Directory
  Set-Acl -aclObject $DirACL -path $Locked.Fullname
  Write-Host "commencer" -NoNewLine
  ##############Restore admin access & then restore file/folder inheritance on all subitems
  #create a template ACL with inheritance re-enabled; this will be stamped on each subitem to re-establish the file structure with inherited ACLs only.
  #$NewOwner = New-Object System.Security.Principal.NTAccount("$domainName","$Locked.name") #ideally I would error check this.
  $NewOwner = New-Object System.Security.Principal.NTAccount("$domainName","$Locked") #ideally I would error check this.
  $subFileACL = New-Object System.Security.AccessControl.FileSecurity
  $subDirACL = New-Object System.Security.AccessControl.DirectorySecurity
  $subFileACL.SetOwner($NewOwner)
  $subDirACL.SetOwner($NewOwner)
  ######## Enable inheritance ($False) and not copy of parent ACLs ($False)
  $subFileACL.SetAccessRuleProtection($False, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
  $subDirACL.SetAccessRuleProtection($False, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
  #####loop through subitems
  $subdirs = Get-ChildItem -path $Locked.Fullname -force -recurse #force is necessary to get hidden files/folders
  foreach ($subitem in $subdirs) {
  #take ownership to insure ability to change permissions
  #Then set desired ACL
  if ($subitem.Attributes -match "Directory") {
  # New, blank Directory ACL with only Owner set
  $blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
  $blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
  #Use SetAccessControl to reset Owner; Set-Acl will not work.
  $subitem.SetAccessControl($blankdirAcl)
  #At this point, Administrators have the ability to change the directory permissions
  Set-Acl -aclObject $subDirACL -path $subitem.Fullname -ErrorAction Stop
  } Else {
  # New, blank File ACL with only Owner set
  $blankfileAcl = New-Object System.Security.AccessControl.FileSecurity
  $blankfileAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
  #Use SetAccessControl to reset Owner; Set-Acl will not work.
  $subitem.SetAccessControl($blankfileAcl)
  #At this point, Administrators have the ability to change the file permissions
  Set-Acl -aclObject $subFileACL -path $subitem.Fullname -ErrorAction Stop
  Write-Host "." -NoNewline
  Write-Host "fin."
  Write-Host "Script Complete."
  I hope you find this useful.
  Thank you,
  Tony
  Final Thought: There are great non-PS tools like
  Set-Acl and takeown which are external to PS & can also do the job wonderfully.  It may be much simpler to call those tools than recreate the wheel in pure
  code.  Feel free to use whatever best suits your time, scope & cost.

• Reader 9.5.1 Crashes after a few seconds for non-Admin users

  I have Adobe Reader 9.5.1 installed on some Citrix XenApp 5.0 servers that are Windows 2003.  Any time a non-admin user launches Reader it is open for a matter of seconds and then crashes.  It shows a Dr Watson crash in the error logs each time. If I logon as an Administrator, it works just fine.  I've tried reinstalling/repairing the installation to no avail. 
  Has anybody run into this in the past or does anyone have any ideas on how to fix it?

  My company is into same issue but thing is that I cannot uninstall the MS patch as it will be vulnerability for our servers and we have opened a case with MS and they have reveiwed the proc dump and now MS is asking to get this reviewed with Adobe. I'm not sure how to reach out to Adobe Support to get the fix from them. Any solution on this regard, it will be great help. Thanks, Sayed.