LockPermissions Table

The LockPermissions Table is used to secure individual portions of an application in a locked-down environment. It can be used with the installation of files, registry keys, and created folders.

A package intended for installation on Windows Server 2008 R2 or Windows 7 should use the MsiLockPermissionsEx Table rather than the LockPermissions Table. Windows Installer versions earlier than Windows Installer 5.0 ignore the MsiLockPermissionsEx Table. Windows Installer 5.0 can install a package that contains the LockPermissions Table. Beginning with Windows Installer 5.0, installation of a package that contains both the MsiLockPermissionsEx Table and the LockPermissions Table fails and returns Windows Installer error message 1941.

The LockPermissions Table has the following columns.

Column       Type           Key   Nullable
LockObject   Identifier     Y     N
Table        Text           Y     N
Domain       Formatted      Y     Y
User         Formatted      Y     N
Permission   DoubleInteger  N     Y

Columns

LockObject

This column and the Table column together specify the file, directory, or registry key that is to be secured. The LockObject column is a foreign key that points to the primary key of the table specified by the Table column.

Table

This column and the LockObject column specify the file, directory, or registry key that is to be secured. In the Table column, enter File, Registry, or CreateFolder to specify a LockObject listed in the File Table, Registry Table, or CreateFolder Table.

Domain

The column that identifies the domain of the user for which permissions are to be set. This is the name of a stand-alone machine or a domain name. The column data type is Formatted, and you may use the string [%USERDOMAIN] in this field to get the value of the USERDOMAIN environment variable for the current domain. Getting any other domain requires using Custom Actions. For more information, see the Custom Action Table.

User

The column that identifies the localized name of the user for which permissions are to be set. This name must be located on the machine or domain. The installation fails if the machine or domain controller does not recognize the domain and user combination, or if the user's security identifier (SID) cannot be retrieved. Multiple users can be specified for a single LockObject.

The common user names "Everyone" and "Administrators" may be entered in English and are mapped to well-known SIDs. LocalSystem is given full control in all security descriptors created through the LockPermissions Table. You can use the ComputerName Property, LogonUser Property, or USERNAME Property in this field to get the current user. A custom action is required to enter the localized name of any other user or group.

You can use multiple records with identical LockObject and Table entries (but different User entries) to specify access control lists for multiple users.

Permission

The column that identifies the integer description of system privileges. The following are the most commonly used values (a complete list exists in Winnt.h).

Privilege         Value                       Description
GENERIC_ALL       0x10000000 (268435456)      Read, write, and execute access
GENERIC_EXECUTE   0x20000000 (536870912)      Execute access
GENERIC_WRITE     0x40000000 (1073741824)     Write access

You cannot specify GENERIC_READ in the Permission column. Attempting to do so will fail. Instead, you must specify a value such as KEY_READ or FILE_GENERIC_READ.

Null entered in this column is reserved for future use.

Remarks

The InstallFiles, WriteRegistryValues, and CreateFolders actions in sequence tables process the information in this table. For information about using sequence tables, see Using a Sequence Table.

Permissions can only be set in the LockPermissions Table for users that already exist on the computer or domain. An attempt to set permissions for an unknown user causes the installation to fail, even if that user account is created during the installation by a deferred custom action.

It is recommended that the system administrator's local group be included in all access control lists (ACLs). This ensures that the system administrator can access and maintain the objects.
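As an added example (not code from this page or from Windows Installer), the following Python linter applies the column rules above (valid Table values, non-null User, no GENERIC_READ, unique primary key, error 1941 when both tables are present) and the remarks about including the Administrators group to a set of constructed LockPermissions rows; the object names and the Everyone-write warning are the linter's own and not from the page.

```python
from typing import Dict, List

# Access-mask values from Winnt.h; the first three are the ones the page lists.
GENERIC_ALL = 0x10000000
GENERIC_EXECUTE = 0x20000000
GENERIC_WRITE = 0x40000000
GENERIC_READ = 0x80000000  # rejected in the Permission column (see above)
VALID_TABLES = {"File", "Registry", "CreateFolder"}


def lint_lock_permissions(rows: List[Dict], has_lock_permissions_ex: bool = False) -> List[str]:
    """Return findings for LockPermissions rows (dicts keyed by column name); an empty list means OK."""
    findings: List[str] = []
    if rows and has_lock_permissions_ex:
        findings.append("error 1941: both LockPermissions and MsiLockPermissionsEx are present")
    seen = set()
    admins_present: Dict[tuple, bool] = {}
    for r in rows:
        obj, table, user = r["LockObject"], r["Table"], r.get("User")
        domain, perm = r.get("Domain"), r.get("Permission")
        key = (obj, table, domain, user)  # the table's primary key columns
        if key in seen:
            findings.append(f"{obj}: duplicate primary key {key}")
        seen.add(key)
        if table not in VALID_TABLES:
            findings.append(f"{obj}: Table must be File, Registry or CreateFolder, got {table!r}")
        if not user:
            findings.append(f"{obj}: User column is not nullable")
        if perm is not None and perm & GENERIC_READ:
            findings.append(f"{obj}: GENERIC_READ is not allowed; use KEY_READ or FILE_GENERIC_READ")
        # Track whether each secured object includes the local Administrators group.
        admins_present.setdefault((obj, table), False)
        if user == "Administrators":
            admins_present[(obj, table)] = True
        # Linter policy (not a page rule): write access for Everyone deserves a review.
        if user == "Everyone" and perm is not None and perm & (GENERIC_ALL | GENERIC_WRITE):
            findings.append(f"{obj}: warning: Everyone is granted write access")
    for (obj, table), ok in admins_present.items():
        if not ok:
            findings.append(f"{obj}: warning: Administrators group missing from ACL (recommended)")
    return findings


# Constructed sample rows for a hypothetical package (object names are placeholders).
SAMPLE_ROWS = [
    {"LockObject": "config.ini", "Table": "File", "Domain": None, "User": "Administrators", "Permission": GENERIC_ALL},
    {"LockObject": "config.ini", "Table": "File", "Domain": None, "User": "Everyone", "Permission": GENERIC_WRITE},
    {"LockObject": "AppKey", "Table": "Registry", "Domain": "[%USERDOMAIN]", "User": "[LogonUser]", "Permission": GENERIC_READ},
    {"LockObject": "LogDir", "Table": "Directory", "Domain": None, "User": None, "Permission": GENERIC_EXECUTE},
]
```

Running `lint_lock_permissions(SAMPLE_ROWS)` reports the GENERIC_READ row, the invalid Table value, the missing User, and the objects without an Administrators entry.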

Every file, registry key, or directory that is listed in the LockPermissions Table receives an explicit security descriptor, whether it replaces an existing object or not. The Windows Installer attempts to preserve the security on objects that already exist on the system. If an object is not listed in the LockPermissions Table and replaces an existing object, the replacement gets the security settings of the object that it replaces.

If an object is not listed in the LockPermissions Table and does not replace an existing object, it receives no explicit security descriptor. Access to the new object is based on the attributes of its parent or container object. If an object is not listed in the table and replaces an object with no explicit security descriptor, access to the new object is likewise based on the attributes of its parent or container object.

The Windows Installer sets the UserSID property to the security identifier (SID) of the user running the installation.

Validation

ICE03
ICE06
ICE46
ICE55