During a beta test, a customer installed some software of ours which accidentally modified the permissions of the All Users/Application Data folder on about 500 computers. They deployed the software using Altiris. The permissions got changed and began causing issues for applications like antivirus software which wanted to write data to that folder.
The permission change was not recursive. As a test we created a version of the software they could install as a patch which gave the "everyone" user full control. This resolved the issues with antivirus software but now the permissions are insecure.
In my MSI tool creator (Advanced Installer) I can get really close to replicating the default windows settings with the exception being the entry indicated by the green arrow below.
alt text http://www.blakerobertson.com/storage/perm/ApplyOnlyToFolders.png
Any advice from the system admins on how they would go about resetting the permissions? The customer can use the Altiris management software to execute a utility of sorts if someone knows of one.
Try xcacls.vbs (http://support.microsoft.com/kb/825751). It is a free VBScript command-line utility from Microsoft that is similar to the cacls command, but with more options. It has the ability to apply more fine-grained permissions than cacls, but read the instructions (displayed by typing the command without any options: cscript xcacls.vbs) carefully; they are quite complex! It does have the ability to apply permissions only onto "This folder and subfolders"; I've used it before to do exactly that.
If you are running Windows Vista or later, the included icacls utility (http://technet.microsoft.com/en-us/library/cc753525(WS.10).aspx) might be more appropriate.
Once you have crafted the proper command (using either tool), put it into a *.cmd script, and then add the script to a Group Policy Object in order to apply it to the machines via Group Policy. Note that you will also have to somehow load xcacls.vbs onto every machine if you go that route. This could be accomplished by including a command to download the xcacls.vbs script from a file share and save it locally in the same *.cmd script where your permission-setting command resides (or you could perhaps try running it directly from a file share).
You can correct this using a GPO pretty easily.
If they want to use Altiris, then setup a job to use cacls.exe to reset the rights on the folder.
Here is the resulting code based on Jay Michaud's suggestion.
I ended up adding a custom action to my installer. That ran after files were copied over. If you do that you'll want this code below and you'll want to pipe in as arguments: APPDIR|CommonAppDataFolder. (yes that's a pipe delimiting them)