Trouble with IE DOM Storage on Windows 8.1 after imaging with Deployment Toolkit 2013

I am a network administrator using MDT 2013 to roll out Windows 8.1 machines to my organization.  The process is working well.  The issue I'm having is that after the machine is imaged, for each user that logs into the machine and tries to use a webpage in IE 11 that utilizes DOM storage, the page doesn't work as expected.  The Developer Tools indicate that there is a "SCRIPT5: Access is Denied" on a line that tries to store something in the 'localStorage' object via JavaScript.  This page will work on other browsers, and on other Windows 8.1 computers that are running IE11 with the same internet options set.  After googling, I found this page: https://social.technet.microsoft.com/Forums/ie/en-US/066767a5-f9d5-45f4-95cf-dcd0ff030090/script5-access-is-denied-error-when-accessing-web-sites-using-localstorage and this one: http://answers.microsoft.com/en-us/ie/forum/ie10-windows_7/ie10-script5-access-is-denied/e87bdb30-7f2a-4510-bfa3-a22b995f777b which both point to a problem with the %USERPROFILE%\AppData\LocalLow\ folder not having correct Integrity settings.

I had to use Process Monitor to determine where the computer was attempting to create the DOMStorage folder, because it wasn't in %USERPROFILE%\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore, like the linked articles indicated, but rather in %USERPROFILE%\AppData\Microsoft\Windows\AppCache.

Troubleshooting this with icacls, I see that the correct line appears on the 'LocalLow' folder:

Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)

This indicates also that it should propagate to all items created underneath it (that's what the (OI)(CI) business means).  However, when looking at the 'Microsoft' folder inside the 'LocalLow' folder, the integrity setting is missing - the 'Mandatory Label\...' line doesn't appear when checking the directory with icacls.  If I manually add the line using icacls, things work again as they should.  I cannot, however, do this for every single user on every single win8.1 machine I roll out - this needs to work out of the box.  Why is the inheritance broken?

Can anyone help me or point me in the right direction?

Thanks,

-Paul

EDIT: More troubleshooting.  I figured this problem somehow came from Inheritance being broken below the 'LocalLow' level for some reason.  After a clean image on a new machine, I logged in and verified that the setting for the 'locallow' directory was:

Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)

and no integrity setting appeared for the 'Microsoft' directory inside 'LocalLow'.

I issued the command 'icacls %USERPROFILE%\appdata\locallow /setintegritylevel (CI)(OI)L', which is EXACTLY the setting the 'LocalLow' directory currently had, and now the 'Microsoft' directory has the following permissions:

locallow\microsoft NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                   BUILTIN\Administrators:(OI)(CI)(F)
                   [[MY DOMAIN\USERNAME]]:(OI)(CI)(F)
                   NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                   BUILTIN\Administrators:(I)(OI)(CI)(F)
                   [[MY DOMAIN\USERNAME]]:(I)(OI)(CI)(F)
                   Mandatory Label\Low Mandatory Level:(I)(OI)(CI)(NW)

So, I'm again led to believe that inheritance is broken in the locallow folder (since all the permissions now show duplicated inherited settings from the parent 'LocalLow' directory).

  • Edited by Paul_M_Jones Wednesday, March 18, 2015 9:43 PM More Information
March 18th, 2015 9:00pm
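
An added example, not part of the original post: a read-only PowerShell audit of the check described above. It lists each directory under LocalLow with the mandatory label icacls reports for it, so unlabeled directories such as the 'Microsoft' folder stand out. The function name, its parameters and the English-language match on icacls output are assumptions.

```powershell
# Added example (not from the original post): read-only audit of mandatory
# integrity labels under LocalLow. A directory with no label is treated as
# Medium integrity, so a Low-integrity process cannot write to it.
# Assumptions: English icacls output; function and parameter names are illustrative.
function Get-LowIntegrityLabelReport {
    param(
        [string]$Root  = (Join-Path $env:USERPROFILE 'AppData\LocalLow'),
        [int]$Depth    = 2   # how many levels below $Root to inspect
    )

    # Collect the root plus its subdirectories down to $Depth levels
    # (manual walk so it also runs on the PowerShell 4 shipped with Windows 8.1).
    $dirs  = @(Get-Item -LiteralPath $Root -Force)
    $level = $dirs
    for ($i = 0; $i -lt $Depth; $i++) {
        $level = @($level | ForEach-Object {
            Get-ChildItem -LiteralPath $_.FullName -Directory -Force -ErrorAction SilentlyContinue
        })
        if (-not $level) { break }
        $dirs += $level
    }

    $pattern = 'Mandatory Label\\([^:]+):(.+)$'
    foreach ($d in $dirs) {
        # icacls prints one ACE per line; the label, if present, is one of them.
        $line = & icacls.exe $d.FullName 2>$null |
            Where-Object { $_ -match $pattern } |
            Select-Object -First 1

        $label = $null
        $flags = ''
        if ($line -and ($line -match $pattern)) {
            $label = $Matches[1].Trim()
            $flags = $Matches[2].Trim()
        }

        [pscustomobject]@{
            Path       = $d.FullName
            Label      = $label                      # $null means no explicit or inherited label
            Flags      = $flags                      # e.g. (OI)(CI)(NW) or (I)(OI)(CI)(NW)
            Inherited  = $flags -like '*(I)*'        # (I) marks an ACE inherited from the parent
            Propagates = ($flags -like '*(OI)*') -and ($flags -like '*(CI)*')
        }
    }
}

# List only the directories that are missing a label:
Get-LowIntegrityLabelReport | Where-Object { -not $_.Label } | Select-Object Path
```

Running it before and after the `icacls ... /setintegritylevel` command quoted in the post shows which directories gained an inherited `(I)` label and which remain unlabeled.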
