Use a GPO to give read-access to local file system on multiple servers

Posted on 2006-06-01
Medium Priority
Last Modified: 2008-02-01
We have hundreds of servers in our environment and I want to give certain support personnel read-only access to the C:\ and D:\ volumes. I want to create a local group named 'ProductionSupport' on the servers that need this and insert domain accounts into this group. This way, if I need to give developers read access to a new server, all I need to do is create a local ProductionSupport group and add members to the group. My question is: how do I set up my GPO?

When I go into Group Policy Management from my workstation, a member server, or a domain controller for that matter, and navigate to Computer Configuration\Windows Settings\Security Settings\File System and click Add File, I am only able to add domain groups.

Is there a way to add the 'ProductionSupport' group so that, if it exists locally on any server in the domain, the GPO will grant members of this local group read access to the local file systems?

Question by:bangia_v

Expert Comment

ID: 16811294

Do you want a separate group for each server, or one group that will give the same permissions, to every group member, for all servers? i.e.

"I want to give certain support personnel read only access to the C:\ and D:\ volumes." On all servers, or only certain personnel on certain servers?




Expert Comment

by:Joseph Nyaema
ID: 16815032
You can only create local groups on member servers (not domain controllers) using lusrmgr.msc
that on a member server is go to


Expert Comment

ID: 16815850
Would Power Users work, just as a suggestion?

Author Comment

ID: 16816179
Unfortunately they can't be power users.  I figured it out last night however.  Here's how I did it:

Using my local desktop, Group Policy Management and two servers. (let's call them server_a and server_b) I created a local group on each of the servers called ProductionSupport.  I created a domain group called CRMSupport and put a test_user into it.  I then nested CRMSupport into the ProductionSupport group on both servers.

On my desktop (let's call it desktop) I created a local group called ProductionSupport. Using Group Policy Management (from my desktop) I created and linked a new GPO to the OU where server_a and server_b were located.

Inside GP management, I navigated to Computer Configuration\Windows Settings\Security Settings\File System and then gave the 'DESKTOP\ProductionSupport' local group read/execute rights to C:\ and D:\.  The only local groups available to me were ones on my own machine.  

I waited about an hour and when I logged into server_a and server_b as test_user (I did also add CRMSupport to the Remote Desktop Users group on both servers) the test_user account was granted read/execute to both the C:\ and D:\ volumes.

I had no idea this would work. I thought that since I was assigning read/execute to DESKTOP\ProductionSupport via GPO that only this local group on my machine would have these rights. It turns out that as long as a local group exists on the server in question (has to be the same name) it doesn't matter that the SIDs are different.

Again, I haven't seen any documentation from MS that this should work, but I did get it to work last night. I'm going to try to expand it to other servers today.
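
Because the behaviour described above is reported as undocumented, it is worth confirming on each server what the GPO actually wrote to the volume ACLs. The following is an added audit example, not part of the original thread or the poster's procedure; it assumes PowerShell remoting is enabled on the servers and reuses the thread's placeholder names server_a and server_b.

```powershell
# Added example (not from the thread). Placeholder server names; requires remoting.
$servers = 'server_a', 'server_b'
$group   = 'ProductionSupport'
$paths   = 'C:\', 'D:\'

$check = {
    param($group, $paths)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ntType  = [System.Security.Principal.NTAccount]
    # Read/execute as the ACL editor grants it (Synchronize is always included).
    $allowed = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'

    # SID of the group as it exists locally on THIS server, if it exists at all.
    $localSid = $null
    try {
        $acct = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\$group")
        $localSid = $acct.Translate($sidType).Value
    } catch { }

    foreach ($path in $paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $rules = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType)
        # ACEs that name this server's own local group.
        $mine = @($rules | Where-Object { $_.IdentityReference.Value -eq $localSid })
        # ACEs whose SID does not resolve to any account known to this server.
        $orphans = @($rules | Where-Object {
            try { $null = $_.IdentityReference.Translate($ntType); $false } catch { $true }
        } | ForEach-Object { $_.IdentityReference.Value })
        # Allow ACEs for the group carrying any bit outside read/execute.
        # Generic-right bits are flagged too, for manual review.
        $excess = @($mine | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band (-bnot $allowed))
        })
        [pscustomobject]@{
            Path              = $path
            GroupExists       = [bool]$localSid
            GroupAces         = ($mine | ForEach-Object {
                "$($_.AccessControlType):$($_.FileSystemRights)" }) -join '; '
            BeyondReadExecute = $excess.Count -gt 0
            UnresolvedSids    = $orphans -join ', '
        }
    }
}

Invoke-Command -ComputerName $servers -ScriptBlock $check -ArgumentList $group, $paths |
    Select-Object PSComputerName, Path, GroupExists, GroupAces, BeyondReadExecute, UnresolvedSids
```

A server that shows `GroupExists` as true but an empty `GroupAces`, or any entry in `UnresolvedSids`, did not end up with an ACE for its own local group and should be checked by hand.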

Expert Comment

ID: 16816337
:) clever you.

Accepted Solution

CetusMOD earned 0 total points
ID: 17022948
PAQed with points refunded (500)

Community Support Moderator
