Group Policy is keeps removing IUSR_Computername from a folders permissions

I am running Trend Micro Antivirus for SMB on a Windows 2003 R2 SP2 server in a native 2003 Active Directory environment. I inherited a very poorly setup active directory environment in which the previous sys admin used the default domain policy for all his hacks. The default domain policy seems to remove the IUSR_computername account from the security permission tab on a folder located in C:\Program Files\Trend Micro\Security Server\PCCSRV\TEMP directory. The IUSR_Computername account needs R/W/Modify permissions to this folder in order for the Trend Security Dashboard to function properly. I re add the permissions but every time the policy refreshes its gone completely. While I can move the server to another OU and block the default domain policy and it does not get removed, I would really like to find out what setting is removing it in my default domain policy. Please Help!!!!
ritch578Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ametzlerCommented:
Have you checked for entries in File System under Computer Configuration --> Windows Settings --> Security Settings in Group Policy?
0
ritch578Author Commented:
Yes, I but it has so many entries that I think I overlooked the C:/Program Files entry. Will removing this entry  stop the local IUSR_computername account from being deleted on my file two directories down from the Program Files directory?  Is it normal to have well over a hundred entries in the File system tab for a default domain policy? Example attached in word file






2003-GP-File-System-tab.doc
0
ametzlerCommented:
I believe the File system entries works like Restricted Groups entries. That is, if there is an entry, ONLY those users or groups specified will be allowed on the ACL/DACL. Removing any entry for that folder will allow you to set permissions on the server manually.

By default there are no entries in there. As a matter of management, I personally prefer not to have all my policies in the default domain policy. I prefer to have descriptive policies. So, it's only normal if that's the way tha admin set it up. It's certainly easier to lump everything into one policy..
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.