Solved

Microsoft Windows Server 2003 Active Directory - Setting Local Machine Permissions via Group Policy

Posted on 2008-06-09
Last Modified: 2013-12-04
Hello Everyone,

What I'm trying to do is basically have an Active Directory user log in and authenticate with the server and, after the successful login, have a policy that sets a local machine permission for "Everyone" to read/execute on a specific local directory, i.e. C:\Program Files\System\Printfiles.

Is this possible at all, or do I have to manually administrate each local machine and set effective permissions on the directory of each machine?  

As a note: The software we use to manage our inventory requires full permissions on specific directories to be able to view reports and print them as well.  The Printfiles folder must have read/execute to view the reports.

Thanks in advance,

Chris


Question by:Chris James
14 Comments
 
LVL 16

Expert Comment

by:gurutc
ID: 21745335
Hi,

Is this specific folder going to be shared?  That's one way to do it.  Set the permissions on the folder to everyone, and then during the login process, run the command line 'net share' command to enable shared access to the folder and to set the share permissions.

To check out this functionality, go to a command prompt and type NET SHARE /?

Then, when the user logs out, you can use the NET SHARE command to delete the share.

Good Luck,
- gurutc
0
 
LVL 16

Expert Comment

by:gurutc
ID: 21745371
Hi again,

In addition, the net share command now includes the Grant feature for permissions.  

See this at:

http://windowsitpro.com/article/articleid/93427/the-net-share-command-in-windows-server-2003-adds-the-grant-of-share-permissions.html

You can put the scripting for the share manipulation in the login and logoff scripts.  Note that you'll have to add these servers to the Active Directory for this to be done most easily, but that still isn't mandatory.

Good Luck,
- gurutc
0
 
LVL 4

Author Comment

by:Chris James
ID: 21745487
The folder that I want to set permissions on is on a local machine.  Actually, it's on each individual client machine we have here on the network.  We have an application that manages the inventory print files and we need to be able to add permissions to the local install directory of C:\Program Files\System\Printfiles, not on the server.

Is what you are suggesting going to work with local permissions?
0
 
LVL 16

Expert Comment

by:gurutc
ID: 21745555
Hi again,

If you make sure that the login script runs for a user that has rights, then this method will allow setting permissions of Everyone for a shared folder, even if it's a local session.

- gurutc
0
 
LVL 4

Author Comment

by:Chris James
ID: 21745593
Let me see if I am understanding you correctly. So, for example, I have an OU in Active Directory with users, and I can add a GPO logon script to execute the net share command on a specific directory, i.e. C:\Program Files\DDI System\inForm\Printfiles, and add their read/execute permissions on the local machine they are using, right?

I'm not sure how to use the net share, I looked in the link you've provided but am getting confused.

So is it... "net share sharename=C:\Program Files\DDI System\inForm\Printfiles .... and then what?

0
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 21745602
I just thought I would add my comment to this question. Personally, I would not use scripting to achieve this. It would be much easier to use the built-in method in Group Policy to change the file system permissions on that folder. For ease of configuration, just give the Domain Users group Full Control in the GPO.

More information on setting the permissions through GPO can be found at http://windowsitpro.com/article/articleid/82361/jsi-tip-8724-how-can-i-use-group-policy-to-set-file-system-andor-registry-permissions.html. From what I can see in your case, this will be a LOT easier than having a script do this for you - when it's got built-in support, why overcomplicate it!?
0
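An added example, not part of the original thread: the Group Policy File System setting described in the answer above is stored in the GPO's security template (GptTmpl.inf) as `"path",mode,"SDDL"` lines under `[File Security]`, and this script reads such lines and reports any ACE that gives a broad group more than the read/execute the question asks for. The sample template text, the Reports folder and the function names are constructed for illustration.

```python
import re

# SDDL rights codes -> access-mask bits (file, generic, standard, specific).
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
          "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100}
# SDDL SID aliases for groups that cover most or all users.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "BUILTIN\\Users",
         "DU": "Domain Users", "IU": "INTERACTIVE"}
# Read & execute (0x1200A9) plus its generic equivalents.
READ_EXECUTE = 0x1200A9 | RIGHTS["GR"] | RIGHTS["GX"]

# Constructed sample template; the Reports folder is hypothetical.
SAMPLE_INF = r'''
[File Security]
"%ProgramFiles%\DDI System\inForm\Printfiles",0,"D:AR(A;OICI;FA;;;WD)"
"%ProgramFiles%\DDI System\inForm\Reports",0,"D:AR(A;OICI;0x1200a9;;;WD)(A;OICI;FA;;;BA)"
'''

def rights_mask(field):
    # The rights field is either a hex mask or a run of two-letter codes.
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]
    return mask

def audit_file_security(inf_text):
    # Returns (path, group, excess-bits) for allow ACEs beyond read/execute.
    findings, in_section = [], False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[file security]"
            continue
        m = re.match(r'"([^"]+)",\s*(\d),\s*"([^"]*)"$', line)
        if not (in_section and m):
            continue
        path, sddl = m.group(1), m.group(3)
        for ace in re.findall(r"\(([^)]*)\)", sddl):
            parts = ace.split(";")
            if len(parts) >= 6 and parts[0] == "A" and parts[5] in BROAD:
                excess = rights_mask(parts[2]) & ~READ_EXECUTE
                if excess:
                    findings.append((path, BROAD[parts[5]], hex(excess)))
    return findings
```

Calling `audit_file_security(SAMPLE_INF)` reports only the Printfiles entry, where Everyone holds Full Control; the read/execute entry for Everyone and the administrators' Full Control entry are not reported.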
 
LVL 4

Author Comment

by:Chris James
ID: 21745629
Tigermatt, that is EXACTLY what I was looking for, I am going to see if it works now.  I will let you know if it is successful.
0
 
LVL 4

Author Comment

by:Chris James
ID: 21745742
I have applied the following permissions and set "Everyone" on the directory "C:\Program Files\DDI System\inForm\Printfiles"

Does this look right to you?  Did I select the correct setting for the inheritance?
So far the policy hasn't applied yet.  I guess I have to wait a bit for it to apply.
0
 
LVL 16

Expert Comment

by:gurutc
ID: 21745845
Cool looking solution!  I'm schooled if it works too.

- gurutc
0
 
LVL 4

Author Comment

by:Chris James
ID: 21745863
So far mine still hasn't applied yet, still waiting :s
0
 
LVL 16

Expert Comment

by:gurutc
ID: 21745886
Hi,

It would be

net share printfiles="C:\Program Files\DDI System\inForm\Printfiles" /GRANT:everyone,FULL

If you did it that way.

- gurutc
0
 
LVL 4

Author Closing Comment

by:Chris James
ID: 31465482
I had to do the gpupdate /force command to force the policy to take effect.  Thank you for the solution.
0
 
LVL 4

Author Comment

by:Chris James
ID: 21745981
I had to do the gpupdate /force command to force the policy to take effect.  Thank you for the solution, "Tigermatt", and thank you everyone for your help.  Much appreciated.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21746259
Unless you restart a workstation and give time for a policy to apply down, you have to run gpupdate /force for GPO changes to be downloaded. The /force command forces all settings which are the same to be resync-ed too.

Good to hear it worked!
0
