Solved

Microsoft Windows Server 2003 Active Directory - Setting Local Machine Permissions via Group Policy

Posted on 2008-06-09
Last Modified: 2013-12-04
Hello Everyone,

What I'm trying to do is basically have an Active Directory user log in and authenticate with the server and, after the successful login, have a policy that sets a local machine permission for "Everyone" to read/execute on a specific local directory, i.e. C:\Program Files\System\Printfiles.

Is this possible at all, or do I have to manually administrate each local machine and set effective permissions on the directory of each machine?

As a note: The software we use to manage our inventory requires full permissions on specific directories to be able to view reports and print them as well. The Printfiles folder must have read/execute to view the reports.

Thanks in advance,

Chris


permissions.bmp
Question by:Chris James
14 Comments
 
LVL 16

Expert Comment

by:gurutc
ID: 21745335
Hi,

Is this specific folder going to be shared?  That's one way to do it.  Set the permissions on the folder to everyone, and then during the login process, run the command line 'net share' command to enable shared access to the folder and to set the share permissions.

To check out this functionality, go to a command prompt and type NET SHARE /?

Then, when the user logs out, you can use the NET SHARE command to delete the share.

Good Luck,
- gurutc
0
 
LVL 16

Expert Comment

by:gurutc
ID: 21745371
Hi again,

In addition, the net share command now includes the Grant feature for permissions.  

See this at:

http://windowsitpro.com/article/articleid/93427/the-net-share-command-in-windows-server-2003-adds-the-grant-of-share-permissions.html

You can put the scripting for the share manipulation in the login and logoff scripts.  Note that you'll have to add these servers to the Active Directory for this to be done most easily, but that still isn't mandatory.

Good Luck,
- gurutc
0
 
LVL 4

Author Comment

by:Chris James
ID: 21745487
The folder that I want to set permissions on is on a local machine. Actually, it's on each individual client machine we have here on the network. We have an application that manages the inventory print files and we need to be able to add permissions to the local install directory of C:\Program Files\System\Printfiles, not on the server.

Is what you are suggesting going to work with local permissions?
0

 
LVL 16

Expert Comment

by:gurutc
ID: 21745555
Hi again,

If you make sure that the login script runs for a user that has rights, then this method will allow setting permissions of Everyone for a shared folder, even if it's a local session.

- gurutc
0
 
LVL 4

Author Comment

by:Chris James
ID: 21745593
Let me see if I am understanding you correctly. So, for example, I have an OU in Active Directory with users, and I can add a GPO logon script to execute the net share command on a specific directory, i.e. C:\Program Files\DDI System\inForm\Printfiles, and add their read/execute permissions on the local machine they are using, right?

I'm not sure how to use net share. I looked at the link you've provided but am getting confused.

So is it... "net share sharename=C:\Program Files\DDI System\inForm\Printfiles .... and then what?

0
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 21745602
I just thought I would add my comment to this question. Personally, I would not use scripting to achieve this. It would be much easier to use the built-in method in Group Policy to change the file system permissions on that folder. For ease of configuration, just give the Domain Users group Full Control in the GPO.

More information on setting the permissions through GPO can be found at http://windowsitpro.com/article/articleid/82361/jsi-tip-8724-how-can-i-use-group-policy-to-set-file-system-andor-registry-permissions.html. From what I can see in your case, this will be a LOT easier than having a script do this for you - when it's got built-in support, why overcomplicate it!?
0
 
LVL 4

Author Comment

by:Chris James
ID: 21745629
Tigermatt, that is EXACTLY what I was looking for, I am going to see if it works now.  I will let you know if it is successful.
0
 
LVL 4

Author Comment

by:Chris James
ID: 21745742
I have applied the following permissions and set "Everyone" on the directory "C:\Program Files\DDI System\inForm\Printfiles"

Does this look right to you?  Did I select the correct setting for the inheritance?
So far the policy hasn't applied yet.  I guess I have to wait a bit for it to apply.
permissions2.bmp
0
 
LVL 16

Expert Comment

by:gurutc
ID: 21745845
Cool looking solution!  I'm schooled if it works too.

- gurutc
0
 
LVL 4

Author Comment

by:Chris James
ID: 21745863
So far mine still hasn't applied yet, still waiting :s
0
 
LVL 16

Expert Comment

by:gurutc
ID: 21745886
Hi,

It would be

net share printfiles="C:\Program Files\DDI System\inForm\Printfiles" /GRANT:everyone,FULL

If you did it that way.

- gurutc
0
 
LVL 4

Author Closing Comment

by:Chris James
ID: 31465482
I had to do the gpupdate /force command to force the policy to take effect.  Thank you for the solution.
0
 
LVL 4

Author Comment

by:Chris James
ID: 21745981
I had to do the gpupdate /force command to force the policy to take effect.  Thank you for the solution, "Tigermatt", and thank you everyone for your help.  Much appreciated.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21746259
Unless you restart a workstation and give time for a policy to apply down, you have to run gpupdate /force for GPO changes to be downloaded. The /force command forces all settings which are the same to be resynced too.

Good to hear it worked!
0
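
To confirm on a client that the Group Policy file system setting has applied after gpupdate /force, and that the folder's ACL gives broad groups no more than the read/execute the question asks for, the DACL can be checked with a short script. This is an added example, not part of the thread: the function name Get-BroadWriteAce is hypothetical, the sample SDDL (including its domain SID) is constructed, and treating any write-capable right for Everyone, Authenticated Users, Users or Domain Users as a finding is an assumption based on the stated read/execute requirement.

```powershell
# Added example: list ACEs that give broad groups write-capable rights on the folder.
$Path = 'C:\Program Files\DDI System\inForm\Printfiles'   # path quoted in the thread

$R = [System.Security.AccessControl.FileSystemRights]
# Write, delete and ACL/owner changes, plus the raw GENERIC_WRITE / GENERIC_ALL bits
# that inherit-only ACEs can carry instead of named rights.
$WriteMask = [int]($R::Write -bor $R::Delete -bor $R::DeleteSubdirectoriesAndFiles -bor
    $R::ChangePermissions -bor $R::TakeOwnership) -bor 0x40000000 -bor 0x10000000

# Everyone, Authenticated Users, BUILTIN\Users. Domain Users is matched by RID 513 below.
# SIDs are compared instead of names so the check also works on localized systems.
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

function Get-BroadWriteAce {   # hypothetical helper name
    param([System.Security.AccessControl.FileSystemSecurity] $Acl)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited rules, with identities returned as SIDs
    foreach ($ace in $Acl.GetAccessRules($true, $true, $sidType)) {
        $sid    = $ace.IdentityReference.Value
        $broad  = ($BroadSids -contains $sid) -or ($sid -match '^S-1-5-21-.+-513$')
        $allow  = $ace.AccessControlType -eq 'Allow'
        $writes = ([int]$ace.FileSystemRights -band $WriteMask) -ne 0
        if ($broad -and $allow -and $writes) {
            New-Object psobject -Property @{
                Sid = $sid; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed sample DACL: Everyone read/execute, Domain Users full control,
# Administrators full control. Only the Domain Users entry is a finding.
$sddl = 'D:PAI(A;OICI;0x1200a9;;;WD)(A;OICI;FA;;;S-1-5-21-1-2-3-513)(A;OICI;FA;;;BA)'
$sample = New-Object System.Security.AccessControl.DirectorySecurity
$sample.SetSecurityDescriptorSddlForm($sddl)
Get-BroadWriteAce $sample

# On a client, after gpupdate /force, check the real folder if it exists.
if (Test-Path $Path) { Get-BroadWriteAce (Get-Acl $Path) }
```

No output from the last line means none of the broad groups holds a write-capable right on the folder.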
