Solved

Microsoft Windows Server 2003 Active Directory - Setting Local Machine Permissions via Group Policy

Posted on 2008-06-09
Last Modified: 2013-12-04
Hello Everyone,

What I'm trying to do is basically have an Active Directory user log in and authenticate with the server and after the successful login, have a policy that sets a Local machine permission to "Everyone" to read/execute on a specific Local directory, ie C:\Program Files\System\Printfiles.

Is this possible at all, or do I have to manually administrate each local machine and set effective permissions on the directory of each machine?  

As a note:  The software we use to manage our inventory requires full permissions on specific directories to be able to view reports and print them as well.  The Printfiles folder must have read/execute to view the reports.

Thanks In Advance,

Chris


permissions.bmp
0
Question by:Chris James
14 Comments
 
LVL 16

Expert Comment

by:gurutc
ID: 21745335
Hi,

Is this specific folder going to be shared?  That's one way to do it.  Set the permissions on the folder to everyone, and then during the login process, run the command line 'net share' command to enable shared access to the folder and to set the share permissions.

To check out this functionality, go to a command prompt and type NET SHARE /?

Then, when the user logs out, you can use the NET SHARE command to delete the share.

Good Luck,
- gurutc
0
 
LVL 16

Expert Comment

by:gurutc
ID: 21745371
Hi again,

In addition, the net share command now includes the Grant feature for permissions.  

See this at:

http://windowsitpro.com/article/articleid/93427/the-net-share-command-in-windows-server-2003-adds-the-grant-of-share-permissions.html

You can put the scripting for the share manipulation in the login and logoff scripts.  Note that you'll have to add these servers to the Active Directory for this to be done most easily, but that still isn't mandatory.

Good Luck,
- gurutc
0
 
LVL 4

Author Comment

by:Chris James
ID: 21745487
The folder that I want to set permissions to is on a local machine.  Actually, it's on each individual client machine we have here on the network.  We have an application that manages the inventory print files and we need to be able to add permissions to the local install directory of C:\Program Files\System\Printfiles, not on the server.

Is what you are suggesting going to work with local permissions?
0

 
LVL 16

Expert Comment

by:gurutc
ID: 21745555
Hi again,

If you make sure that the login script runs for a user that has rights, then this method will allow setting permissions of Everyone for a shared folder, even if it's a local session.

- gurutc
0
 
LVL 4

Author Comment

by:Chris James
ID: 21745593
Let me see if I am understanding you correctly, so for example I have an OU in Active Directory with users, and I can add a GPO logon script to execute the net share command on a specific directory, ie C:\Program Files\DDI System\inForm\Printfiles and add their read/execute permissions on the local machine they are using, right?

I'm not sure how to use the net share, I looked in the link you've provided but am getting confused.

So is it... "net share sharename=C:\Program Files\DDI System\inForm\Printfiles .... and then what?

0
 
LVL 58

Accepted Solution

by:
tigermatt earned 2000 total points
ID: 21745602
I just thought I would add my comment to this question. Personally, I would not use scripting to achieve this. It would be much easier to use the built-in method in Group Policy to change the file system permissions on that folder. For ease of configuration, just give the Domain Users group Full Control in the GPO.

More information on setting the permissions through GPO can be found at http://windowsitpro.com/article/articleid/82361/jsi-tip-8724-how-can-i-use-group-policy-to-set-file-system-andor-registry-permissions.html. From what I can see in your case, this will be a LOT easier than having a script do this for you - when it's got built-in support, why overcomplicate it!?
0
 
LVL 4

Author Comment

by:Chris James
ID: 21745629
Tigermatt, that is EXACTLY what I was looking for, I am going to see if it works now.  I will let you know if it is successful.
0
 
LVL 4

Author Comment

by:Chris James
ID: 21745742
I have applied the following permissions and set "Everyone" on the directory "C:\Program Files\DDI System\inForm\Printfiles"

Does this look right to you?  Did I select the correct setting for the inheritance?
So far the policy hasn't applied yet.  I guess I have to wait a bit for it to apply.
permissions2.bmp
0
 
LVL 16

Expert Comment

by:gurutc
ID: 21745845
Cool looking solution!  I'm schooled if it works too.

- gurutc
0
 
LVL 4

Author Comment

by:Chris James
ID: 21745863
So far mine still hasn't applied yet, still waiting :s
0
 
LVL 16

Expert Comment

by:gurutc
ID: 21745886
Hi,

It would be

net share printfiles="C:\Program Files\DDI System\inForm\Printfiles" /GRANT:everyone,FULL

If you did it that way.

- gurutc
0
 
LVL 4

Author Closing Comment

by:Chris James
ID: 31465482
I had to do the gpupdate /force command to force the policy to take effect.  Thank you for the solution.
0
 
LVL 4

Author Comment

by:Chris James
ID: 21745981
I had to do the gpupdate /force command to force the policy to take effect.  Thank you for the solution, "Tigermatt" and thank you everyone for your help.  Much appreciated.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21746259
Unless you restart a workstation and give time for a policy to apply down, you have to run gpupdate /force for GPO changes to be downloaded. The /force command forces all settings which are the same to be resynced too.

Good to hear it worked!
0
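
A check that can be run on a client after gpupdate /force to confirm what the policy actually left on the folder, as an added example (not code from the thread or from any poster): it reads the ACL on the path used in the thread and reports whether Everyone holds Read & Execute, the access the question asked for, and whether it holds anything beyond that. It assumes PowerShell is installed on the client; the output property names are made up for this example.

```powershell
# Added example, not from the thread: audit the "Everyone" allow ACEs on the report folder.
param(
    # Directory named in the thread; change it if the application is installed elsewhere.
    [string]$Path = 'C:\Program Files\DDI System\inForm\Printfiles'
)

# Access the question asked for, plus Synchronize, which normally accompanies read access.
$wanted  = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$allowed = $wanted -bor [int][System.Security.AccessControl.FileSystemRights]::Synchronize

# Translate ACEs to SIDs so the match does not depend on a localized "Everyone" name.
$acl   = Get-Acl -Path $Path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq 'S-1-1-0' -and   # S-1-1-0 = Everyone
                   $_.AccessControlType -eq 'Allow' }

# Combine the rights from every matching ACE (explicit and inherited).
# Deny ACEs and access granted through other groups are not evaluated here.
$granted   = 0
$inherited = $false
foreach ($rule in $rules) {
    $granted = $granted -bor [int]$rule.FileSystemRights
    if ($rule.IsInherited) { $inherited = $true }
}

$hasReadExecute = ($granted -band $wanted) -eq $wanted
$excess         = $granted -band (-bnot $allowed)   # bits beyond read/execute

# Rights are printed as hex masks because inheritable ACEs can carry generic
# bits that have no FileSystemRights name.
New-Object PSObject -Property @{
    Path           = $Path
    HasReadExecute = $hasReadExecute
    GrantedMask    = '0x{0:X8}' -f $granted
    ExcessMask     = '0x{0:X8}' -f $excess
    FromInherited  = $inherited
}

# Non-zero exit code when the folder does not match the intended state,
# so the result can be collected from many machines.
if (-not $hasReadExecute -or $excess -ne 0) { exit 1 }
```

A non-zero ExcessMask means Everyone was granted more than read/execute, for example when Full Control was selected in the GPO's file system entry.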
