Microsoft Windows Server 2003 Active Directory - Setting Local Machine Permissions via Group Policy

Hello Everyone,

What I'm trying to do is basically have an Active Directory user log in and authenticate with the server and, after the successful login, have a policy that sets a local machine permission for "Everyone" to read/execute on a specific local directory, i.e. C:\Program Files\System\Printfiles.

Is this possible at all, or do I have to manually administrate each local machine and set effective permissions on the directory of each machine?  

As a note: the software we use to manage our inventory requires full permissions on specific directories to be able to view reports and print them as well. The Printfiles folder must have read/execute to view the reports.

Thanks in advance,

Chris


permissions.bmp
 
tigermatt commented:
I just thought I would add my comment to this question. Personally, I would not use scripting to achieve this. It would be much easier to use the built-in method in Group Policy to change the file system permissions on that folder. For ease of configuration, just give the Domain Users group Full Control in the GPO.

More information on setting the permissions through GPO can be found at http://windowsitpro.com/article/articleid/82361/jsi-tip-8724-how-can-i-use-group-policy-to-set-file-system-andor-registry-permissions.html. From what I can see in your case, this will be a LOT easier than having a script do this for you - when it's got built-in support, why overcomplicate it!?
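An added example, not part of the thread: the File System entries configured in a GPO are saved in its security template (GptTmpl.inf) under `[File Security]`, one line per path with a mode and an SDDL string. The sketch below parses such a section and reports which broad groups receive write-capable rights, contrasting Full Control with the read/execute the question asks for; the sample template, `broad_grants` and `rights_mask` are constructed for illustration.

```python
import re

# Constructed sample of a GPO security template; entry format is "path",mode,"SDDL".
SAMPLE_INF = r'''
[File Security]
"C:\Program Files\System\Printfiles",0,"D:AR(A;OICI;FA;;;DU)"
"C:\Program Files\DDI System\inForm\Printfiles",0,"D:AR(A;OICI;0x1200a9;;;WD)"
[Version]
signature="$CHICAGO$"
'''

# SDDL aliases for groups that cover most or all users.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users",
         "BU": "BUILTIN\\Users", "DU": "Domain Users"}
# File and generic rights codes that can appear instead of a hex mask.
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000}
# Write/append data, write EA/attributes, delete child, DELETE, WRITE_DAC,
# WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL.
WRITE_MASK = 0x500D0156
ENTRY = re.compile(r'^"([^"]+)",(\d),"([^"]+)"$')
ACE = re.compile(r'\(([^)]*)\)')

def rights_mask(field):
    """Hex mask or concatenated two-letter rights codes -> access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]  # KeyError on a code not listed above
    return mask

def broad_grants(inf_text):
    """Return (path, group, mask, writable) for allow ACEs given to broad groups."""
    findings, in_section = [], False
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[file security]"
            continue
        m = ENTRY.match(line) if in_section else None
        for ace in (ACE.findall(m.group(3)) if m else []):
            f = ace.split(";")  # type;flags;rights;object;inherit-object;trustee
            if len(f) >= 6 and f[0] == "A" and f[5] in BROAD:
                mask = rights_mask(f[2])
                findings.append((m.group(1), BROAD[f[5]], mask, bool(mask & WRITE_MASK)))
    return findings

if __name__ == "__main__":
    for path, group, mask, writable in broad_grants(SAMPLE_INF):
        print(f"{'WRITE' if writable else 'read'}\t{group}\t{mask:#010x}\t{path}")
```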
 
gurutc commented:
Hi,

Is this specific folder going to be shared?  That's one way to do it.  Set the permissions on the folder to everyone, and then during the login process, run the command line 'net share' command to enable shared access to the folder and to set the share permissions.

To check out this functionality, go to a command prompt and type NET SHARE /?

Then, when the user logs out, you can use the NET SHARE command to delete the share.

Good Luck,
- gurutc
 
gurutc commented:
Hi again,

In addition, the net share command now includes the Grant feature for permissions.  

See this at:

http://windowsitpro.com/article/articleid/93427/the-net-share-command-in-windows-server-2003-adds-the-grant-of-share-permissions.html

You can put the scripting for the share manipulation in the login and logoff scripts.  Note that you'll have to add these servers to the Active Directory for this to be done most easily, but that still isn't mandatory.

Good Luck,
- gurutc
 
Chris James (author) commented:
The folder that I want to set permissions on is on a local machine. Actually, it's on each individual client machine we have here on the network. We have an application that manages the inventory print files and we need to be able to add permissions to the local install directory of C:\Program Files\System\Printfiles, not on the server.

Is what you are suggesting going to work with local permissions?
 
gurutc commented:
Hi again,

If you make sure that the login script runs for a user that has rights, then this method will allow setting permissions of Everyone for a shared folder, even if it's a local session.

- gurutc
 
Chris James (author) commented:
Let me see if I am understanding you correctly. So, for example, I have an OU in Active Directory with users, and I can add a GPO logon script to execute the net share command on a specific directory, i.e. C:\Program Files\DDI System\inForm\Printfiles, and add their read/execute permissions on the local machine they are using, right?

I'm not sure how to use the net share, I looked in the link you've provided but am getting confused.

so is it... "net share sharename=C:\Program Files\DDI System\inForm\Printfiles .... and then what?

 
Chris James (author) commented:
Tigermatt, that is EXACTLY what I was looking for, I am going to see if it works now.  I will let you know if it is successful.
 
Chris James (author) commented:
I have applied the following permissions and set "Everyone" on the directory "C:\Program Files\DDI System\inForm\Printfiles"

Does this look right to you? Did I select the correct setting for the inheritance?
So far the policy hasn't applied yet. I guess I have to wait a bit for it to apply.
permissions2.bmp
 
gurutc commented:
Cool looking solution! I'm schooled if it works too.

- gurutc
 
Chris James (author) commented:
So far mine still hasn't applied yet, still waiting :s
 
gurutc commented:
Hi,

It would be

net share printfiles="C:\Program Files\DDI System\inForm\Printfiles" /GRANT:everyone,FULL

If you did it that way.

- gurutc
 
Chris James (author) commented:
I had to do the gpupdate /force command to force the policy to take effect. Thank you for the solution.
 
Chris James (author) commented:
I had to do the gpupdate /force command to force the policy to take effect. Thank you for the solution, "Tigermatt", and thank you everyone for your help. Much appreciated.
 
tigermatt commented:
Unless you restart a workstation and give time for a policy to apply down, you have to run gpupdate /force for GPO changes to be downloaded. The /force command forces all settings which are the same to be resynced too.

Good to hear it worked!
Question has a verified solution.
