How use Group Policy or Powershell Script to set local drive permissions to Domain Users on XP Pro client in Windows 2003 Active Directory domain and push down to all files and folders

I am using Symantec Ghost to image some new computers.  Upon deployment I find that Domain Users have no local file permissions.  I am doing all of this remotely.  I would like to use Group Policy or script (Powershell preferred) to set drive c: including all child files and folders on the local XP Professional machines to Full for Domain Users security group in Active Directory in Windows 2003 domain.  Can someone please give me some direction as to how to accomplish this.  Scripted approach would be desireable since I can use a text file listing the new machines to ensure that the new machines are the only ones on which the operation will take place.  No domain users may have elevated or administrator rights other than myself on any of our client machines.  All work is save to folders on our servers but users need to have access to files in order to run some applications that require writing some temporary files to the local machines and they need to be able to have access to the Windows Temp file to clean up temporary files which build up and are not cleaned up well by some legacy applications.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

In Powershell this would be pretty simple if I understand you properly.

Get a folder set with the perms you want to set for everything.

If the script below acts as you expect remove the -whatif
$acl = Get-ACL C:\FolderWithCorrectPermissions
dir \\remotehost\c$ -rec -force | set-acl $acl -whatif

Open in new window

Different approaches:
1) Use ghost properly, this should not happen in the first place
2) use the secedit commandline tool to apply default permissions (via a security template), see ms-its:C:\WINDOWS\Help\ntcmds.chm::/Secedit_cmds.htm (paste into IE in winxp) - this is a script
3)Use domain policy to set rights: Policy - Comp.  config. - windows settings - security settings - file system

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jrwade27Author Commented:
BsonPosh, that might do the job but I can't get the ACL from a remote computer's folder.  And I would want to save it so that I can use it on the other computers on which I must perform this task.  I have to install PowerShell on one of the new clients, set the permissions in the manner desired and then use this client as an additional "master" for updating the new machines I ghost.  Am I right in assuming that the ACL obtained with be in the form of an SID for Local Administrator account and therefore will not be machine specific when it gets set with the values piped to set-acl.  I tried to test this in my remote environment but the new machines went into standby (person on the other end was supposed to have changed that setting) in the middle of the second line of your recommended PowerShell commands.
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

jrwade27Author Commented:
McKnife, thanks.  These are good recommendations.  I'll research the second two more fully.  I am a very new user to Ghost Suite (v. 2.5) and after lengthy discussion with one of their upper tier support people I was told that I would have to set these permissions after the fact since the computer would be joined off the domain.  With over 3000 GPO settings for Windows 2003 and about the same for XP Pro I haven't found the right way to set this correctly in Group Policy yet.  I will drill down into the settings you have recommended and check that out.  The link in number 2 didn't work when I pasted it into IE7 but I'll be able to locate it with what you have given.
I think you missed my point, or rather, my goal.

This is a one time (at least for each host) process where you would loop through each machine.

Set-ACL needs an ACL to apply that is the only purpose in the Get-ACL. You can point that to anything (that has the correct permissions.)

Regards to SIDS... the local Administrator/Administrators SIDs are the same on all machines.
ms-its:C:\WINDOWS\Help\ntcmds.chm::/Secedit_cmds.htm works on IE7.
Anyway, it's the help section for secedit, you will find it, at latest by using the command secedit /help
jrwade27Author Commented:
I must research secedit as well to understand how to use it properly.  I believe I will have to export a db from the computer that has the permissions set correctly and then use this one as the database to configure the others if I understand right what I could see very quickly from the secedit /help which I did have no trouble reaching.  Any idea on using Ghost Suite 2.5 correctly to take care of this at imaging or configuring after imaging.  Documentation is over 700 pages and I've been caught having to deploy these new computers with a shoulder surgery in the middle.  Appreciate your expert help.

BSonPosh, I was not able to obtain ACL remotely which is what i would have to do and the appproach failed to update one of the new computers when I tried it from the new client with Powershell installed.
You got the secedit idea perfectly right. About ghost: I don't know, I would need information on how permissions exactly are right now.
jrwade27Author Commented:
Thank you McKnife for the confirmation.  It is obvious that your expertise is much better than mine.  I appreciate your monitoring and accessibility.  It is very helpful.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.