jrwade27

How to use Group Policy or PowerShell script to set local drive permissions to Domain Users on XP Pro client in Windows 2003 Active Directory domain and push down to all files and folders

I am using Symantec Ghost to image some new computers.  Upon deployment I find that Domain Users have no local file permissions.  I am doing all of this remotely.  I would like to use Group Policy or script (PowerShell preferred) to set drive c: including all child files and folders on the local XP Professional machines to Full for Domain Users security group in Active Directory in Windows 2003 domain.  Can someone please give me some direction as to how to accomplish this?  Scripted approach would be desirable since I can use a text file listing the new machines to ensure that the new machines are the only ones on which the operation will take place.  No domain users may have elevated or administrator rights other than myself on any of our client machines.  All work is saved to folders on our servers but users need to have access to files in order to run some applications that require writing some temporary files to the local machines and they need to be able to have access to the Windows Temp file to clean up temporary files which build up and are not cleaned up well by some legacy applications.
SOLUTION
BSonPosh

This solution is only available to members.

ASKER CERTIFIED SOLUTION
McKnife

This solution is only available to members.

jrwade27 (ASKER)

BSonPosh, that might do the job but I can't get the ACL from a remote computer's folder.  And I would want to save it so that I can use it on the other computers on which I must perform this task.  I have to install PowerShell on one of the new clients, set the permissions in the manner desired and then use this client as an additional "master" for updating the new machines I ghost.  Am I right in assuming that the ACL obtained will be in the form of an SID for Local Administrator account and therefore will not be machine specific when it gets set with the values piped to set-acl?  I tried to test this in my remote environment but the new machines went into standby (person on the other end was supposed to have changed that setting) in the middle of the second line of your recommended PowerShell commands.
McKnife, thanks.  These are good recommendations.  I'll research the second two more fully.  I am a very new user to Ghost Suite (v. 2.5) and after lengthy discussion with one of their upper tier support people I was told that I would have to set these permissions after the fact since the computer would be joined off the domain.  With over 3000 GPO settings for Windows 2003 and about the same for XP Pro I haven't found the right way to set this correctly in Group Policy yet.  I will drill down into the settings you have recommended and check that out.  The link in number 2 didn't work when I pasted it into IE7 but I'll be able to locate it with what you have given.
I think you missed my point, or rather, my goal.

This is a one time (at least for each host) process where you would loop through each machine.

Set-ACL needs an ACL to apply; that is the only purpose of the Get-ACL. You can point that to anything (that has the correct permissions).

Regarding SIDs... the local Administrator/Administrators SIDs are the same on all machines.
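
The per-machine loop described above, as an added example that is not part of the original thread and not any participant's code. It reads the host list from a text file as the question asks, but grants Modify only on the temp folders the question says the applications need rather than Full on all of C:, which keeps write access out of system directories in line with the question's requirement that users hold no elevated rights. Assumed names: `new-machines.txt`, the placeholder domain `CONTOSO`, the hypothetical folder `LegacyApp\Temp`, and a reachable `C$` administrative share on each client.

```powershell
# Added example. Assumed names: new-machines.txt, CONTOSO (placeholder domain),
# LegacyApp\Temp (hypothetical application folder). Run from an admin workstation
# with an account that is a local administrator on the target clients.
$hostList = '.\new-machines.txt'             # one computer name per line
$identity = 'CONTOSO\Domain Users'
$folders  = 'WINDOWS\Temp', 'LegacyApp\Temp' # relative to C:\ on each client

function New-ModifyRule([string]$Identity) {
    # Allow Modify; ContainerInherit + ObjectInherit pushes the entry down to
    # subfolders and files that still inherit from the parent folder.
    $ruleArgs = $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
}

function Add-FolderGrant([string]$Path, [string]$Identity) {
    $acl = Get-Acl -Path $Path               # start from the folder's own ACL
    $acl.AddAccessRule((New-ModifyRule $Identity))
    Set-Acl -Path $Path -AclObject $acl
    # Read back the explicit entries for the group so the result can be logged.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited }
}

$results = foreach ($line in Get-Content $hostList) {
    $computer = $line.Trim()
    if (-not $computer) { continue }         # skip blank lines
    foreach ($folder in $folders) {
        $unc = '\\{0}\C$\{1}' -f $computer, $folder
        if (-not (Test-Path $unc)) {
            Write-Warning "$unc not reachable, skipped"
            continue
        }
        Add-FolderGrant -Path $unc -Identity $identity |
            Select-Object @{n='Path';e={$unc}}, IdentityReference, FileSystemRights
    }
}
$results | Format-Table -AutoSize
```

Hosts that are asleep or offline show up as warnings instead of aborting the run, so the same list can be replayed later.
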
ms-its:C:\WINDOWS\Help\ntcmds.chm::/Secedit_cmds.htm works on IE7.
Anyway, it's the help section for secedit, you will find it, at latest by using the command secedit /help
I must research secedit as well to understand how to use it properly.  I believe I will have to export a db from the computer that has the permissions set correctly and then use this one as the database to configure the others if I understand right what I could see very quickly from the secedit /help which I did have no trouble reaching.  Any idea on using Ghost Suite 2.5 correctly to take care of this at imaging or configuring after imaging?  Documentation is over 700 pages and I've been caught having to deploy these new computers with a shoulder surgery in the middle.  Appreciate your expert help.

BSonPosh, I was not able to obtain ACL remotely which is what I would have to do and the approach failed to update one of the new computers when I tried it from the new client with PowerShell installed.
You got the secedit idea perfectly right. About ghost: I don't know, I would need information on how permissions exactly are right now.
Thank you McKnife for the confirmation.  It is obvious that your expertise is much better than mine.  I appreciate your monitoring and accessibility.  It is very helpful.