jrwade27
asked on
How use Group Policy or Powershell Script to set local drive permissions to Domain Users on XP Pro client in Windows 2003 Active Directory domain and push down to all files and folders
I am using Symantec Ghost to image some new computers. Upon deployment I find that Domain Users have no local file permissions. I am doing all of this remotely. I would like to use Group Policy or script (Powershell preferred) to set drive c: including all child files and folders on the local XP Professional machines to Full for Domain Users security group in Active Directory in Windows 2003 domain. Can someone please give me some direction as to how to accomplish this. Scripted approach would be desireable since I can use a text file listing the new machines to ensure that the new machines are the only ones on which the operation will take place. No domain users may have elevated or administrator rights other than myself on any of our client machines. All work is save to folders on our servers but users need to have access to files in order to run some applications that require writing some temporary files to the local machines and they need to be able to have access to the Windows Temp file to clean up temporary files which build up and are not cleaned up well by some legacy applications.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
McKnife, thanks. These are good recommendations. I'll research the second two more fully. I am a very new user to Ghost Suite (v. 2.5) and after lengthy discussion with one of their upper tier support people I was told that I would have to set these permissions after the fact since the computer would be joined off the domain. With over 3000 GPO settings for Windows 2003 and about the same for XP Pro I haven't found the right way to set this correctly in Group Policy yet. I will drill down into the settings you have recommended and check that out. The link in number 2 didn't work when I pasted it into IE7 but I'll be able to locate it with what you have given.
I think you missed my point, or rather, my goal.
This is a one time (at least for each host) process where you would loop through each machine.
Set-ACL needs an ACL to apply that is the only purpose in the Get-ACL. You can point that to anything (that has the correct permissions.)
Regards to SIDS... the local Administrator/Administrato rs SIDs are the same on all machines.
This is a one time (at least for each host) process where you would loop through each machine.
Set-ACL needs an ACL to apply that is the only purpose in the Get-ACL. You can point that to anything (that has the correct permissions.)
Regards to SIDS... the local Administrator/Administrato
ms-its:C:\WINDOWS\Help\ntc mds.chm::/ Secedit_cm ds.htm works on IE7.
Anyway, it's the help section for secedit, you will find it, at latest by using the command secedit /help
Anyway, it's the help section for secedit, you will find it, at latest by using the command secedit /help
ASKER
I must research secedit as well to understand how to use it properly. I believe I will have to export a db from the computer that has the permissions set correctly and then use this one as the database to configure the others if I understand right what I could see very quickly from the secedit /help which I did have no trouble reaching. Any idea on using Ghost Suite 2.5 correctly to take care of this at imaging or configuring after imaging. Documentation is over 700 pages and I've been caught having to deploy these new computers with a shoulder surgery in the middle. Appreciate your expert help.
BSonPosh, I was not able to obtain ACL remotely which is what i would have to do and the appproach failed to update one of the new computers when I tried it from the new client with Powershell installed.
BSonPosh, I was not able to obtain ACL remotely which is what i would have to do and the appproach failed to update one of the new computers when I tried it from the new client with Powershell installed.
You got the secedit idea perfectly right. About ghost: I don't know, I would need information on how permissions exactly are right now.
ASKER
Thank you McKnife for the confirmation. It is obvious that your expertise is much better than mine. I appreciate your monitoring and accessibility. It is very helpful.
ASKER