Solved

How to use Group Policy or PowerShell Script to set local drive permissions to Domain Users on XP Pro client in Windows 2003 Active Directory domain and push down to all files and folders

Posted on 2008-11-10
Last Modified: 2013-12-12
I am using Symantec Ghost to image some new computers.  Upon deployment I find that Domain Users have no local file permissions.  I am doing all of this remotely.  I would like to use Group Policy or script (PowerShell preferred) to set drive c: including all child files and folders on the local XP Professional machines to Full for Domain Users security group in Active Directory in Windows 2003 domain.  Can someone please give me some direction as to how to accomplish this?  Scripted approach would be desirable since I can use a text file listing the new machines to ensure that the new machines are the only ones on which the operation will take place.  No domain users may have elevated or administrator rights other than myself on any of our client machines.  All work is saved to folders on our servers but users need to have access to files in order to run some applications that require writing some temporary files to the local machines and they need to be able to have access to the Windows Temp file to clean up temporary files which build up and are not cleaned up well by some legacy applications.
0
Question by:jrwade27
9 Comments
 
LVL 18

Assisted Solution

by:BSonPosh
BSonPosh earned 200 total points
ID: 22922955
In Powershell this would be pretty simple if I understand you properly.

Get a folder set with the perms you want to set for everything.

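If the script below acts as you expect, remove the -whatif
# Read the ACL from a folder that already has the permissions you want
$acl = Get-ACL C:\FolderWithCorrectPermissions
# Pipe every item under the remote C$ share to Set-Acl; -AclObject names the ACL to apply
dir \\remotehost\c$ -rec -force | set-acl -AclObject $acl -whatif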


0
 
LVL 58

Accepted Solution

by:McKnife
McKnife earned 1800 total points
ID: 22925294
Different approaches:
1) Use ghost properly, this should not happen in the first place
2) use the secedit commandline tool to apply default permissions (via a security template), see ms-its:C:\WINDOWS\Help\ntcmds.chm::/Secedit_cmds.htm (paste into IE in winxp) - this is a script
3) Use domain policy to set rights: Policy - Comp.  config. - windows settings - security settings - file system
0
 

Author Comment

by:jrwade27
ID: 22925361
BSonPosh, that might do the job but I can't get the ACL from a remote computer's folder.  And I would want to save it so that I can use it on the other computers on which I must perform this task.  I have to install PowerShell on one of the new clients, set the permissions in the manner desired and then use this client as an additional "master" for updating the new machines I ghost.  Am I right in assuming that the ACL obtained will be in the form of an SID for Local Administrator account and therefore will not be machine specific when it gets set with the values piped to set-acl?  I tried to test this in my remote environment but the new machines went into standby (person on the other end was supposed to have changed that setting) in the middle of the second line of your recommended PowerShell commands.
0

 

Author Comment

by:jrwade27
ID: 22925428
McKnife, thanks.  These are good recommendations.  I'll research the second two more fully.  I am a very new user to Ghost Suite (v. 2.5) and after lengthy discussion with one of their upper tier support people I was told that I would have to set these permissions after the fact since the computer would be joined off the domain.  With over 3000 GPO settings for Windows 2003 and about the same for XP Pro I haven't found the right way to set this correctly in Group Policy yet.  I will drill down into the settings you have recommended and check that out.  The link in number 2 didn't work when I pasted it into IE7 but I'll be able to locate it with what you have given.
0
 
LVL 18

Expert Comment

by:BSonPosh
ID: 22925459
I think you missed my point, or rather, my goal.

This is a one time (at least for each host) process where you would loop through each machine.

Set-ACL needs an ACL to apply that is the only purpose in the Get-ACL. You can point that to anything (that has the correct permissions.)

Regards to SIDS... the local Administrator/Administrators SIDs are the same on all machines.
0
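The per-machine loop discussed in this thread, as an added example that is not part of any participant's post: it reads computer names from a text file and grants Domain Users Modify on one folder through an inheritable ACE, so child files and folders receive it from the parent without a recursive Set-Acl. The file name `new-machines.txt`, the domain name `CONTOSO` and the choice of the Windows Temp folder (taken from the question) are assumptions; the script only reports what it would change unless run with `-Apply`.

```powershell
# Added example, not from the thread. File name, domain and folder are assumptions.
param(
    [string]$MachineList  = '.\new-machines.txt',  # hypothetical list, one computer name per line
    [string]$Domain       = 'CONTOSO',             # placeholder NetBIOS domain name
    [string]$RelativePath = 'WINDOWS\Temp',        # folder under C:\ named in the question
    [switch]$Apply                                 # omit to get a -WhatIf dry run
)

# Inheritable Allow ACE: subfolders (ContainerInherit) and files (ObjectInherit)
# receive it from the parent, so only the top folder's ACL is rewritten.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$rights  = [System.Security.AccessControl.FileSystemRights]::Modify
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    "$Domain\Domain Users", $rights, $inherit, $noProp, $allow

$results = foreach ($name in @(Get-Content $MachineList)) {
    $computer = $name.Trim()
    if (-not $computer) { continue }               # skip blank lines
    $target = "\\$computer\c`$\$RelativePath"      # administrative share on the client
    if (-not (Test-Path $target)) {
        Write-Warning "$computer : $target not reachable, skipped"
        continue
    }
    $acl = Get-Acl -Path $target                   # start from the folder's current ACL
    $acl.AddAccessRule($rule)                      # existing ACEs are kept
    Set-Acl -Path $target -AclObject $acl -WhatIf:(-not $Apply)
    $computer                                      # collect names that were processed
}
"Processed: $(@($results).Count) machine(s)"
```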
 
LVL 58

Expert Comment

by:McKnife
ID: 22925496
ms-its:C:\WINDOWS\Help\ntcmds.chm::/Secedit_cmds.htm works on IE7.
Anyway, it's the help section for secedit, you will find it, at latest by using the command secedit /help
0
 

Author Closing Comment

by:jrwade27
ID: 31515271
I must research secedit as well to understand how to use it properly.  I believe I will have to export a db from the computer that has the permissions set correctly and then use this one as the database to configure the others if I understand right what I could see very quickly from the secedit /help which I did have no trouble reaching.  Any idea on using Ghost Suite 2.5 correctly to take care of this at imaging or configuring after imaging?  Documentation is over 700 pages and I've been caught having to deploy these new computers with a shoulder surgery in the middle.  Appreciate your expert help.

BSonPosh, I was not able to obtain ACL remotely which is what I would have to do and the approach failed to update one of the new computers when I tried it from the new client with PowerShell installed.
0
 
LVL 58

Expert Comment

by:McKnife
ID: 22925817
You got the secedit idea perfectly right. About ghost: I don't know, I would need information on how permissions exactly are right now.
0
 

Author Comment

by:jrwade27
ID: 22925865
Thank you McKnife for the confirmation.  It is obvious that your expertise is much better than mine.  I appreciate your monitoring and accessibility.  It is very helpful.
0


Question has a verified solution.
