We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now


Group Policy question

Medium Priority
Last Modified: 2012-05-06
Hi, im designing a new small network (Testing lab max 10 users). We have multiple software applications and im trying to protect certain files from being updated/changed by users. I'll try and explain that a little better. We use Tomcat for instance as our Webserver. Tomcat has a number of configuration files that hold key information like what port it should run on. I would like to make that config file read only to normal users and only the administrator can edit it, ie change the port number in the config file. I do not want to physically move the file to a seperate folder because tomcat needs it in a particular place. In some instances these files are updated by the software so they will need write access. Could anyone advise me how to do this
Watch Question

You can create a startup script and assign it to the OU the workstations are in and use DSACLS.EXE (part of Windows Support Tools) to assign permissions.
This sounds like just access permission and may not need get involve with group policy.
You just need to set the permission READ to end users such as "everyone", "authenticated users", "domain users", or the "Users" of the server. The "Administrators" group of your server by default have full access to everything on your server and you should be fine. Now the question is when you said the file need write access during software update, if you as the administrator logged on to the server and do the software update, then it won't be a problem.
Also, setting file level permission is usually high maintenance and as long as the software update do not delete and replace the file or rename it to something else, you should be fine. It just that some software upgrade do rename certain file and replace those file from time to time. If that's that case, I suggest you set the permission on the folder level to be safe.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.