Group Policy question

Posted on 2009-02-17
Last Modified: 2012-05-06
Hi, im designing a new small network (Testing lab max 10 users). We have multiple software applications and im trying to protect certain files from being updated/changed by users. I'll try and explain that a little better. We use Tomcat for instance as our Webserver. Tomcat has a number of configuration files that hold key information like what port it should run on. I would like to make that config file read only to normal users and only the administrator can edit it, ie change the port number in the config file. I do not want to physically move the file to a seperate folder because tomcat needs it in a particular place. In some instances these files are updated by the software so they will need write access. Could anyone advise me how to do this
Question by:Jonesey007
    LVL 15

    Expert Comment

    You can create a startup script and assign it to the OU the workstations are in and use DSACLS.EXE (part of Windows Support Tools) to assign permissions.
    LVL 18

    Accepted Solution

    This sounds like just access permission and may not need get involve with group policy.
    You just need to set the permission READ to end users such as "everyone", "authenticated users", "domain users", or the "Users" of the server. The "Administrators" group of your server by default have full access to everything on your server and you should be fine. Now the question is when you said the file need write access during software update, if you as the administrator logged on to the server and do the software update, then it won't be a problem.
    Also, setting file level permission is usually high maintenance and as long as the software update do not delete and replace the file or rename it to something else, you should be fine. It just that some software upgrade do rename certain file and replace those file from time to time. If that's that case, I suggest you set the permission on the folder level to be safe.

    Featured Post

    How your wiki can always stay up-to-date

    Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
    - Increase transparency
    - Onboard new hires faster
    - Access from mobile/offline

    Join & Write a Comment

    I know all systems administrator at some time or another has had to create a script to copy file from a server share to a desktop. Well now there is an easy way to do this in Group Policy. Using Group policy preferences is not hard. The first thing …
    Installing a printer using group policy preferences is not that hard let’s take a look at it. First lets open up your group policy console and edit the policy you want to add it to. I recommend creating a new policy for each printer makes it a l…
    This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

    754 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    17 Experts available now in Live!

    Get 1:1 Help Now