Need help about group policy & File Folders permissions

Dear Experts,

I have installed Win 2003 and installed role of DC on it. There is another Server also Win 2003 installed along with ISA server.

When in AD Server I make change to group policy that prohibit access to control panel and make command for group policy refresh. I have observed that on client machines the Control Panel disappears, this is fine but what is going on is that in AD Server itself, On ISA Server computer the same condition is also applying, control panel also disappears from there, I don't want this, Please guide me for this. I want any conditions through group policy to be applied on windows XP machines only and not on servers.

Other question is, I need to basics of File and folder sharing and permissions, if any of you having good resource where I can study it. How to ensure that staff from one department should not see the shared folders of staff from other department. But employees from one department can share there information, such type of examples I want to implement in my environment, any good resource please?

Third question, in ISA how I can enforce authentication using information of WIindows Active Directory, example user A of AD can access website so and so, while user B from AD can not access those websites, similarly time restrictions based on information of active directory.

I will be waiting for your replies. I am new and willing to perform all this setup in my company.


Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Brian PiercePhotographerCommented:
To share folders you must right click on the folder, choose sharing and security, sharing and sepecify a share name

When you share a folder it has share permissions. For the most part, if your drives are formatted as NTFS then give the 'Everyone' Group 'Full Control' at the share level (you will need to change the default permission on the Sharing Tab as the Default is 'Everyone' Read). This may seem odd and insecure but it is not as NFTS itself allows you much greater control of permissions. It is usual to allow full control at the share level and then tie down permissions with NTFS.

If you right click on a folder and go to the Security Tab, it will show you the NTFS Permissions. Normally you will want a shared folder not to inherit permissions from its parent folder or drive, So go to the Advanced Tab and clear the 'Inherit from parent...' box and COPY the permissions when prompted.

You can then edit/add/remove groups from the security tab and assign each the required permissions. So if you want the Marketing Group to have full access to a folder, add the Marketing Group and Assign them Full Control. If you want the Sales Group to be able to read the folder and files but not add/delete/change anything, add the Sales group and leave the default permissions, (read, read and execute list folder contents). To stop others accessing the folder remove the Everyone and (domain) Users Groups from the list.

It is enough that groups do not appear on the list to stop them getting access. You do not normally need to DENY. If a user is a member of two or more groups they get the best of their cumulative NTFS Permissions (unless a deny is present, in which case it overrides).

Normally the standard permissions will be sufficient for most purposes; if you want to be more prescriptive you can use the 'Advanced' option and set advanced permissions.

If users have both share and NTFS permissions they get the most restrictive of the combination of the combined NTFS/Share permissions (which is why it is normal to allow Full Control on the share and rely on NTFS permissions)

It is usual to give permissions to groups, not to users as this makes for easier management. If a new person joins the sales team, you just add them to the sales group and they automatically get all the permissions assigned to the Sales Group. If someone moves from Marketing to sales you remove them from the Marketing group and they lose all the Marketing Group Permissions, when you then add them to sales they get all the permissions of the sales group. As already stated a user can be a member of multiple groups.

See for more info

Once a folder is shared with the correct folder and NTFS permissions users can connect to it using the UNC path name, it they can type \\ServerName\ShareName at the run Prompt. Alternatively they can map a drive to the folder. To do this click on Tools, Map Network drive in Windows Explorer and  assign any unused drive letter to the shared folder. The folder will then appear a s Network drive in My Computer

An analogy. Your computer is a house. Your data is in as safe the house. To gain access to the data people from outside have to go through the front door (the share), and then open the safe (NTFS). They need to have both the key to the door (share permissions) and the key to the safe (NTFS permissions) to get at the data - having one key or the other is no good - they must have both.

If you want to prevent users seeing folder on which they dont have premissions you can use access based enumeration

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
FemSteenkampIT managerCommented:
you can modify the SCOPE of the GPO, i.e. to who or what machines it apply

In your case the fileter will probably the operating system version to only apply it to specific operating system versions

an easier way might be to move all your XP machines you want to restrict to a specific OU and then apply the restrictions to just that OU.
Brian PiercePhotographerCommented:
As regards the implimetation of the GPO then the simplest way is to apply a policy to the Domain Controllers OU that disables the prohibiting of the control panel - since this is appled after the policy applied to the domain then on DCs the control panel will be visible on the DC.

You can apply a similar strategy to the other servers - create an OU called servers, move the computer accounts for servers into it and then apply the same disable prohibiting of control panel to that OU as well.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.