Via GPO add local group to ACL for a file
Posted on 2010-09-10
On each domain member PC there is a local group called "specialUsers". They each have their own local SID as they were created with a locally run script. The group contains domain groups and domain users and local users.
We want to give that group permissions on a file local to that PC. For example, give it "deny full control" to "file1.txt" so that if you're a local user in that group or a domain user in the domain group which is a member of that local group, you cannot do anything to that file, even read it's contents.
Via GPO we have lots of file security permissions. We have common SID users and groups having or being denied access (like Administrators, Remote Desktop Users, SYSTEM, etc). If I back up the GPO and go to the GptTmpl.inf file I can see these ACL's listed under [File Security].
However I can't figure out how to create an entry that sets permissions to that local file on eac pc to the local group on that PC. I can't copy and paste one of the file entry lines and put in the SID of the local group because that SID doesn't exist on other PCs, only that one. I can't put just the display name instead of the SID (such as "Special Users" because when you try to restore that gpttmpl file or import it, it errors out.
Anyone have an idea on how to via group policy force each pc to add certain restrictions to a file for the same local group name even though the SIDs are different?