Solved

Via GPO add local group to ACL for a file

Posted on 2010-09-10
3
548 Views
Last Modified: 2012-06-21
On each domain member PC there is a local group called "specialUsers". They each have their own local SID as they were created with a locally run script. The group contains domain groups and domain users and local users.

We want to give that group permissions on a file local to that PC. For example, give it "deny full control" to "file1.txt" so that if you're a local user in that group or a domain user in the domain group which is a member of that local group, you cannot do anything to that file, even read it's contents.

Via GPO we have lots of file security permissions. We have common SID users and groups having or being denied access (like Administrators, Remote Desktop Users, SYSTEM, etc). If I back up the GPO and go to the GptTmpl.inf file I can see these ACL's listed under [File Security].

However I can't figure out how to create an entry that sets permissions to that local file on eac pc to the local group on that PC. I can't copy and paste one of the file entry lines and put in the SID of the local group because that SID doesn't exist on other PCs, only that one. I can't put just the display name instead of the SID (such as "Special Users" because when you try to restore that gpttmpl file or import it, it errors out.

Anyone have an idea on how to via group policy force each pc to add certain restrictions to a file for the same local group name even though the SIDs are different?

Thanks.
0
Comment
Question by:MrSampsonite
  • 2
3 Comments
 
LVL 31

Accepted Solution

by:
Justin Owens earned 500 total points
ID: 33663208
Would you be willing to use GPO to fire off a batch file?  If so, you could use the icacls command like to do this very easily:

icacls file1.txt  /deny specialUsers:F

Source for icacls, if you need it: http://technet.microsoft.com/en-us/library/cc753525%28WS.10%29.aspx 
0
 

Author Comment

by:MrSampsonite
ID: 33772403
It looks like your solution may be the only option. Thanks for the link.
0
 

Author Closing Comment

by:MrSampsonite
ID: 33772407
only solution given was to create a batch file as it appears impossible via gpo.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

As network administrators; we know how hard it is to track user’s login/logout using security event log (BTW it is harder now in windows 2008 because user name is always “N/A” in the grid), and most of us either get 3rd party tools, or just make our…
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now