Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

GPO-Copy ini file to Program Files on XP

Posted on 2012-09-14
14
Medium Priority
?
2,324 Views
Last Modified: 2012-09-26
Using GPO on a 2008 R2 enterprise server, I am trying to push an INI file to a folder within "Program Files".  I have tried using the Computer Config-->Preferences-->Windows Settings-->Files to create the source/destination path and selecting the Replace option (I've also tried the Create option).

Source: \\10.254.254.9\Files\Test-taker\RHS-TESTTKR\TestTkr.ini
Destination: c:\Program Files\TestTkr\TestTkr.ini

I've also tried using the User Config-->Preferences-->Windows Settings-->Files to create the source/destination path selecting Replace and Run in Logged-on security....

Neither of these options work.  I'm certain the source path has the correct permissions/rights because if I create the folder and file to a non-existent folder at the root of c:, it creates the file (ie: Destination: c:\test\TestTkr\thisIZtheTest.ini).  I've gone so far as to give full control to Domain Computers and Domain users on the share.  These groups are also added to the advanced share permissions with full Control.

In the event log I get the Event ID 4098, stating the user TestTkr.ini preference item in the 'GPOTesttkr file{######}' group policy object did not apply because it failed with the error code 0x80070005  Access Denied.

Note: I've applied the security patch Windows-KB943729-x86-ENU.exe

Any thoughts on getting this file to copy down would be greatly appreciated.
0
Comment
Question by:RichfieldTech
  • 7
  • 4
  • 3
14 Comments
 
LVL 35

Expert Comment

by:Bembi
ID: 38401436
So, just a few information:
I created your scenario...
iniuser.ini and inicomputer.ini on a DC
Added share to the containing folder - permissions everyone read
Set a user and a computer policy
Preferences file
Source \\MYDC\MyShare\user.ini (computer.ini)
Target: C:\Program Files\Test\user.ini (computer.ini)
replace
Made sure, the policy is applied...

For an admin user, both files (user / computer) are applied.
For a simple domain user, both files (user / computer) are applied.

Tested with clean install on Win7
Win7 and W2008 R2 fully patched.
Folder didn't exist

So, either the client can not find the files, don't have permissions to read them
or the permissions on the C.\Program files folder (client) are not the default permissions?
0
 
LVL 44

Expert Comment

by:Davis McCarn
ID: 38401606
The normal way to push things to either protected folders or the local machine's registry is to use a STARTUP script which run as the local system account and have the permissions necessary.
0
 

Author Comment

by:RichfieldTech
ID: 38405285
Bembi: The computer I am using (XP Pro) is a fresh install with all default settings.  So, I am certain the permissions have not been tampered with.  I am not having issues with Windows 7 machines.

DavisMcCarn; Do you have more info or a link on pushing files via startup script?  We just migrated from Novell to Microsoft this summer and I am figuring these things out as I go.  The stuff I read indicated the method I'm using should work.  If you have a tried and true method I am happy to try it here.

Thanks!
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 44

Expert Comment

by:Davis McCarn
ID: 38405417
Startup scripts: http://technet.microsoft.com/en-us/library/cc779329(v=ws.10).aspx
And all you need is a BAT file with:
COPY <source> <destination>
EXIT
0
 

Author Comment

by:RichfieldTech
ID: 38405660
Running a batch file does not seem to work for a test user nor the local admin account.

The batch reads:

Copy "\\10.254.254.9\SystemFiles\Test-taker\RHS-TESTTKR\TestTkr.ini"  "c:\Program Files\TestTkr\thisIZtheTest.ini"

I created this as a computer policy: Computer Config-->Policies-->Windows Settings-->Startup.
For security filtering, I added the computer group and the user.

I tested the bat file while logged in as a local admin and it does pull the file down.
I've also confirmed that domain computers and Domain users have read/execute permissions to the share (source).

When I run GP Results on the GPMC, I receive the following message relative to the Startup Script:
The following errors were encountered:
An unknown error occurred while data was gathered for this extension. Details: Not found.

For academics, I tried this as a logon Script only to get the same results and message.

Thanks.
0
 
LVL 35

Expert Comment

by:Bembi
ID: 38405881
Have a look here...
http://www.microsoft.com/en-us/download/details.aspx?id=3628

Windows XP does not take all of the newer extensions of Win 2008 (R2) policies.
You may have to install this update.
0
 

Author Comment

by:RichfieldTech
ID: 38405929
This patch has been applied.  I did mention that in my original post as I know this is an issue with 2008 R2.  Thanks though.
0
 

Author Comment

by:RichfieldTech
ID: 38406019
It seems, if I make the user a local administrator, the file will copy.  This is a very bad solution as this is an environment for state testing for K-12 students.  My goal is to create a secure testing environment and this solution completely negates my efforts.


Testing starts Thursday--so I am seriously under the gun here.  Any other ideas will be eagerly entertained.  Thanks!
0
 
LVL 35

Expert Comment

by:Bembi
ID: 38415032
So just tested the same with a normal user on a XP SP3 machine (GPO extensions installed).
Both files are there, the file from the machine policy as well as from the user policy...

The user is just a user, no admin right, neither in the domain nor on the local machine....

I come back, either the policy is not taken by the client, or there are no permissions on the share, which is used as the source in the policy.

The only difference is, taht on localized WinXP machines the path is created exactly like stated in the policy while Win7 takes the correct path.
0
 

Author Comment

by:RichfieldTech
ID: 38415048
The share is correct.  If I change the path from program files to another folder (test), the files copy.  This tells me the share permissions are correct.  The XP install is a fresh install of XP pro with no modifications (I did it myself).

In the event log I get the Event ID 4098, stating the user TestTkr.ini preference item in the 'GPOTesttkr file{######}' group policy object did not apply because it failed with the error code 0x80070005  Access Denied.

If I make the user a local administrator, it works.
0
 
LVL 35

Expert Comment

by:Bembi
ID: 38415258
Ok so far...
My test machine is a virtual Win XP SP3 with GPO client extensions installed, two month old and fully patched....  

So, just to make sure the different possibilities...
I changed the policy for the real "programs files" folder. The permissions on this is
Admin & System: Full
User: Read
Poseruser: read / write
Creator / Owner: special
which are XP Default.

The user I use never was logged on, just gave him permissions for remote desktop, so he is in the remote desktop user group and beside this in the default domain user group. I tested the effective rights, and it shows only read permissions for this user...
The files are created correctly in the program files folder, nevertheless this user don't have permissions. Even if I disable the machine policy, so that the user policy has to create the folder.
That means, it work in general...

Additionally found this...
http://support.microsoft.com/kb/314494/en-us

Also, are there any other restrictions for that computer / user defined in the policies?

Also some reading points me to the evveryone group. As the machine policy as well as the sysvol directory has to be read before the user logs in, the everyone permission hast to set at least to read. For the share AND for the path on the server.
Sysvol seems to be ok, as long as any policy can be applied.

And on the client side, the policy is applied at local system as long as not running in the user context ((user) policy setting)
0
 
LVL 44

Expert Comment

by:Davis McCarn
ID: 38416112
The startup script may be failing because it tries to execute before the network stack has been fully built.  Check this: http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/2a2175bf-132f-46c2-bc5a-4c67932141e2/
0
 

Accepted Solution

by:
RichfieldTech earned 0 total points
ID: 38422865
Firewall.  Solved my own problem.  Thanks for your replies.
0
 

Author Closing Comment

by:RichfieldTech
ID: 38435935
!
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We have adopted the strategy to use Computers in Student Labs as the bulletin boards. The same target can be achieved by using a Login Notice feature in Group policy but it’s not as attractive as graphical wallpapers with message which grabs the att…
In this article, I'll explain how to setup a Plex Media Server (https://plex.tv/) on a Redhat (Centos) 7 based NAS with screenshots to help those looking for assistance.  What is Plex? If you aren't familiar with Plex, it’s a DLNA media serv…
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

577 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question