Apply Group Policy to NTFS File System

[Guest]

Im trying to apply group policy to an application group I created to change NTFS permissions on a folder. I removed the Authenticated users ( also tried just setting only read and unchecked Apply Group Policy) and added the group to Read and Apply group policy. I set this policy on the domain level. I cant get it to work. Any thoughts

Thanks
Pace

 

[Paul Adare]

microsoft.public.win2000.security news group, =?Utf-8?B?

Im trying to apply group policy to an application group I created to change NTFS permissions on a folder. I removed the Authenticated users ( also tried just setting only read and unchecked Apply Group Policy) and added the group to Read and Apply group policy. I set this policy on the domain level. I cant get it to work. Any thoughts?

Yeah, you're not understanding how Group Policy works. The GP settings
you're trying to apply (NTFS permissions), are Computer settings, not
User settings. That portion of a GPO is processed by computers not
users. Trying to filter this GPO by using a group containing user
accounts is going to accomplish exactly zero.

What exactly are you trying to accomplish here?

 

[Guest]

An application we have requires certain registry settings as well as NTFS permissions. Ive created a group adding all the users who use this application. When a user logs in that is a part of this group I want those permissions to apply. I know it is a Computer Configuration. If I apply this COmputer Configuration to Authenticated Users Group (which is considered a user) it will download the permissions when I log in as any user in the domain. But if I add a group or paticular user, it will not work. Ive even tried adding the computer to the application group and it will not pull the permissions for the computer.

 

[Steven L Umbach]

Try placing the [or a few test] users in an Organizational Unit instead and apply the
policy to a new GPO for that OU. Unless you configure otherwise, all other Group
Policy configuration from domain level, etc, will still be inherited and applied to
those users. Gpresult can then help troubleshoot the policy. I usually like to also
configure at least one other user configuration [like disable control panel/display]
setting for that GPO during the test to see if it works to help see if the GPO is
actually being applied and help determine if the problem is a configuration issue for
the custom policy such as the ntfs permissions you are trying to apply. --- Steve

http://support.microsoft.com/default.aspx?scid=KB;EN-US;q250842&

Im trying to apply group policy to an application group I created to change NTFS

permissions on a folder. I removed the Authenticated users ( also tried just setting
only read and unchecked Apply Group Policy) and added the group to Read and Apply
group policy. I set this policy on the domain level. I cant get it to work. Any
thoughts?

 

[Paul Adare]

microsoft.public.win2000.security news group, =?Utf-8?B?

An application we have requires certain registry settings as well as NTFS permissions. Ive created a group adding all the users who use this application. When a user logs in that is a part of this group I want those permissions to apply. I know it is a Computer Configuration. If I apply this COmputer Configuration to Authenticated Users Group (which is considered a user) it will download the permissions when I log in as any user in the domain. But if I add

a group or paticular user, it will not work. Ive even tried adding the computer to the application group and it will not pull the permissions for the computer.
You're still not understanding this correctly. Here are a few things to
consider:

1. Authenticated Users, regardless of what the name implies, also
includes computer accounts.

2. NTFS persmissions when assigned via Group Policy, are assigned to
computers, not users.

You're thinking about this all backward. What you really want to do is
to use Group Policy to push a set of Access Control Entries (ACEs) to
the computers on which this application is installed. These ACEs list
the group you've created, along with the permissions that they must be
granted.

You do not want this GPO to be processed by the users that need the NTFS
permissions, you need this GPO to be processed by the computers on which
this application is installed.

 

[Steven L Umbach]

After reading Paul's reply I realized that I was incorrect. You would need to place
the computers into the OU for the reasons he stated. Thanks Paul. --- Steve

Try placing the [or a few test] users in an Organizational Unit instead and apply the
policy to a new GPO for that OU. Unless you configure otherwise, all other Group
Policy configuration from domain level, etc, will still be inherited and applied to
those users. Gpresult can then help troubleshoot the policy. I usually like to also
configure at least one other user configuration [like disable control panel/display]
setting for that GPO during the test to see if it works to help see if the GPO is
actually being applied and help determine if the problem is a configuration issue for
the custom policy such as the ntfs permissions you are trying to apply. --- Steve

http://support.microsoft.com/default.aspx?scid=KB;EN-US;q250842&

Im trying to apply group policy to an application group I created to change NTFS

permissions on a folder. I removed the Authenticated users ( also tried just setting
only read and unchecked Apply Group Policy) and added the group to Read and Apply
group policy. I set this policy on the domain level. I cant get it to work. Any
thoughts?

Thanks,
Pacer

 

[Paul Adare]

microsoft.public.win2000.security news group, Steven L Umbach

Try placing the [or a few test] users in an Organizational Unit instead and apply the
policy to a new GPO for that OU. Unless you configure otherwise, all other Group
Policy configuration from domain level, etc, will still be inherited and applied to
those users. Gpresult can then help troubleshoot the policy. I usually like to also
configure at least one other user configuration [like disable control panel/display]
setting for that GPO during the test to see if it works to help see if the GPO is
actually being applied and help determine if the problem is a configuration issue for
the custom policy such as the ntfs permissions you are trying to apply.

Since he's setting NTFS permissions, which are processed by computers,
and not users, it really doesn't matter in the least where his user
accounts are located.

 

[Paul Adare]

microsoft.public.win2000.security news group, Steven L Umbach

After reading Paul's reply I realized that I was incorrect. You would need to place
the computers into the OU for the reasons he stated. Thanks Paul.

No worries Steve. You've been gentle with me here in the past.

 

[Guest]

I appreciate all your help guys. We just integrated into 2000 and learning a lot of things as we go. Thanks a lot for the info.. Have a good Holiday!

 

[Guest]

One more question, can I add these computers that need the permissions to the Application group I created. Then set in the group plicy for it to apply only to that group? Or do I have to enter in all computers on the security tab of the Group policy that I want it to push to.

 

[Paul Adare]

microsoft.public.win2000.security news group, =?Utf-8?B?

Have a good Holiday!

Thanks, but just as an FYI, contrary to popular belief, not everyone on
the Internet lives in the US. We had our Thanksgiving holiday in
October.

 

[Paul Adare]

microsoft.public.win2000.security news group, =?Utf-8?B?

One more question, can I add these computers that need the permissions to the Application group I created. Then set in the group plicy for it to apply only to that group? Or do I have to enter in all computers on the security tab of the Group policy that I want it to push to.

You're still not getting it. I'll try an example.

Let's say that my application installs to C:\MyApp.

I have 100 users that run this application and they need to have Full
Control permissions on this folder.

This application is installed on 100 computers, and I don't want to have
to manually set the NTFS permissions on those 100 computers.

To simplify the assignment of permissions, I create a group called MyApp
Users and put the 100 user into that group.

Now I create a Group Policy object that defines the NTFS settings for C:
\MyApp such that the MyApp Users group is granted full control.

Now, at this point, if I link this GPO at the domain level, it will
apply to every computer in the domain. Only 100 of those computers
actually have the C:\MyApp folder though. The NTFS permissions on the C:
\MyApp folder on those 100 machines will be MyApp Users with Full
Control after the GPO is processed. Note that since this GPO contains
settings that are processed by computers, these settings will be applied
before anyone even logs into the computer. All of the rest of the
computers in the domain that do not have the C:\MyApps folder will
either ignore the settings, or they may try to process them and log an
error in the event log (can't recall which off the top of my head).

So, now you've got the correct NTFS permissions on the 100 machines that
have MyApp installed, and any of the users in the MyApp Users group will
be able to run the app, and no one else can.

To refine this somewhat, so that this GPO is only processed by the
computers that have MyApp installed, you have two options:

1. Move all of the computers that have this MyApp installed into a new
OU, and then link the GPO with the NTFS settings to that OU.

or

2. Create another group called MyApp Computers, add the 100 computer
accounts that need to process this GPO to that group. Keep the GPO
linked at the domain level. Remove Authenticated Users from the ACL of
this GPO, and add the MyApp Computers group, granting Read and Apply
Group Policy permissions. This way, no matter what OU the computers are
in that have MyApp installed, they will get this GPO, and due to the new
ACL, it will only be processed by computers whose accounts are in the
MyApp Computers group.

You really should read up on how Group Policy works. Microsoft has
excellent white papers on their web site, and on-line help is pretty
good as well.

 

[Guest]

I do understand now. I know I need to read up on this tool a lot more. Im going to get this going so I appreciate all your help