Applying File Security through GPO


Michel Lapointe

Hello,

I'm currently experimenting with File Security deployment through GPO and I
have a small problem.

Let's say we have

C:\Share
C:\Share\Sub

If I assign NTFS rights (always using GPO) to
C:\Share it works perfectly
C:\Share\Sub it works perfectly

If in the same GPO I assign different security for both folders,
C:\Share\Sub won't receive its security.

There is nothing in the winlogon.log file about the skip of the C:\Share\Sub
policy.

Is anyone aware of such an issue?

Thanks

Michel Lapointe
 
Look at the settings for inheritance on the file/folder definitions.
This setting is not within the NTFS permissions dialog, but on
the way out while you are OK'ing. It sounds like you are having
the settings on x:\share overwrite those on the subfolder.
 
Thanks, that works. However, it forces you to define permissions on every
subfolder if you want to make sure that it never gets modified, since when
using the Propagate inheritable permissions option instead of Replace, it only
adds the inheritable flags to the subfolder.

Also, do you have a good definition of "Do not allow permissions on this
file or folder to be replaced"? The one in the help doesn't really explain
how it prevents permissions from being replaced on this folder... Is it only a
modification restriction by other GPOs or is it more than that?

Thanks

ML
 
My understanding is that the
Do not allow permissions . . . to be replaced
means that other settings _in_that_template_ will not flow
onto or into the area protected by a Do not allow . . .
In other words, if the template has a definition of security
to set on a higher directory, and it is set to propagate, then
using this on a definition for a subsection will exempt it
from having the template's application affect it.

As for your experiment with
C:\Share
C:\Share\Sub
when you make the definition for Sub, you can in the NTFS
dialog indicate whether it will allow inheritables to flow
in upon it.
When you make the definition for Share, on the way out you
need to not select Replace, but Propagate (which will only
propagate to the extent that the receiving allows inheritables
to be propagated onto it).
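The situation discussed in this thread can be checked offline against the GPO's exported security template. The following is an added example, not part of any post above: it parses the `[File Security]` section and reports entries that sit under a parent folder set to Replace. It assumes the template's `"path",mode,"SDDL"` line format with mode 0 = Propagate, 1 = Do not allow permissions to be replaced, 2 = Replace; the sample template and the function names are constructed for illustration.

```python
import csv
import ntpath

# Mode values used in the [File Security] section of a security template.
MODES = {0: "Propagate", 1: "Do not allow replace", 2: "Replace"}

# Constructed sample, modelled on the thread's C:\Share and C:\Share\Sub.
SAMPLE = r'''
[Unicode]
Unicode=yes
[File Security]
"C:\Share",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"
"C:\Share\Sub",0,"D:PAR(A;OICI;FA;;;BA)"
"C:\Share\Keep",1,"D:AR"
"C:\Other",0,"D:AR(A;OICI;FA;;;BA)"
'''

def file_security_entries(template_text):
    """Return [(path, mode, sddl)] from the [File Security] section."""
    entries, in_section = [], False
    for line in template_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[file security]"
        elif in_section and line and not line.startswith(";"):
            path, mode, sddl = next(csv.reader([line], skipinitialspace=True))
            entries.append((path, int(mode), sddl))
    return entries

def is_under(child, parent):
    """True if child is a strict descendant of parent (Windows path rules)."""
    c = ntpath.normcase(ntpath.normpath(child))
    p = ntpath.normcase(ntpath.normpath(parent)).rstrip("\\")
    return c.startswith(p + "\\")

def replace_conflicts(entries):
    """Entries nested under a Replace (2) parent; mode 1 children are exempt,
    following the explanation given in the thread."""
    findings = []
    for parent, pmode, _ in entries:
        if pmode != 2:
            continue
        for child, cmode, _ in entries:
            if is_under(child, parent) and cmode != 1:
                findings.append((parent, child, MODES[cmode]))
    return findings

if __name__ == "__main__":
    for parent, child, mode in replace_conflicts(file_security_entries(SAMPLE)):
        print(f"{child} ({mode}) sits under {parent}, which is set to Replace")
```
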
 