Can you control workstation file permissions through 2003 GPO

Guest

I need to control file permissions on workstation files within a particular
folder and with a particular extension on Windows XP SP1 systems in a Windows
2003 domain. For example, I need the members of a particular group to have
read/write access only to files in the C:\APPS folder with the extension
.wld. Is this something I could do from a DC without having to change the
permissions locally on every system? It looks like I can do it only on the
server files.
 
Byron said:
I need to control file permissions on workstation files within a
particular folder and with a particular extension on Windows XP
SP1 systems in a Windows 2003 domain. For example, I need the
members of a particular group to have read/write access only to
files in the C:\APPS folder with the extension .wld. Is this
something I could do from a DC without having to change the
permissions locally on every system? It looks like I can do it
only on the server files.

Hi,

It is not possible to use Group Policy to set permission on files with
the .wld extension without specifying each and every file name as well
(including the path).

A couple of options:


1) If you have a defined list of possible file names (including path), you
can use a GPO to set NTFS permissions on the files:

Computer Configuration\Windows Settings\Security Settings\File System

Right click on "File System" and select "Add File..."

You can use variables in your entries, such as %SystemDrive%, %ProgramFiles%
and so on.


2) If you don't have a list of possible file names, you can configure a
computer startup script that e.g. uses cacls.exe to set permission on
all *.wld in the C:\APPS folder. This will then be done each time the
computer starts up.

A computer startup script (started with a GPO) runs as part of the
boot up process (before the user logs in). It runs under the system
context and has admin rights.
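
One way to write the startup script from option 2, as an added example that is not part of the original reply. The group name EXAMPLE\WldEditors and the log path are placeholders, and mapping "read/write" to the cacls Change right (C) is an assumption.

```batch
@echo off
rem Added example: computer startup script for option 2 (not from the original post).
rem Assumptions: EXAMPLE\WldEditors is a placeholder group, the log path is constructed.
setlocal

set "TARGET=C:\APPS"
set "GROUP=EXAMPLE\WldEditors"
set "LOG=%SystemRoot%\Temp\wld-acl.log"

echo %DATE% %TIME% startup ACL pass on %TARGET% >> "%LOG%"

rem Covers both a missing folder and a folder with no matching files.
if not exist "%TARGET%\*.wld" (
    echo %DATE% %TIME% no .wld files found, nothing to do >> "%LOG%"
    exit /b 0
)

rem /E  edit the existing ACL instead of replacing it, so other entries are kept
rem /C  continue with the remaining files if one returns access denied
rem /P  set this group's entry to the given right, whatever it was before
rem C   Change in cacls terms: read, write, execute and delete
rem A group name that contains spaces must be quoted.
cacls "%TARGET%\*.wld" /E /C /P %GROUP%:C >> "%LOG%" 2>&1

rem Record the resulting ACLs so the result can be checked from the log
rem rather than from the exit code.
cacls "%TARGET%\*.wld" >> "%LOG%" 2>&1

endlocal
```

Because the script runs only at startup, .wld files created later keep the permissions they inherit from C:\APPS until the next boot.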