User lost from ACL

Guest

I am running WinXP Pro SP2 in a Win2k Server Active Directory domain. I
recently installed a certain new application. When I tried to open the app
when logged on as a domain user it failed. I added the user to the NTFS
Access Control List for the folder containing the program files and gave the
user Modify permission. The program starts fine with this condition set.

When I log on with the user account the next day the program starts and
performs normally. When I try to close the program I get errors and
ultimately have to use Task Manager to close the application.

When this occurs I find the user is no longer included in the NTFS ACL for
the folder containing the program files.

Why does the user disappear from the list of users given NTFS permissions?
 
Possibly you have Group Policy in the domain that is enforcing file
permissions on that folder or even it could be happening locally with a
security template that is being applied at startup or by schedule. You can
use the command rsop.msc in the run box to find out what Group Policy
settings are being applied to that domain computer and user. If there is a
group that has necessary access permissions to the folder you may want to
add the user to the group as long as he does not end up with excessive
permissions/powers on the computer or in the domain. --- Steve
 
Steve, thank you for the guidance. I ran rsop.msc and found the Domain
Security Policy setting was forcing folders in c:\program files to be changed
to the inheritable permissions of the parent folder.

I had been trying to set the permissions on the c:\program
files\<application> folder and the policy was apparently resetting the
permissions.

The only solution I have found is to give the user the permissions for the
entire c:\program files folder. I wonder if this is a reasonable practice.
 
You could either talk to the powers that be and remove the domain computer
from the influence of the Group Policy that is enforcing the permissions,
modify the permissions at the Group Policy level, or do what you are doing.
The user right now probably has excessive permissions to the program files
folder which is the least desirable option unless this particular user can
be trusted to not alter the contents of the program files folder. ---
Steve
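
An added example, not part of the thread: a small Python check that reads the `[File Security]` section of a security template and reports whether a local ACL edit on a given folder would be overwritten when the policy is applied. The template text, the `SomeApp` folder name and the environment mapping are constructed for illustration, and the model is simplified to the most specific matching entry only.

```python
import ntpath

# Constructed sample in the layout of a security template's [File Security]
# section: "path",mode,"SDDL". Mode 0 = propagate inheritable permissions,
# 1 = ignore (do not replace), 2 = replace permissions on all subfolders/files.
SAMPLE_TEMPLATE = r'''
[Unicode]
Unicode=yes
[File Security]
"%ProgramFiles%",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
"%SystemRoot%\repair",1,"D:PAR(A;OICI;FA;;;BA)"
[Version]
signature="$CHICAGO$"
'''

def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))

def parse_file_security(text, env):
    """Return [(normalized_path, mode, sddl)] from the [File Security] section."""
    entries, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[file security]"
        elif in_section and line.startswith('"'):
            path, rest = line[1:].split('",', 1)
            mode, sddl = rest.split(",", 1)
            for var, value in env.items():  # expand %VAR% using the supplied mapping
                path = path.replace("%" + var + "%", value)
            entries.append((_norm(path), int(mode), sddl.strip('"')))
    return entries

def governing_entry(entries, folder):
    """Most specific template entry at or above `folder`, or None."""
    folder = _norm(folder)
    hits = [e for e in entries if folder == e[0] or folder.startswith(e[0] + "\\")]
    return max(hits, key=lambda e: len(e[0]), default=None)

def will_be_reset(entries, folder):
    """True if a local ACL edit on `folder` is overwritten when policy applies.
    Simplified: only the most specific entry is considered."""
    entry = governing_entry(entries, folder)
    if entry is None:
        return False
    path, mode, _ = entry
    # An entry on the folder itself rewrites its DACL unless mode is 1;
    # an ancestor entry only wipes explicit ACEs below it in replace mode (2).
    return mode != 1 and (path == _norm(folder) or mode == 2)
```

A replace-mode entry on the parent is consistent with what the original poster observed; the "modify the permissions at the Group Policy level" option corresponds to adding an entry for the application folder whose SDDL carries the user's or group's access.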
 