File System Security Settings

[LinearX]

I've been manually setting file system permissions for a long time, and I'd like to be able to do this with GPO. In looking at a GPO object, I see under Computer Configuration the following: Windows Settings -> Security Settings -> File System. I'm assuming that this allows me to specify a directory or group of directories and then apply a set of permissions to it/them.

So far I'm having miserable success at getting this to work (if, indeed, this is how it's supposed to function). I've tried every iteration of a file, directory, whether the permissions are propagated or replaced, etc. I'm sure that either I'm doing something simple that is incorrect, or I've a horrible misunderstanding as to how this is supposed to work.

I'd prefer to do it this way as opposed to writing a script with xcacls to do the file system permissions. Has anyone successfully gotten this to work? If so, what metod did you take and can you provide some insight?

[scottzaiss]

Check your event log on the client. I have run into a few different things that can cause issues with security settings, all of which have shown up there (it usually says 'Security settings not applied). If you can find anything in there, post your findings here and I'll take a look.

Scott

[LinearX]

One thing I discovered it that I cannot use wildcards (perhaps it's possible, but I can't figure it out).

The other thing that I'm not sure of is that under Security Filtering for the object, I didn't have the computer name in the list. I added it and and got rid of the wildcard entry that I was trying, and it started to work. I'm not 100% sure that the computer name (or group) has to be there for it to work or not.

Can you verify that?

[AdamV]

If "authenticated users" is in the filter list with read and apply, that includes all domain-joined computers.
(it would be better if this group were called "authenticated accounts" or something, but there it is)

So, if you do want to filter to only a few machines, untick the auth users boxes and add the computer names. If you have already targetted it closely (eg by OU) then you should not need to worry.

[stuarty]

I've been manually setting file system permissions for a long time, and I'd like to be able to do this with GPO. In looking at a GPO object, I see under Computer Configuration the following: Windows Settings -> Security Settings -> File System. I'm assuming that this allows me to specify a directory or group of directories and then apply a set of permissions to it/them.

So far I'm having miserable success at getting this to work (if, indeed, this is how it's supposed to function). I've tried every iteration of a file, directory, whether the permissions are propagated or replaced, etc. I'm sure that either I'm doing something simple that is incorrect, or I've a horrible misunderstanding as to how this is supposed to work.

I'd prefer to do it this way as opposed to writing a script with xcacls to do the file system permissions. Has anyone successfully gotten this to work? If so, what metod did you take and can you provide some insight?

Hi... I'm looking for help on setting file permissions via GPO too.

I can successfully set the permissions on folders via GPO but the issue I have is when I try to back the setting out by simply removing or unlinking the GPO.

The user or group that I have granted via the GPO is still there.

I think the following technet article suggests that this is normal behaviour but I'm not 100% sure and I'm hoping someone can help confirm.

How Security Settings Extension Works: Group Policy


" Persistence of Security Settings Policy
Security settings can persist even if a setting is no longer defined in the policy that originally applied it.

In Windows Server 2003 and Windows XP, security settings might persist in the following cases:

The setting has not been previously defined for the computer.


The setting is for a registry security object.


The settings are for a file system security object.


In Windows 2000, security settings might persist even if the setting is no longer defined in the GPO that originally applied it. All settings applied through local policy or through a Group Policy object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database then the setting does not revert to anything and remains defined as is. This behavior is sometimes referred to as “tattooing.”

Registry and file security settings will maintain the values applied through Group Policy until that setting is set to other values.

On domain controllers running Windows Server 2003 or Windows 2000, all security settings persist."

I apprecaite that there are other ways of applying the settings but I really would prefer to do this via GPO.

What I really need is the ability to back-out the setting if required.

Thoughts?