Permissions on filesystem via Group policy
- From: Slavik <Slavik@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 20 Sep 2005 02:43:03 -0700
Hello,
I need to assign my permissions to the files in folder %systemroot%/inf, for
example - usbstor.inf and usbstor.png.
I do it like this:
On the DC I open the Group Policy that contains the test computer to which I want to apply my
permissions:
Computer Configuration / Windows Settings / Security Settings / File System
Right-click File System and press Add File.
Browse to the file (%systemroot%/inf/usbstor.inf), select it and press OK.
In Database Security, set the permissions (Domain Admins - full, System - full)
and press OK.
Check that I want to replace all permissions.
Then I log on to the test computer, run gpupdate /force, and look at the file permissions
on %systemroot%/inf/usbstor.inf. The permissions are not applied as I described
in the GP.
What am I doing wrong?
Quote:
If we combine Mark Heitbrink's approach with the one outlined in knowledge
base article 823732, we get a more reliable solution. Firstly, we need to
prevent USBSTOR from being installed unless the currently logged on user is
allowed to use USB storage. We do that by restricting access to USBSTOR.INF
and USBSTORE.PNF in a GPO such that PNP can't automatically install the
driver. This is possible because when PNP installs a driver, the installation
is performed using the privileges of the currently logged on user. Secondly,
we need to make sure that USBSTOR is not started when a USB storage device is
plugged in. For that we use Mark's ADM template. The only minor drawback of
my solution is that users with access to USB storage need to manually start
USBSTOR before connecting USB storage devices.
In Active Directory Users and Computers, open an existing GPO or create a
new one and open it. Use the security settings of that GPO to specify which
computers it affects.
In that GPO, go to Computer Configuration – Windows Settings – Security
Settings – File System and create a new entry (right-click File System and
select Add File). Specify the location of USBSTOR.INF (usually
%SystemRoot%\Inf\USBSTOR.INF).
Change the security settings of the new entry. The security settings that
you specify here will be enforced on the USBSTOR.INF of every computer to
which the GPO is applied. This process is not additive, which means that the
previous security settings of USBSTOR.INF will be overwritten by the ones
given in the GPO. It is therefore recommended to grant full control to SYSTEM
and local administrators. But unlike in the default security settings of
USBSTOR.INF, you should not grant any privileges to Everybody. You do not
need to explicitly deny access – just omit an entry for Everybody.
Optionally, you can grant read access to a certain group. Members of this
group will be able to use USB storage.
Repeat the above two steps for USBSTOR.PNF.
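
One way to check on the test computer whether the GPO's File System entries actually took effect, as an added example that is not part of the original post: it reads the ACLs of both files and reports any allow entry for Everyone. Flagging Authenticated Users and BUILTIN\Users as well is an assumption of this example, as is the function name Test-UsbStorAcl; run it from an elevated PowerShell session after gpupdate /force.

```powershell
# Added example: audit the ACLs that the GPO File System entries should enforce.
# Run locally on the target computer after gpupdate /force.
$files = 'usbstor.inf', 'usbstor.pnf'

# Well-known SIDs (locale-independent). Everyone is the principal the quoted
# procedure says to omit; the other two are an added assumption about what
# else counts as too broad.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Test-UsbStorAcl is a hypothetical helper name, not a built-in cmdlet.
function Test-UsbStorAcl {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Findings = @() }
    }
    $acl = Get-Acl -LiteralPath $Path
    # Ask for explicit and inherited rules, expressed as SIDs instead of names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $findings = foreach ($r in $rules) {
        $sid = $r.IdentityReference.Value
        if ($r.AccessControlType -eq 'Allow' -and $broad.ContainsKey($sid)) {
            '{0} allowed {1} (inherited: {2})' -f $broad[$sid], $r.FileSystemRights, $r.IsInherited
        }
    }
    [pscustomobject]@{
        Path     = $Path
        Status   = if ($findings) { 'NotRestricted' } else { 'Restricted' }
        Findings = @($findings)
    }
}

$infDir = Join-Path $env:SystemRoot 'Inf'
foreach ($f in $files) {
    $result = Test-UsbStorAcl -Path (Join-Path $infDir $f)
    '{0}: {1}' -f $result.Path, $result.Status
    $result.Findings | ForEach-Object { "    $_" }
}
```

A status of NotRestricted after a policy refresh means the ACL from the GPO has not replaced the file's previous permissions on that computer.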