Re: Permissions on filesystem via Group policy
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 20 Sep 2005 09:06:30 -0500
Make sure that the computer that you want this to apply to is in the OU
where this Group Policy was applied. If it is a Windows XP/2003 computer you
can use the Resultant Set of Policy MMC snap-in to see exactly what Group
Policy settings are being applied to it. For file system keep in mind that
you want to disable "inherited permissions" in the advanced page if you only
want the permissions you explicitly defined to apply to the file via file
system.

--- Steve

"Slavik" <Slavik@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:79A84A8A-FE44-4B5C-A3E2-870AAB02E1F7@xxxxxxxxxxxxxxxx
> Hello,
> I need to assign my permissions to the files in folder %systemroot%/inf,
> for example - usbstor.inf and usbstor.png.
>
> I do so:
> On the DC I open the Group Policy that contains the test computer to which
> I want to apply my permissions:
> Computer Configuration / Windows Settings / Security Settings / File System
> Right-click File System and press Add File.
> Browse to the file (%systemroot%/inf/usbstor.inf), select it and press OK.
> In Database Security for Domain Admins - full, System - full set the
> permissions and press OK.
> Check that I want to replace all permissions.
> Then I log on to the test computer - gpupdate /force, and see the file
> permissions on %systemroot%/inf/usbstor.inf. The permissions are not applied
> as I describe in GP.
> What am I doing wrong?
>
> Quote:
> If we combine Mark Heitbrink's approach with the one outlined in knowledge
> base article 823732, we get a more reliable solution. Firstly, we need to
> prevent USBSTOR from being installed unless the currently logged on user is
> allowed to use USB storage. We do that by restricting access to USBSTOR.INF
> and USBSTORE.PNF in a GPO such that PNP can't automatically install the
> driver. This is possible because when PNP installs a driver, the
> installation is performed using the privileges of the currently logged on
> user. Secondly, we need to make sure that USBSTOR is not started when a USB
> storage device is plugged in. For that we use Mark's ADM template. The only
> minor drawback of my solution is that users with access to USB storage need
> to manually start USBSTOR before connecting USB storage devices.
>
> In Active Directory Users and Computers, open an existing GPO or create a
> new one and open it. Use the security settings of that GPO to specify which
> computers it affects.
> In that GPO, go to Computer Configuration - Windows Settings - Security
> Settings - File System and create a new entry (right-click File System and
> select Add File). Specify the location of USBSTOR.INF (usually
> %SystemRoot%\Inf\USBSTOR.INF)
> Change the security settings of the new entry. The security settings that
> you specify here will be enforced on the USBSTOR.INF of every computer to
> which the GPO is applied. This process is not additive, which means that the
> previous security settings of USBSTOR.INF will be overwritten by the ones
> given in the GPO. It is therefore recommended to grant full control to
> SYSTEM and local administrators. But unlike in the default security settings
> of USBSTOR.INF, you should not grant any privileges to Everybody. You do not
> need to explicitly deny access - just omit an entry for Everybody.
> Optionally, you can grant read access to a certain group. Members of this
> group will be able to use USB storage.
> Repeat the above two steps for USBSTOR.PNF.
>
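
One way to check on the target computer whether the File System policy discussed in this thread took effect, as an added example that is not part of the original messages: it reports whether inheritance is disabled on each file and which allow entries remain. The function name `Test-UsbStorAcl`, its `-AllowedSid` parameter and the default allow-list (SYSTEM and built-in Administrators) are assumptions for illustration.

```powershell
# Added example (not from the thread). Run elevated on the target computer
# after "gpupdate /force". Test-UsbStorAcl and -AllowedSid are hypothetical names.
function Test-UsbStorAcl {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # Assumed default: SYSTEM and BUILTIN\Administrators (well-known SIDs).
        # Add the SID of Domain Admins or of the optional read-access group here.
        [string[]] $AllowedSid = @('S-1-5-18', 'S-1-5-32-544')
    )
    $findings = @()
    if (-not (Test-Path -LiteralPath $Path)) {
        $findings += 'file not found'
    } else {
        $acl = Get-Acl -LiteralPath $Path
        # Disabled inheritance shows up as a protected DACL.
        if (-not $acl.AreAccessRulesProtected) {
            $findings += 'inheritance still enabled'
        }
        # Ask for SIDs instead of names so the check is locale independent.
        $sidType = [System.Security.Principal.SecurityIdentifier]
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Value
            if ($sid -eq 'S-1-1-0') {
                # S-1-1-0 is the well-known SID of Everyone.
                $findings += "Everyone: $($ace.FileSystemRights)"
            } elseif ($AllowedSid -notcontains $sid) {
                $findings += "unexpected ${sid}: $($ace.FileSystemRights)"
            }
        }
    }
    [pscustomobject]@{
        Path      = $Path
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings -join '; '
    }
}

# Check both files named in the thread.
'usbstor.inf', 'usbstor.pnf' |
    ForEach-Object { Test-UsbStorAcl -Path (Join-Path $env:SystemRoot "inf\$_") } |
    Format-List
```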