Re: Add custom local user to NTFS rights from GPO
- From: "Bruce Sanderson" <bsanders@xxxxxxxxxxxxxxxxx>
- Date: Thu, 12 Apr 2007 21:38:05 -0700
For what it's worth, I suggest NOT using Local Groups at all. Domain groups can be directly applied in NTFS permissions.
A big reason for avoiding Local Groups is that there is no central way to find out which domain user accounts and domain groups are members of a local group (or directly included in a permission list either).
I suggest defining a Domain group specifically for the permission set (e.g. Modify) to be applied to the resource (e.g. folder) and using that Domain group only for setting permissions on that resource. Then, populate the Domain group with domain user accounts or domain groups as appropriate. Then, you can find out using Active Directory Users and Computers which groups and thus user accounts have the granted permission on the resource. It also allows you to do the inverse - for a given user account find out what permissions they have to what no matter which computer the resource is on.
With Windows NT 4, group nesting was very limited and using Local Groups was required. With Windows 2000 and later, you only need to use Local Groups if you are using local user accounts for some particular reason and the built-in Local Groups (e.g. Users, Power Users) are not adequate for the purpose.
--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"fpbear" <dontsendhere@xxxxxxxxxx> wrote in message news:u9M%23DJGfHHA.596@xxxxxxxxxxxxxxxxxxxxxxx
I thought it would be possible to specify a generic custom local group when setting the NTFS rights in the File System section of the GPO. But when I type in the object it always resolves to the SID, i.e. it first checks to see that the object exists on a domain or target machine. I thought I could just do this by typing in a name and let the text string resolve during client processing of the GPO.
This method can be used with User Rights Assignment. You can just type in the name of a custom local group and it will match the display name during client processing of the GPO. There is no need to resolve to the SID with User Rights Assignment.
We need to do this because we would like to put all of the special NTFS permissions in the GPO, but the problem is that we are adding a custom local group. It wouldn't make sense to browse to the target client machine and let it resolve as a SID because the custom local group will have a different SID on each target workstation.
Otherwise we'd have to set the NTFS lockdowns using the application's installer, but this doesn't make it as visible for security auditing purposes.
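As an added example (not part of this thread), the audit Bruce describes doing by hand in Active Directory Users and Computers can be scripted: read a folder's ACL, expand each domain-group ACE recursively into the user accounts it grants access to, and flag local or built-in principals, which cannot be resolved centrally because their SIDs are machine-specific. It assumes a domain-joined host with the ActiveDirectory RSAT module; the folder path and the NetBIOS domain name `CORP` are constructed placeholders.

```powershell
function Get-EffectiveFolderAccess {
    # Reports, per ACE on $Path, which domain user accounts end up with the
    # granted rights. $Domain is the NetBIOS name used in ACE identities;
    # 'CORP' is a placeholder for this example.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Domain = 'CORP'
    )
    Import-Module ActiveDirectory

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $id       = $ace.IdentityReference.Value     # e.g. "CORP\Finance-Modify"
        $isDomain = $id -like "$Domain\*"
        $members  = @()

        if ($isDomain) {
            $sam = $id.Split('\')[1]
            # Distinguish a group ACE from a direct user ACE.
            $isGroup = $false
            try { $null = Get-ADGroup -Identity $sam -ErrorAction Stop; $isGroup = $true } catch { }

            $members = if ($isGroup) {
                # -Recursive flattens nested groups down to the user accounts.
                Get-ADGroupMember -Identity $sam -Recursive |
                    Where-Object objectClass -eq 'user' |
                    Select-Object -ExpandProperty SamAccountName
            } else {
                @($sam)   # permission granted directly to a domain user
            }
        }

        [pscustomobject]@{
            Identity            = $id
            Type                = $ace.AccessControlType
            Rights              = $ace.FileSystemRights
            Inherited           = $ace.IsInherited
            CentrallyResolvable = $isDomain   # $false => local/built-in, check on the host
            EffectiveUsers      = ($members -join ', ')
        }
    }
}

# Placeholder path; run against the folder whose permissions you are auditing.
Get-EffectiveFolderAccess -Path 'D:\Shares\Finance' -Domain 'CORP' | Format-Table -AutoSize
```

Rows with CentrallyResolvable set to $false are exactly the local-group entries Bruce warns about: nothing in AD tells you who is behind them, so each host has to be inspected individually.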