Re: Folder Security sporadically working

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

Frankly I am surprised that you are seeing the %UserProfile%\Desktop
part get applied correctly at all. GPO based filesystem permissions are
a Computer level policy, applied by the system without access to the
user's session and value of %UserProfile%
Perhaps you should look into why it seems like it works sometimes ?!!
You might want to approach this via a startup or shutdown script that
looks at the existing dirs just under Documents and Settings and does
a test/set of each one's Desktop folder.


"theta12" <theta12@xxxxxxxxx> wrote in message
news:1184359193.437958.11260@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I'm trying to lock down the desktop folder of all users on machines by
OU. Because of the complexity of our organization, desktop folder
redirection, mandatory profiles and roaming profiles are not an option
so I went with a File Security GPO via Active Directory for
simplicity. I'm trying to set the permissions for domain users and
not local users. The GPO sets file rights on the following folders:

%AllUsersProfile%\Desktop
%SystemDrive%\Documents and Settings\Default User\Desktop
%UserProfile%\Desktop

When I look at my pc's, the All User's and Default User folders have
the correct file permissions set on them. However, the UserProfile
\Desktop sometimes works and sometimes doesn't. My understanding was
that when a new profile is created, it should make a copy of default
user profile and apply that. Even if that's not the case and the
account already exists, when the PC boots up it should at least set
file permissions on one of the user's desktop folders (I'm assuming
the last cached value in the registry) but even that doesn't work. I
can't seem to figure out a rhyme or reason why it does or does not
apply the %userprofile% file security. I'll reboot a machine 10 times
and it will never apply the security to any user profiles but I'll
reboot the machine right next to that one and it will apply the
security correctly.

All PC's are XP SP2 on a Windows 2003 domain, are all part of the same
OU, and patched to the same level. There is no firewall on the pc's
either. All my other policies are applying correctly so I know it's
not a rights issue, connectivity issue or network issue. There are no
errors in any of the event logs. What am I missing?



.

Relevant Pages

  • Re: Desktop security
    ... Mandatory roaming profiles may be one solution. ... permissions on the desktop folder in their user profiles under my documents ... and settings so that they have only read/list/execute permissions and are ...
    (microsoft.public.win2000.security)
  • Re: Problem with roaming profles
    ... So, verify the permissions, while everyone's logged out: ... At the parent profile folder, Administrators is the owner (not the ... roaming profiles not being found at logon. ...
    (microsoft.public.windows.server.sbs)
  • Re: Loopback Processing
    ... As long as loopback is set in one GPO, ... >to be set in any other GPO that falls with the hierarchy? ... >why does it still apply the User Configuration settings. ... >>computer provided it has permissions to the GPO's. ...
    (microsoft.public.windows.group_policy)
  • Re: dns administration delegation
    ... permissions that grant unnecessary rights. ... I wasn't aware of the GPO ... these admins full access to their local dns servers (which are also domain ...
    (microsoft.public.windows.server.dns)
  • Re: dns administration delegation
    ... I'm more concerned about these admins to have the ... early in the deployment of DNS servers and then seldom if every ... permissions that grant unnecessary rights. ... I wasn't aware of the GPO ...
    (microsoft.public.windows.server.dns)