Can you control workstation file permissions through 2003 ..

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I need to control file permissions on workstation files within a particular
folder and with a particular extension on Windows XP SP1 systems in a Windows
2003 domain. For example, I need the members of a particular group to have
read/write access only to files in the C:\APPS folder with the extension
..wld. Is this something I could do from a DC without having to change the
permissions locally on every system? It looks like I can do it only on the
server files.
1 answer Last reply
More about control workstation file permissions 2003
  1. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Byron wrote:

    > I need to control file permissions on workstation files within a
    > particular folder and with a particular extension on Windows XP
    > SP1 systems in a Windows 2003 domain. For example, I need the
    > members of a particular group to have read/write access only to
    > files in the C:\APPS folder with the extension .wld. Is this
    > something I could do from a DC without having to change the
    > permissions locally on every system? It looks like I can do it
    > only on the server files.
    Hi,

    It is not possible to use Group Policy to set permission on files with
    the .wld extension without specifying each and every file name as well
    (including the path).

    A couple of options:


    1)
    If you have a defined list of possible file names (including path), you
    can use a GPO to set NTFS permissions on the files:

    Computer Configuration\Windows Settings\Security Settings\File System

    Right click on "File System" and select "Add File..."

    You can use variables in your entry's such %SystemDrive% %ProgramFiles%
    and so on.


    2)
    If you don't have a list of possible file names, you can configure a
    computer startup script that e.g. uses cacls.exe to set permission on
    all *.wld in the C:\APPS folder. This will then be done each time the
    computer starts up.

    A computer startup script (started with a GPO) runs as part of the
    boot up process (before the user logs in). It runs under the system
    context and has admin rights.


    --
    torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    Administration scripting examples and an ONLINE version of
    the 1328 page Scripting Guide:
    http://www.microsoft.com/technet/scriptcenter/default.mspx
Ask a new question

Read More

Workstations Permissions Windows XP