Can you control workstation file permissions through 2003 ..

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I need to control file permissions on workstation files within a particular
folder and with a particular extension on Windows XP SP1 systems in a Windows
2003 domain. For example, I need the members of a particular group to have
read/write access only to files in the C:\APPS folder with the extension
..wld. Is this something I could do from a DC without having to change the
permissions locally on every system? It looks like I can do it only on the
server files.

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Byron wrote:

> I need to control file permissions on workstation files within a
> particular folder and with a particular extension on Windows XP
> SP1 systems in a Windows 2003 domain. For example, I need the
> members of a particular group to have read/write access only to
> files in the C:\APPS folder with the extension .wld. Is this
> something I could do from a DC without having to change the
> permissions locally on every system? It looks like I can do it
> only on the server files.
Hi,

It is not possible to use Group Policy to set permission on files with
the .wld extension without specifying each and every file name as well
(including the path).

A couple of options:


1)
If you have a defined list of possible file names (including path), you
can use a GPO to set NTFS permissions on the files:

Computer Configuration\Windows Settings\Security Settings\File System

Right click on "File System" and select "Add File..."

You can use variables in your entry's such %SystemDrive% %ProgramFiles%
and so on.


2)
If you don't have a list of possible file names, you can configure a
computer startup script that e.g. uses cacls.exe to set permission on
all *.wld in the C:\APPS folder. This will then be done each time the
computer starts up.

A computer startup script (started with a GPO) runs as part of the
boot up process (before the user logs in). It runs under the system
context and has admin rights.


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/s [...] fault.mspx