Home > Group Policy > Set NTFS folder permissions using GPO

Set NTFS folder permissions using GPO

Okay… so… todays posts isn’t something big and all rewamping of how you should do your daily tasks however it’s a small piece of advice on how to get business running again should you encounter a specific situation.

Imagine the following case; You and your collegaues around different departments have been hard at work making the entire setup for your new customer.
Servers has been in-sourced, client computers has been changed to meet new standards and a new Windows 7 image has been created with some of their business critical applications directly integrated while SCCM is configured to take care of the rest of the deployment once the right users logs in for the first time.
Your colleagues in the Remote Desktop Services department has even setup 50 new RDS servers in a special Home Workspace setup. Everything is tested and has been found to work beautifully.

Monday comes and the customer starts working on the new system but just as they fire up one of their business critical applications it crashes – for all of the users.

You discover that this is all due to incorrect NTFS permissions on the applications folder. The application is, sadly, installed directly in the image for all the client computers and even on the RDS servers.

Of course the image and the RDS servers setup needs to be corrected and repacked but this won’t solve the current incident for all teh users right now.

You could of course create a script and / or use cacls.exe to set the right permissions on the folder BUT let me show another neat trick you can do with Group Policy Objects directly through GUI.

Here’s a Step By Step guide to how you can do this.

1. Go to Start >“Search Programs and files”.

2. Type GPMC.msc and hit enter.

Please see Figure 1 for an image corresponding to the above steps.

NTFS folder permissions 1

Figure 1: Open GPMC

3. Go to the Group Policy Objects folder.

4. Right click and select “New”.

Please see Figure 2 for an image corresponding to the above steps.

NTFS folder permissions 2

Figure 2: Create a new GPO

5. Give the new GPO a good name so it’s easy to identify later on.

6. Click “OK”.

Please see Figure 3 for an image corresponding to the above steps.

NTFS folder permissions 3

Figure 3: Give the GPO a *good* name (Do not use the one in the example)

7. Edit the GPO and browse to the following location within:
Computer Configuration > Policies > Windows Settings > Security Settings > File System.

8. Right click at “File System” and click “Add File…”.

Please see Figure 4 for an image corresponding to the above steps.

NTFS folder permissions 4

Figure 4: Go to the File System part and select New

9. Select the application folder at the correct file system position.
If the application folder doesn’t exist at the computer you’re using simply create the folder at the correct place and select that.

10. Click the “OK” button.

Please see Figure 5 for an image corresponding to the above steps.

NTFSfolderpermissions5

Figure 5: Select or create the needed folder

11. You’ll now be presented with a Security window for the selected folder.
You should verify the permissions shown in the window before you proceed to the next step.

12. In our example we’ll add the “Domain Users” group to the security permissions. Do this by selecting the “Add” button.

Please see Figure 6 for an image corresponding to the above steps.

NTFS folder permissions 6

Figure 6: The Security window will appear

13. Type “Domain Users” into the “Enter the object names to select” field.

14. Select the “OK” button.

15. Select “Domain Users” and set the needed permissions. Here we have added Allow::Modify.
Your setup might need a whole lot of other permissions – this is only shown as an example and you should verify that all the permissions is setup as needed in your environment.

16. When done simply selct the “OK” button.

Please see Figure 7 for an image corresponding to the above steps.

NTFS folder permissions 7

Figure 7: Edit the security permissions

17. The “Add Object” window will now appear where you’ll have to make the final decision on how the permissions should be set upon the subfolders and files in regards to inheritable permissions on the files and folders.

18. When done simply selct the “OK” button.

Please see Figure 8 for an image corresponding to the above steps.

NTFS folder permissions 8

Figure 8: Select the appropriate settings

19. Once you’re through you’ll be presented with a view more or less identical to Figure 9.
All you need now is to link the GPO to the correct OU in the Group Policy Management Console and if you’re not using the User part of the GPO, it should be disabled just to keep things as they should be.

NTFS folder permissions 9

Figure 9: Done! You're Now a Hero!

I hope you enjoyed this little guide on how to save the day. I look forward to read your comments :-)

About these ads
Categories: Group Policy
  1. March 25, 2014 at 11:46 PM

    Geez that only saved me like 20 hours of grueling tedious work. I think ill run a muck for a while. Thanks Dude!!!

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 252 other followers

%d bloggers like this: