PC Review


Reply
Thread Tools Rate Thread

Setting directory permissions

 
 
Bonno Bloksma
Guest
Posts: n/a
 
      10th Apr 2009
Hi,

For a login log file on the local machine to track some login problem I need
to have a C:\Temp\ directory where all domain users have read and write
permissions.
The C:\Temp directory exists as the login script creates it when it's not
there. The problem starts when a diffirent users logs on to a machine a does
not have the right to append to the existing logfile in C:\Temp

I have a Domain test policy assigned to an OU with a few users and computers
in them
I have created an entry Computer configuration, Windows settings, Security
settings, File system, where %SystemDrive%\Temp is defined.
I selected C:\Temp but the Policy manager keeps changing it to
%SystemDrive%\Temp but as that is the same... what the heck.

Properties are Configure this file or folder item, Replace existing
permissions..... and when I go to Edit security I see MACHINENAME\Users with
alle rights set except Full Control.
So on this machine the rights are as they are supposed to be and the policy
knows about it

When I log on to a machine in the Test OU the rights for the C:\Temp
directory do NOT change. Nor do they after several reboots and gpupate
/force attempts.

Entries in this Test policy in the User Configuration part do seem to work
so maybe I need to do something to get the Computer part working. And no...
it is not disabled. ;-)

Do I need to give the computers read rights to the policy or does the SYSTEM
entry take care of that? If I need to add the Domain Computers group with
Read rights then the defaults don't make sense. That way a Computer policy
could never work without changing the default rights.

How can I troubleshoot this?

Bonno


 
Reply With Quote
 
 
 
 
Marcin
Guest
Posts: n/a
 
      11th Apr 2009
Bonno,
make sure that computer accounts that reside in the Test OU have Read and
Apply Group Policy permissions to the GPO in question.
Use RSOP.msc or gpresult to verify that the policy settings actually are
applied to the target computers...

hth
Marcin

"Bonno Bloksma" <(E-Mail Removed)> wrote in message
news:49df2a4a$0$187$(E-Mail Removed)4all.nl...
> Hi,
>
> For a login log file on the local machine to track some login problem I
> need to have a C:\Temp\ directory where all domain users have read and
> write permissions.
> The C:\Temp directory exists as the login script creates it when it's not
> there. The problem starts when a diffirent users logs on to a machine a
> does not have the right to append to the existing logfile in C:\Temp
>
> I have a Domain test policy assigned to an OU with a few users and
> computers in them
> I have created an entry Computer configuration, Windows settings, Security
> settings, File system, where %SystemDrive%\Temp is defined.
> I selected C:\Temp but the Policy manager keeps changing it to
> %SystemDrive%\Temp but as that is the same... what the heck.
>
> Properties are Configure this file or folder item, Replace existing
> permissions..... and when I go to Edit security I see MACHINENAME\Users
> with alle rights set except Full Control.
> So on this machine the rights are as they are supposed to be and the
> policy knows about it
>
> When I log on to a machine in the Test OU the rights for the C:\Temp
> directory do NOT change. Nor do they after several reboots and gpupate
> /force attempts.
>
> Entries in this Test policy in the User Configuration part do seem to work
> so maybe I need to do something to get the Computer part working. And
> no... it is not disabled. ;-)
>
> Do I need to give the computers read rights to the policy or does the
> SYSTEM entry take care of that? If I need to add the Domain Computers
> group with Read rights then the defaults don't make sense. That way a
> Computer policy could never work without changing the default rights.
>
> How can I troubleshoot this?
>
> Bonno
>
>



 
Reply With Quote
 
 
 
 
Paul Bergson [MVP-DS]
Guest
Posts: n/a
 
      13th Apr 2009
Have you run RSOP and verified that this is actually setup correctly? This
policy is set to apply at boot up it sounds like, since you have it in the
computer configuration. Are the computers that you want this to apply
against in this OU?

You should grant the machines in the OU that the gpo is applied against read
and apply. I may have misunderstood but to me it sounds like you don't have
this configured correctly.

I would set this up to be on the users OU:
User Configuration \ Windows Settings \ Scripts (Logon/Logoff) \ Logon



--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.


"Bonno Bloksma" <(E-Mail Removed)> wrote in message
news:49df2a4a$0$187$(E-Mail Removed)4all.nl...
> Hi,
>
> For a login log file on the local machine to track some login problem I
> need to have a C:\Temp\ directory where all domain users have read and
> write permissions.
> The C:\Temp directory exists as the login script creates it when it's not
> there. The problem starts when a diffirent users logs on to a machine a
> does not have the right to append to the existing logfile in C:\Temp
>
> I have a Domain test policy assigned to an OU with a few users and
> computers in them
> I have created an entry Computer configuration, Windows settings, Security
> settings, File system, where %SystemDrive%\Temp is defined.
> I selected C:\Temp but the Policy manager keeps changing it to
> %SystemDrive%\Temp but as that is the same... what the heck.
>
> Properties are Configure this file or folder item, Replace existing
> permissions..... and when I go to Edit security I see MACHINENAME\Users
> with alle rights set except Full Control.
> So on this machine the rights are as they are supposed to be and the
> policy knows about it
>
> When I log on to a machine in the Test OU the rights for the C:\Temp
> directory do NOT change. Nor do they after several reboots and gpupate
> /force attempts.
>
> Entries in this Test policy in the User Configuration part do seem to work
> so maybe I need to do something to get the Computer part working. And
> no... it is not disabled. ;-)
>
> Do I need to give the computers read rights to the policy or does the
> SYSTEM entry take care of that? If I need to add the Domain Computers
> group with Read rights then the defaults don't make sense. That way a
> Computer policy could never work without changing the default rights.
>
> How can I troubleshoot this?
>
> Bonno
>
>


 
Reply With Quote
 
 
 
Reply

Thread Tools
Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Re: ultimate: permissions permissions permissions... Colon Terminus Windows Vista General Discussion 0 14th Apr 2008 07:14 PM
Setting File & Directory Permissions To Stop Inadvertant File Movement Bob Huntley Windows XP General 0 29th Jun 2006 07:14 PM
Setting file/directory permissions =?Utf-8?B?U3RldmUgQnVnZGVu?= Microsoft Dot NET Framework 2 26th Mar 2005 12:05 AM
Setting Outlook Permissions with Active Directory? mmayhew Microsoft Windows 2000 Active Directory 3 19th Mar 2005 08:19 AM
Setting default permissions in Active Directory Jon Paskett Microsoft Windows 2000 Active Directory 1 8th Feb 2004 11:45 PM


Features
 

Advertising
 

Newsgroups
 


All times are GMT +1. The time now is 12:37 AM.