Setting directory permissions

Discussion in 'Microsoft Windows 2000 Active Directory' started by Bonno Bloksma, Apr 10, 2009.

  1. Hi,

    For a login log file on the local machine to track some login problem I need
    to have a C:\Temp\ directory where all domain users have read and write
    permissions.
    The C:\Temp directory exists as the login script creates it when it's not
    there. The problem starts when a diffirent users logs on to a machine a does
    not have the right to append to the existing logfile in C:\Temp

    I have a Domain test policy assigned to an OU with a few users and computers
    in them
    I have created an entry Computer configuration, Windows settings, Security
    settings, File system, where %SystemDrive%\Temp is defined.
    I selected C:\Temp but the Policy manager keeps changing it to
    %SystemDrive%\Temp but as that is the same... what the heck.

    Properties are Configure this file or folder item, Replace existing
    permissions..... and when I go to Edit security I see MACHINENAME\Users with
    alle rights set except Full Control.
    So on this machine the rights are as they are supposed to be and the policy
    knows about it

    When I log on to a machine in the Test OU the rights for the C:\Temp
    directory do NOT change. Nor do they after several reboots and gpupate
    /force attempts.

    Entries in this Test policy in the User Configuration part do seem to work
    so maybe I need to do something to get the Computer part working. And no...
    it is not disabled. ;-)

    Do I need to give the computers read rights to the policy or does the SYSTEM
    entry take care of that? If I need to add the Domain Computers group with
    Read rights then the defaults don't make sense. That way a Computer policy
    could never work without changing the default rights.

    How can I troubleshoot this?

    Bonno
     
    Bonno Bloksma, Apr 10, 2009
    #1
    1. Advertisements

  2. Bonno Bloksma

    Marcin Guest

    Bonno,
    make sure that computer accounts that reside in the Test OU have Read and
    Apply Group Policy permissions to the GPO in question.
    Use RSOP.msc or gpresult to verify that the policy settings actually are
    applied to the target computers...

    hth
    Marcin

    "Bonno Bloksma" <> wrote in message
    news:49df2a4a$0$187$4all.nl...
    > Hi,
    >
    > For a login log file on the local machine to track some login problem I
    > need to have a C:\Temp\ directory where all domain users have read and
    > write permissions.
    > The C:\Temp directory exists as the login script creates it when it's not
    > there. The problem starts when a diffirent users logs on to a machine a
    > does not have the right to append to the existing logfile in C:\Temp
    >
    > I have a Domain test policy assigned to an OU with a few users and
    > computers in them
    > I have created an entry Computer configuration, Windows settings, Security
    > settings, File system, where %SystemDrive%\Temp is defined.
    > I selected C:\Temp but the Policy manager keeps changing it to
    > %SystemDrive%\Temp but as that is the same... what the heck.
    >
    > Properties are Configure this file or folder item, Replace existing
    > permissions..... and when I go to Edit security I see MACHINENAME\Users
    > with alle rights set except Full Control.
    > So on this machine the rights are as they are supposed to be and the
    > policy knows about it
    >
    > When I log on to a machine in the Test OU the rights for the C:\Temp
    > directory do NOT change. Nor do they after several reboots and gpupate
    > /force attempts.
    >
    > Entries in this Test policy in the User Configuration part do seem to work
    > so maybe I need to do something to get the Computer part working. And
    > no... it is not disabled. ;-)
    >
    > Do I need to give the computers read rights to the policy or does the
    > SYSTEM entry take care of that? If I need to add the Domain Computers
    > group with Read rights then the defaults don't make sense. That way a
    > Computer policy could never work without changing the default rights.
    >
    > How can I troubleshoot this?
    >
    > Bonno
    >
    >
     
    Marcin, Apr 11, 2009
    #2
    1. Advertisements

  3. Have you run RSOP and verified that this is actually setup correctly? This
    policy is set to apply at boot up it sounds like, since you have it in the
    computer configuration. Are the computers that you want this to apply
    against in this OU?

    You should grant the machines in the OU that the gpo is applied against read
    and apply. I may have misunderstood but to me it sounds like you don't have
    this configured correctly.

    I would set this up to be on the users OU:
    User Configuration \ Windows Settings \ Scripts (Logon/Logoff) \ Logon



    --
    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4

    http://www.pbbergs.com

    Please no e-mails, any questions should be posted in the NewsGroup This
    posting is provided "AS IS" with no warranties, and confers no rights.


    "Bonno Bloksma" <> wrote in message
    news:49df2a4a$0$187$4all.nl...
    > Hi,
    >
    > For a login log file on the local machine to track some login problem I
    > need to have a C:\Temp\ directory where all domain users have read and
    > write permissions.
    > The C:\Temp directory exists as the login script creates it when it's not
    > there. The problem starts when a diffirent users logs on to a machine a
    > does not have the right to append to the existing logfile in C:\Temp
    >
    > I have a Domain test policy assigned to an OU with a few users and
    > computers in them
    > I have created an entry Computer configuration, Windows settings, Security
    > settings, File system, where %SystemDrive%\Temp is defined.
    > I selected C:\Temp but the Policy manager keeps changing it to
    > %SystemDrive%\Temp but as that is the same... what the heck.
    >
    > Properties are Configure this file or folder item, Replace existing
    > permissions..... and when I go to Edit security I see MACHINENAME\Users
    > with alle rights set except Full Control.
    > So on this machine the rights are as they are supposed to be and the
    > policy knows about it
    >
    > When I log on to a machine in the Test OU the rights for the C:\Temp
    > directory do NOT change. Nor do they after several reboots and gpupate
    > /force attempts.
    >
    > Entries in this Test policy in the User Configuration part do seem to work
    > so maybe I need to do something to get the Computer part working. And
    > no... it is not disabled. ;-)
    >
    > Do I need to give the computers read rights to the policy or does the
    > SYSTEM entry take care of that? If I need to add the Domain Computers
    > group with Read rights then the defaults don't make sense. That way a
    > Computer policy could never work without changing the default rights.
    >
    > How can I troubleshoot this?
    >
    > Bonno
    >
    >
     
    Paul Bergson [MVP-DS], Apr 13, 2009
    #3
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Jon Paskett

    Setting default permissions in Active Directory

    Jon Paskett, Feb 6, 2004, in forum: Microsoft Windows 2000 Active Directory
    Replies:
    1
    Views:
    338
    Matjaz Ladava [MVP]
    Feb 8, 2004
  2. Kevin Buchanan

    Security permissions bug or inheritant permissions??

    Kevin Buchanan, Jul 9, 2004, in forum: Microsoft Windows 2000 Active Directory
    Replies:
    11
    Views:
    506
    Kevin Buchanan
    Jul 14, 2004
  3. mmayhew

    Setting Outlook Permissions with Active Directory?

    mmayhew, Mar 10, 2005, in forum: Microsoft Windows 2000 Active Directory
    Replies:
    3
    Views:
    598
    Joe Richards [MVP]
    Mar 19, 2005
  4. Blue Frog

    When to user NTFS permissions and SHARE Permissions?

    Blue Frog, Apr 11, 2006, in forum: Microsoft Windows 2000 Active Directory
    Replies:
    3
    Views:
    755
    Ken Aldrich
    Apr 13, 2006
  5. directory
    Replies:
    0
    Views:
    565
    directory
    Nov 12, 2007
Loading...

Share This Page