Group Policy Setting Owner

H

I have a set of files (everything in a subfolder) which
have rights set so that a group of users can access the
files (The folder has the same permissions etc set). The
owner on the files is administrator; domain or local no
matter. The permissions on the files state that domain
admins can have full control and that domain users (the
group in question) have modify rights with deny set for
other abilities, (delete sub folders etc, take
ownership...).

Everything is fine until the application, an old package,
runs its database update (the files are the local copy of
the database). The files' permissions and owner are then
changed according to who is logged in at the time. The
user will of course be a member of the domain users group.

This is bad because when another user logs on they cannot
modify the files based on the changes that have occurred
and so the application no longer works.

To resolve this I wrote a group policy to reset the files on
every system running the application so that with a
restart or gp refresh they would return to their required
values.

When sitting at the system it is possible to refresh the
permissions on the files; for instance by going to the
parent folder and selecting the reset permissions on sub
items. However before this can be done it is required that
the ownership rights be taken back otherwise the
administrator account is not able to set the permissions
on some of the files.

So, for the group policy to run correctly and reset the
permissions I need the policy to first set the owner.

My problem is that I need to set the owner of the files
using a gp prior to setting permissions with a gp.

H.
 
Chriss3

There is a simple solution here I think.

Make use of the Policy setting File System
Computer Configuration\Windows Settings\Security Settings\File System

Allows an administrator to define access permissions (DACLs) and audit
settings (SACLs) for file system objects.

Don't let domain users have permission to change the ACL, then the
application can't change the ACL.

Apply the permission to the particular folder using the policy setting
above.

For example, apply the following permissions for Authenticated Users.

Modify
Read & Execute
Read
Write

There is an option that you lose without Full Control, which is take
ownership; well, you can add this by using Special Permissions if needed.




--
Regards,

Christoffer Andersson
No email replies please - reply in the newsgroup
If the information was helpful, you can let me know at:
http://www.itsystem.se/employers.asp?ID=1
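
An added example, not code from either poster: a PowerShell script that audits a data folder for the drift described in the question (changed owner, or a non-admin allowed to change permissions or take ownership) and, with `-Repair`, takes ownership back before resetting child ACLs, which is the order the question requires. The folder path, the `CONTOSO` domain name and the trusted list are assumptions; it assumes the folder's own ACL is already the desired one, that children should inherit from it, and that the script runs elevated (for example as a computer startup script).

```powershell
# Added example, not from the thread. Path and trustee names are assumptions.
param(
    [string]$Root = 'C:\App\Data',                         # hypothetical data folder
    [string]$ExpectedOwner = 'BUILTIN\Administrators',
    [string[]]$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                           'CONTOSO\Domain Admins'),       # placeholder domain
    [switch]$Repair
)

function Get-AclDrift {
    param([string]$Path, [string]$Owner, [string[]]$Allowed)
    # Rights that let a principal rewrite the DACL or take ownership.
    $risky = [int]([System.Security.AccessControl.FileSystemRights]::ChangePermissions) -bor
             [int]([System.Security.AccessControl.FileSystemRights]::TakeOwnership)
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Owner drift: the thread reports the owner changing to the logged-on user.
        if ($acl.Owner -ne $Owner) {
            [pscustomobject]@{ Path = $item.FullName; Issue = 'Owner'; Detail = $acl.Owner }
        }
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and
                (([int]$ace.FileSystemRights) -band $risky) -and
                ($Allowed -notcontains $who)) {
                [pscustomobject]@{ Path = $item.FullName; Issue = 'CanChangeAcl'
                                   Detail = "$who : $($ace.FileSystemRights)" }
            }
        }
    }
}

$drift = @(Get-AclDrift -Path $Root -Owner $ExpectedOwner -Allowed $Trusted)
$drift | Format-Table -AutoSize -Wrap

if ($Repair -and $drift.Count -gt 0) {
    # Order matters: ownership first, then the ACL reset.
    takeown.exe /F $Root /R /A /D Y | Out-Null      # /A = owner becomes Administrators group
    icacls.exe "$Root\*" /reset /T /C /Q            # children re-inherit from $Root
}
```

Run it without `-Repair` first to see which files have drifted. Inherit-only ACEs that use generic rights are not flagged on the folder itself; the rights they confer show up on the child objects.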
 
