Setting directory permissions


Bonno Bloksma


For a login log file on the local machine to track some login problem I need
to have a C:\Temp\ directory where all domain users have read and write
The C:\Temp directory exists as the login script creates it when it's not
there. The problem starts when a different user logs on to a machine and does
not have the right to append to the existing logfile in C:\Temp.

I have a Domain test policy assigned to an OU with a few users and computers
in them.
I have created an entry Computer configuration, Windows settings, Security
settings, File system, where %SystemDrive%\Temp is defined.
I selected C:\Temp but the Policy manager keeps changing it to
%SystemDrive%\Temp but as that is the same... what the heck.

Properties are Configure this file or folder item, Replace existing
permissions..... and when I go to Edit security I see MACHINENAME\Users with
all rights set except Full Control.
So on this machine the rights are as they are supposed to be and the policy
knows about it.

When I log on to a machine in the Test OU the rights for the C:\Temp
directory do NOT change. Nor do they after several reboots and gpupdate
/force attempts.

Entries in this Test policy in the User Configuration part do seem to work
so maybe I need to do something to get the Computer part working. And no...
it is not disabled. ;-)

Do I need to give the computers read rights to the policy or does the SYSTEM
entry take care of that? If I need to add the Domain Computers group with
Read rights then the defaults don't make sense. That way a Computer policy
could never work without changing the default rights.

How can I troubleshoot this?





Make sure that computer accounts that reside in the Test OU have Read and
Apply Group Policy permissions to the GPO in question.
Use RSOP.msc or gpresult to verify that the policy settings actually are
applied to the target computers...




Paul Bergson [MVP-DS]

Have you run RSOP and verified that this is actually set up correctly? This
policy is set to apply at boot up it sounds like, since you have it in the
computer configuration. Are the computers that you want this to apply
against in this OU?

You should grant the machines in the OU that the GPO is applied against read
and apply. I may have misunderstood but to me it sounds like you don't have
this configured correctly.

I would set this up to be on the users OU:
User Configuration \ Windows Settings \ Scripts (Logon/Logoff) \ Logon

Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.
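
The checks suggested in the replies above, as an added PowerShell example that is not part of the original thread. The GPO name 'Test policy' is an assumed placeholder, the gpresult parsing assumes English output, and the first function assumes the GroupPolicy module (RSAT) is installed.

```powershell
# Added example. 'Test policy' is an assumed GPO name; replace with your own.
param(
    [string]$GpoName = 'Test policy',
    [string]$Folder  = "$env:SystemDrive\Temp"
)

# 1. Trustees allowed to apply the GPO. Computer settings are only processed
#    if the computer account is covered, directly or through a group such as
#    Authenticated Users.
function Get-GpoApplyTrustees {
    Import-Module GroupPolicy
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
        ForEach-Object { $_.Trustee.Name }
}

# 2. Where the GPO shows up in the computer-scope gpresult report:
#    under the applied list, under the filtered-out list, or not at all.
function Get-ComputerGpoStatus {
    $report  = gpresult /scope computer /r
    $applied = $false
    foreach ($line in $report) {
        if     ($line -match 'Applied Group Policy Objects') { $applied = $true }
        elseif ($line -match 'were not applied')             { $applied = $false }
        elseif ($line -match [regex]::Escape($GpoName)) {
            if ($applied) { return 'Applied' } else { return 'Filtered out' }
        }
    }
    'Not listed'
}

# 3. What the Users group actually holds on the folder right now,
#    including whether the ACE carries the AppendData right.
function Get-FolderUsersAccess {
    $append = [System.Security.AccessControl.FileSystemRights]::AppendData
    (Get-Acl -Path $Folder).Access |
        Where-Object { $_.IdentityReference -like '*\Users' } |
        Select-Object IdentityReference, AccessControlType, IsInherited,
            @{ n = 'HasAppendData'; e = { [bool]($_.FileSystemRights -band $append) } },
            FileSystemRights
}

# Run on the affected computer from an elevated prompt.
"GPO '$GpoName' for this computer: $(Get-ComputerGpoStatus)"
Get-FolderUsersAccess | Format-Table -AutoSize
# Get-GpoApplyTrustees   # run where the GroupPolicy module is installed
```

A result of 'Filtered out' or 'Not listed' points at GPO permissions or OU placement of the computer account; 'Applied' with an unchanged ACL points at the File system setting itself.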
