+ Post New Thread
Results 1 to 12 of 12
Windows Thread, Setting permissions with Group Policy in Technical; I've been using this for a while to set permissions for SIMS and it's fine but occasionally i encounter issues ...
  1. #1
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,196
    Thank Post
    392
    Thanked 278 Times in 239 Posts
    Rep Power
    74

    Setting permissions with Group Policy

    I've been using this for a while to set permissions for SIMS and it's fine but occasionally i encounter issues in different scenarios.

    I have a GPO that installs an application and sets folder permissions the problem is that sometimes it doesn't set the permissions unless i logon as an admin and run GPUPDATE /FORCE. If the folders are already there is seems to work first time but as the app is installing i suspect the policy is applying before the folder is created, i've even tried rebooting several times and logging on as an admin but it still doesn't apply until i run GPUPDATE /FORCE.

    Is the only way to get this to work to set the GPO to enforce?

    Using 2003 DC's and XP SP2 stations.

    Cheers.

  2. #2

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,241
    Thank Post
    239
    Thanked 1,567 Times in 1,249 Posts
    Rep Power
    339
    How are you setting folder permissions by GPO? In all my sites where they run Sims, I configure permissions on a share called Sims, which is mapped as S:\ to users.

    As my permissions are setup correctly here, I don't have to apply permissions anywhere else.

    Could you explain more specifically what you're trying to achieve?

  3. #3
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,196
    Thank Post
    392
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    Well as all of our users are restricted we have to run SIMSPERM.bat (what a name :-)) to allow write access to certain folders C:\Program Files\SIMS\SIMS .net being one. It also sets write access for a few reg entries if we don't run this SOLUS upgrades fail when run by a teacher.

    Our server share is T: but the permissions are fine there.

    I'm not too worried about SIMS as it works for that (which is confusing) it's for another app that i see the issue.

  4. #4

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,241
    Thank Post
    239
    Thanked 1,567 Times in 1,249 Posts
    Rep Power
    339
    So presumably this SIMSPERM.bat file shares/creates the permissions for you?

    The way I go about it - for Admin users C:\ is visible from My Computer, because of Sims and other poorly written applications they have to use, but for Teachers, C:\ is hidden from My Computer.

    Try adding Domain Users as local administrators, using MMC instead of running that batch file.

  5. #5
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,196
    Thank Post
    392
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    I think we're talking about different problems here.

    I'm not too worried about SIMS as it works for that (which is confusing) it's for another app that i see the issue.
    Try adding Domain Users as local administrators
    That is exactly what i try to avoid.

    SIMS works fine here, our teachers cannot SEE the C: drive it is hidden but they still need write permissions to that folder as the program runs under their security context.

    ------------------------------------------------------------------------------------

    The problem i want to discuss is about the GPO changes not applying sometimes (for other applications) unless i force the GPO, i would like to know if anyone has this feature working without having to force teh policy.
    Last edited by cookie_monster; 25th April 2008 at 02:41 PM.

  6. #6

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    10,991
    Thank Post
    851
    Thanked 2,653 Times in 2,253 Posts
    Blog Entries
    9
    Rep Power
    764
    You can change the rights on that folders using group policy using the below:

    GPO > Computer Config > Security Settings > File System

    Just add something like %PROGRAMFILES%\promissor and edit the applied permissions for it and its sub folders to give the appropriate group full access then you don't need to give them admin rights.



    Is this the way that you have been using cookie_monster, it should not require the running of the simsperm.bat or anything and should apply eventually (3 restarts) without forcing it via gpupdate we have it running successfully like this at one of my schools.
    Last edited by SYNACK; 10th September 2010 at 04:55 PM. Reason: fixed linked picture

  7. 2 Thanks to SYNACK:

    reggiep (10th September 2010), siuko (28th May 2010)

  8. #7
    jmcdermott's Avatar
    Join Date
    Feb 2008
    Location
    Cornwall
    Posts
    170
    Thank Post
    16
    Thanked 42 Times in 34 Posts
    Rep Power
    20
    i had the same problem of teachers logons failing to upgrade sims correctly, think i took the long route to solve it.

    I setup an msi that deploys a regedit to set the machine to auto logon to an administrators account then instead of running explorer.exe runs an vb app that runs sims waits for the logon screen to appear then sets all the reg edits back to normal then resets the machine.

    This is a little dodgy if the user knows too much about windows, they can bring up the task man and start explorer.exe and have administrators rights, but there is a time limit set for the sims install wich auto resets the machine if it is logged on too long.

  9. #8
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,196
    Thank Post
    392
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    @SYNACK: that is exactly how i do it for SIMS and it works every time however this other folder (related to a different application) that i'm trying to apply settings to will not work. The policy is clearly there as if i logon and run gpupdate /force it applies straight away, however if i just keep logging on or rebooting it doesn't apply. I'm sure that at first the policy is applying before the folder is created but I can't see why it doesn't apply at netx reboot after the folder is created.

    I have rebooted a few times but i'm wondering if it doesn't do a full apply for another 90 mins.

    Cheers.
    Last edited by cookie_monster; 25th April 2008 at 03:10 PM.

  10. #9
    jsnetman's Avatar
    Join Date
    Oct 2007
    Posts
    887
    Thank Post
    23
    Thanked 134 Times in 126 Posts
    Rep Power
    39
    I'm not 100% sure about this but do the files have to reside on a domain controller in order to apply permissions through the File System settings in AD.

    I have always copied whatever directory or file to the server and then applied the permissions.

  11. #10

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    10,991
    Thank Post
    851
    Thanked 2,653 Times in 2,253 Posts
    Blog Entries
    9
    Rep Power
    764
    @ cookie_monster - Is the folder created each time the machine is booted, also are you getting any warnings in the event log about policy refresh not being able to happen in the background. Is there anything in the way that the folder is created that would reset the permissions?

  12. #11
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,196
    Thank Post
    392
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    @ jsnetman: You can copy the file structure to the server but you can also create the settings on a workstation using the Security Configuration MMC and import them into Active Directory.


    @ SYNACK: No the software is installed by the same GPO and the folder remains after that. No errors at all in the even log.
    Also after i force the refresh and the policy does it's thing the NTFS permissions remain.


    I'm getting that friday feeling i think i'll continue this investigation on monday. Cheers all :-)
    Last edited by cookie_monster; 25th April 2008 at 03:42 PM.

  13. #12

    Join Date
    Dec 2005
    Posts
    521
    Thank Post
    34
    Thanked 86 Times in 76 Posts
    Rep Power
    39
    Quote Originally Posted by SYNACK View Post
    You can change the rights on that folders using group policy using the below:

    GPO > Computer Config > Security Settings > File System

    Just add something like %PROGRAMFILES%\promissor and edit the applied permissions for it and its sub folders to give the appropriate group full access then you don't need to give them admin rights.
    I know this is bringing up a long dead thread... but OMG THAT IS ONE USEFUL TIP!! Just helped me alot!! Thaaaaaaanks!

SHARE:
+ Post New Thread

Similar Threads

  1. Replies: 0
    Last Post: 19th September 2007, 02:02 PM
  2. Mass setting NTFS permissions
    By localzuk in forum Windows
    Replies: 7
    Last Post: 8th January 2007, 04:23 PM
  3. setting up group policy from scratch
    By projector1 in forum Windows
    Replies: 9
    Last Post: 6th October 2006, 02:57 PM
  4. Non-tech staff setting share permissions
    By ITWombat in forum How do you do....it?
    Replies: 26
    Last Post: 18th July 2006, 10:23 AM
  5. Replies: 4
    Last Post: 21st June 2006, 05:21 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •