I've been using this for a while to set permissions for SIMS and it's fine, but occasionally I encounter issues in different scenarios.
I have a GPO that installs an application and sets folder permissions. The problem is that sometimes it doesn't set the permissions unless I log on as an admin and run GPUPDATE /FORCE. If the folders are already there it seems to work first time, but as the app is installing I suspect the policy is applying before the folder is created. I've even tried rebooting several times and logging on as an admin but it still doesn't apply until I run GPUPDATE /FORCE.
Is the only way to get this to work to set the GPO to enforce?
Using 2003 DCs and XP SP2 stations.
Cheers.

How are you setting folder permissions by GPO? In all my sites where they run Sims, I configure permissions on a share called Sims, which is mapped as S:\ to users.
As my permissions are set up correctly here, I don't have to apply permissions anywhere else.
Could you explain more specifically what you're trying to achieve?
Well, as all of our users are restricted we have to run SIMSPERM.bat (what a name :-)) to allow write access to certain folders, C:\Program Files\SIMS\SIMS .net being one. It also sets write access for a few reg entries. If we don't run this, SOLUS upgrades fail when run by a teacher.
Our server share is T: but the permissions are fine there.
I'm not too worried about SIMS as it works for that (which is confusing), it's for another app that I see the issue.

So presumably this SIMSPERM.bat file shares/creates the permissions for you?
The way I go about it - for Admin users C:\ is visible from My Computer, because of Sims and other poorly written applications they have to use, but for Teachers, C:\ is hidden from My Computer.
Try adding Domain Users as local administrators, using MMC instead of running that batch file.
I think we're talking about different problems here.
"I'm not too worried about SIMS as it works for that (which is confusing) it's for another app that i see the issue."
That is exactly what I try to avoid.
"Try adding Domain Users as local administrators"
SIMS works fine here, our teachers cannot SEE the C: drive it is hidden but they still need write permissions to that folder as the program runs under their security context.
------------------------------------------------------------------------------------
The problem I want to discuss is about the GPO changes not applying sometimes (for other applications) unless I force the GPO. I would like to know if anyone has this feature working without having to force the policy.
Last edited by cookie_monster; 25th April 2008 at 02:41 PM.

You can change the rights on that folder using group policy, using the below:
GPO > Computer Config > Security Settings > File System
Just add something like %PROGRAMFILES%\promissor and edit the applied permissions for it and its sub folders to give the appropriate group full access, then you don't need to give them admin rights.
Is this the way that you have been using, cookie_monster? It should not require the running of the simsperm.bat or anything and should apply eventually (3 restarts) without forcing it via gpupdate. We have it running successfully like this at one of my schools.
Last edited by SYNACK; 10th September 2010 at 04:55 PM. Reason: fixed linked picture
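
An added illustration, not part of SYNACK's post or of anyone's actual policy: a File System entry like the one described above is stored in the GPO's security template (GptTmpl.inf) in the form below. The path is the one from the post; Builtin Users (`BU`) standing in for "the appropriate group", and the Administrators and SYSTEM entries, are assumptions.

```ini
; Added example, not from the thread.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
; Each entry is: "path",mode,"SDDL security descriptor"
; mode 0 = configure this folder, then propagate inheritable permissions
;          to all subfolders and files
; mode 2 = replace existing permissions on all subfolders and files
; (A;OICI;FA;;;xx) = allow ACE, inherited by subfolders and files, full access
; BA = Builtin Administrators, SY = Local System, BU = Builtin Users (assumed group)
"%ProgramFiles%\promissor",0,"D:AR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;BU)"
```
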
I had the same problem of teachers' logons failing to upgrade SIMS correctly, think I took the long route to solve it.
I set up an MSI that deploys a regedit to set the machine to auto logon to an administrator's account, then instead of running explorer.exe runs a VB app that runs SIMS, waits for the logon screen to appear, then sets all the reg edits back to normal, then resets the machine.
This is a little dodgy if the user knows too much about Windows, they can bring up the task man and start explorer.exe and have administrator's rights, but there is a time limit set for the SIMS install which auto resets the machine if it is logged on too long.
@SYNACK: that is exactly how I do it for SIMS and it works every time, however this other folder (related to a different application) that I'm trying to apply settings to will not work. The policy is clearly there, as if I log on and run gpupdate /force it applies straight away, however if I just keep logging on or rebooting it doesn't apply. I'm sure that at first the policy is applying before the folder is created but I can't see why it doesn't apply at next reboot after the folder is created.
I have rebooted a few times but I'm wondering if it doesn't do a full apply for another 90 mins.
Cheers.
Last edited by cookie_monster; 25th April 2008 at 03:10 PM.
I'm not 100% sure about this, but do the files have to reside on a domain controller in order to apply permissions through the File System settings in AD?
I have always copied whatever directory or file to the server and then applied the permissions.

@ cookie_monster - Is the folder created each time the machine is booted? Also, are you getting any warnings in the event log about policy refresh not being able to happen in the background? Is there anything in the way that the folder is created that would reset the permissions?
@ jsnetman: You can copy the file structure to the server but you can also create the settings on a workstation using the Security Configuration MMC and import them into Active Directory.
@ SYNACK: No, the software is installed by the same GPO and the folder remains after that. No errors at all in the event log.
Also, after I force the refresh and the policy does its thing, the NTFS permissions remain.
I'm getting that Friday feeling, I think I'll continue this investigation on Monday. Cheers all :-)
Last edited by cookie_monster; 25th April 2008 at 03:42 PM.