Windows File Permissions

[stitch]

Hi all

I have a slight problem that I hope you can help me with. I have 140 users logging into a single Windows 2003 Active Directory Server. I have desktop folder redirection set to a share and a number of sub folders and this is applied through GPO and I control the display of the icons by using ABE and file permissions on the icons and has been running great for the last 10 Months. We have a number of PCs that are connected to Interactive Whiteboards and I would like to add a group of PCs to the shortcut ACL so that when any user logs in on a Whiteboard PC the application shortcut will be added. When I give the user rights to the shortcut, the icon appears on the users desktop, but when I give the computer object rights, and go to the client machine, it does not seem to have rights to the file.

Any ideas would be greatly appreciated.

[bjones]

Hmm... I might be able to help you if you can clear up a few things for me. I will probably feel stupid once you tell me.... What do you mean you are using ABE to control the display of the icons? Is ABE a type of security software? By the way I am a computer technician at an elementary school. We are using AD and have Activ Boards in every classroom.

[srochford]

ABE - access based enumeration - means that you only see icons/folders which you are allowed to read. Introduced with 2003 SP1 (I think) and gives you what Netware had years ago!

Can be useful because instead of people clicking on things and saying "why doesn't this work" they just don't see things they're not allowed to open.

To answer Stitch's question - that's the way it's supposed to work. Destkop icons are user icons, not computer icons so allowing the computer access just isn't going to work.

If you're redirecting everyone's desktop then you're stuck - you can't just add an icon based on computer name because all the icons are in one place.

What you need to do is to enable a different desktop for an OU worth of computers (and that OU will contain your whiteboard machines). This is harder than you want it to be because you are going to put the computers in an OU but you want the settings to apply to users - you do this using "loopback processing" - but (and it's a BIG BUT!) - this can cause other problems!

I would just have the icon on the desktop for everyone but point it to a script which checks the name of the PC and says "Sorry, no whiteboard here" or runs the software - the way we do it is here: http://techinfo.cnwl.ac.uk/Windows%2...%20program.htm

[stitch]

Thanks for the replies both of you, I will give this a go, srochford.