You can use group policies to set access rights to directories or files on multiple computers. They not only spare you the interactive configuration but also ensure that the permissions do not drift from the desired state later on.

For most directories installed by the operating system, there is usually no need to change the permissions. An exception is a vulnerability such as CVE-2021-36934 ("HiveNightmare"), where critical files such as the SAM, SYSTEM and SECURITY registry hives under %windir%\system32\config could be read by non-administrators because their default access rights were too permissive. In such a case, you can use a GPO as a workaround to put the permissions back into a secure state on all affected PCs. Note that for HiveNightmare this alone is not sufficient: Microsoft's workaround additionally requires deleting existing VSS shadow copies, because they still contain the hive files with the old permissions.
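The exposure check and the workaround for HiveNightmare, as an added PowerShell example that is not part of the original article: the hive file names, the well-known SIDs and the icacls/vssadmin commands are Microsoft's, while the function names and the output objects are this example's own. Run it in an elevated session; the GPO counterpart of the icacls step is a File System entry for %SystemRoot%\System32\config that replaces the existing permissions on all files below it.

```powershell
# Added example, not from the original article: audit the CVE-2021-36934
# condition and apply Microsoft's documented workaround. Run elevated.
# Hive file names, SIDs and the icacls/vssadmin commands are Microsoft's;
# the function names and output objects are this example's own.

$HiveDir   = Join-Path $env:windir 'system32\config'
$HiveFiles = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object { Join-Path $HiveDir $_ }
# Principals that must never be able to read the hives: BUILTIN\Users and Everyone.
$LowPrivSids = 'S-1-5-32-545', 'S-1-1-0'
$ReadData    = [System.Security.AccessControl.FileSystemRights]::ReadData

function Test-HiveExposure {
    # One object per hive. Exposed = a low-privilege principal holds an Allow ACE
    # that includes ReadData. Inherited ACEs count too: the attacker only needs
    # the effective right, not an explicit entry.
    foreach ($file in $HiveFiles) {
        $acl   = Get-Acl -LiteralPath $file
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $readers = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]($_.FileSystemRights -band $ReadData) -ne 0) -and
            $_.IdentityReference.Value -in $LowPrivSids
        })
        [pscustomobject]@{
            Path    = $file
            Exposed = ($readers.Count -gt 0)
            Readers = (@($readers | ForEach-Object {
                $_.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
            }) -join ', ')
        }
    }
}

function Get-ShadowCopyCount {
    # Shadow copies still hold the hives with the old ACL, so they are part of
    # the exposure as long as they exist.
    @(Get-CimInstance -ClassName Win32_ShadowCopy).Count
}

function Repair-HiveAcl {
    param([switch]$DeleteShadowCopies)
    # Step 1 of the workaround: re-enable inheritance on every file in config,
    # so the files pick up the folder's ACL again.
    & icacls "$HiveDir\*.*" /inheritance:e | Out-Null
    if ($DeleteShadowCopies) {
        # Step 2: drop the shadow copies. System restore points created before
        # the fix are deleted with them; weigh that before running it.
        & vssadmin delete shadows "/for=$env:SystemDrive" /quiet | Out-Null
    }
    # Re-check so the caller sees the state after the change.
    Test-HiveExposure
}

Test-HiveExposure | Format-Table -AutoSize
"Shadow copies present: $(Get-ShadowCopyCount)"
# Repair-HiveAcl -DeleteShadowCopies
```

Test-HiveExposure reports Exposed = True for a hive whenever BUILTIN\Users or Everyone can read it; Repair-HiveAcl only touches the ACLs unless you pass -DeleteShadowCopies, since that second step is destructive.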

Other use cases

Another use case could be when you create a folder via group policy preferences and want to configure its access rights immediately.

Another example would be an application that runs under a service account and needs access to certain data directories.

Because the security settings client-side extension reapplies a GPO's settings on every refresh (by default, security settings are reapplied every 16 hours even if the GPO has not changed), the desired permissions are maintained permanently, e.g., on file shares with a deep folder structure, and manual changes are corrected automatically. Keep in mind that each refresh rewrites the ACLs of the entire subtree below an entry; on large trees this can take a long time and generate considerable I/O, so scope such entries as narrowly as possible.

Creating a GPO

After you have created a GPO and linked it to the desired OU or domain, open it in the GPO editor and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > File System. From the context menu of File System, select Add File.

Add the file or directory to the GPO for which you want to set the permissions

This opens a dialog box in which you can browse the file system of the admin workstation, which is convenient if the target computers have the same folders. Otherwise, you can type any path into the Folder field, including paths with environment variables such as %SystemRoot%, which are expanded on the target computer.

Select the directory or file for which the access rights are to be configured

After selecting a directory or a file, the Security dialog box appears, as you know it from the properties of a file system object in Explorer. Here, add the required principals and assign them the desired permissions. Accounts or groups that you remove from this list are removed on the target systems as well.

Configuring permissions for the selected directory

Controlling inheritance

If you click Advanced, the advanced security settings open, where you can enable or disable inheritance from the parent folder. After confirming the new permissions, a further dialog asks how the setting is applied to the subtree: Propagate inheritable permissions to all subfolders and files keeps permissions that were assigned directly to subfolders or files and only adds the inheritable entries, whereas Replace existing permissions on all subfolders and files with inheritable permissions overwrites them.

Specify how and whether the changed permissions are passed to the subfolders and files

The third option, Do not allow permissions on this file or folder to be replaced, does the opposite: the selected object is left untouched and is exempted from permissions that an entry for one of its parent folders in the same GPO would otherwise propagate down to it. Use it to protect a subdirectory tree from a broader entry, and configure a separate entry for the permissions of that subtree if they are meant to differ.


After a reboot of the target computers or after running gpupdate /force, the affected files or directories should have the new permissions. To find out which GPO set them (for example, to distinguish them from permissions an admin assigned manually), run gpresult /h report.html on the target: the report lists the File System entries under Security Settings together with the winning GPO. The ACL itself can be checked with icacls or Get-Acl.
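To check on a target computer whether a File System entry has actually taken effect, the following PowerShell script, added here as an example and not part of the original article, parses the [File Security] section in the form the GPO stores it in GptTmpl.inf and compares the SDDL of each entry with the live ACL of the object. The sample section, the folder paths and the function names are constructed for this example; the entry syntax and the mode numbers are those of security templates.

```powershell
# Added example, not from the original article: compare the ACL a GPO File System
# entry defines with the ACL actually present on this computer.
#
# A GPO stores its File System entries in SYSVOL under
# ...\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# in the section [File Security], one line per object:
#   "<path>",<mode>,"<SDDL>"
# mode 0 = propagate inheritable permissions to all subfolders and files
# mode 1 = do not allow permissions on this file or folder to be replaced
# mode 2 = replace existing permissions on all subfolders and files
# The section below is constructed for this example; the paths are hypothetical.

$SampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
"C:\Data\Reports",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
"%SystemDrive%\Data\Logs",0,"D:AR(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;AU)"
'@

function ConvertFrom-FileSecuritySection {
    param([Parameter(Mandatory)][string]$IniText)
    # Yields one object per entry of [File Security]; other sections are skipped.
    $inSection = $false
    foreach ($line in $IniText -split "`r?`n") {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'File Security'); continue }
        if (-not $inSection -or $line -notmatch '^"(?<Path>[^"]+)",(?<Mode>[012]),"(?<Sddl>[^"]*)"\s*$') { continue }
        [pscustomobject]@{
            Path = [Environment]::ExpandEnvironmentVariables($Matches.Path)
            Mode = [int]$Matches.Mode
            Sddl = $Matches.Sddl
        }
    }
}

function ConvertTo-AceString {
    param([Parameter(Mandatory)][System.Security.AccessControl.FileSystemSecurity]$Acl)
    # Canonical string per explicit ACE so that two DACLs can be compared as sets.
    # Inherited ACEs are skipped: the entry writes the object's own DACL, and what
    # comes down from the parent is not part of it.
    $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        ForEach-Object {
            '{0}|{1:x}|{2}|{3}|{4}' -f $_.IdentityReference.Value, [int]$_.FileSystemRights,
                $_.AccessControlType, $_.InheritanceFlags, $_.PropagationFlags
        } | Sort-Object -Unique
}

function Compare-AppliedAcl {
    param([Parameter(Mandatory)]$Entry)
    $result = [ordered]@{ Path = $Entry.Path; Mode = $Entry.Mode; Status = ''; Missing = @(); Unexpected = @() }
    if ($Entry.Mode -eq 1) {
        # Exclusion entry: the policy writes nothing here, so there is nothing to check.
        $result.Status = 'Excluded'
        return [pscustomobject]$result
    }
    if (-not (Test-Path -LiteralPath $Entry.Path)) {
        $result.Status = 'PathMissing'
        return [pscustomobject]$result
    }
    # Build the expected descriptor from the stored SDDL and read the live one.
    $expected = New-Object System.Security.AccessControl.DirectorySecurity
    $expected.SetSecurityDescriptorSddlForm($Entry.Sddl)
    $actual = Get-Acl -LiteralPath $Entry.Path

    $want = @(ConvertTo-AceString -Acl $expected)
    $have = @(ConvertTo-AceString -Acl $actual)
    $result.Missing    = @($want | Where-Object { $_ -notin $have })
    $result.Unexpected = @($have | Where-Object { $_ -notin $want })
    # 'P' in the SDDL (D:P...) means inheritance from the parent is disabled;
    # that flag has to match as well, otherwise inherited ACEs sneak back in.
    $protectedMatches = ($expected.AreAccessRulesProtected -eq $actual.AreAccessRulesProtected)
    $result.Status = if ($result.Missing.Count -eq 0 -and $result.Unexpected.Count -eq 0 -and $protectedMatches) {
        'Compliant'
    } else {
        'Drift'
    }
    [pscustomobject]$result
}

ConvertFrom-FileSecuritySection -IniText $SampleInf |
    ForEach-Object { Compare-AppliedAcl -Entry $_ } |
    Format-List
```

To run it against a real GPO, replace $SampleInf with the content of \\<domain>\SYSVOL\<domain>\Policies\{<GPO-GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf, read with Get-Content -Raw (the file is Unicode with a BOM, which Get-Content handles). A Status of Drift with entries under Unexpected typically means someone added permissions by hand since the last refresh; they will disappear again at the next refresh of the security settings.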

1 Comment
  1. Mark Burns 2 years ago

    How would an end user be able to recognize whether or not a given state of folder/file permissions was set "manually" (at the "retail level"?) by an admin vs. those same settings having been applied by (a presumably more enterprise-level) GPO?

    The root of this question lies in the business-level "how do we know who to call to get this adjusted/changed?" question that often pops up between departmental-level and local-support or enterprise-level-support administrative mechanisms and policies. (You can infer that "enterprise-level" change requests have a higher level of cost in terms of time and effort to get approved and acted upon than would more "locally-administered" mechanisms.)

© 4sysops 2006 - 2023
