NTFS permissions set up in GPM overwrites current permissions

    Question

  • Hi!

    I'm trying to implement a policy in our current environment where NTFS permissions are added to the local drives. I've implemented this by editing the settings in Computer Configuration - Windows Settings - Security Settings - File System. Unfortunately, when I set up the settings, all of the current settings are overwritten when the GPO is applied. I've selected "Propagate inheritable permissions to all subfolders...", but all current permissions are removed and replaced by the settings in the GPO.

    The screenshot below shows the current computer configuration settings within the GPO. http://i.stack.imgur.com/Ksze1.png

    Any idea on the correct implementation I need to use?



    • Edited by SWolfram Tuesday, September 22, 2015 10:35 AM Edited image link
    Friday, September 18, 2015 8:30 AM

Answers

  • Thanks for your help Martin!

    Unfortunately, I've tried to "Include inherited", but the current permissions were still being overwritten.
    I've implemented a workaround by using a PowerShell startup script that adds the permissions. That seemed to do the trick. For anyone that may need it, I've used the following script:

    # Read only the DACL ('Access') of each drive root.
    $C = (Get-Item "C:\").GetAccessControl('Access')
    $D = (Get-Item "D:\").GetAccessControl('Access')
    # Allow read/execute and deny write for the group, inherited by subfolders and files.
    $Exec = New-Object system.security.accesscontrol.filesystemaccessrule("MYDOMAIN\Dir_Local_Drives_R", "readandexecute", "Containerinherit,Objectinherit", "None", "Allow")
    $Deny = New-Object system.security.accesscontrol.filesystemaccessrule("MYDOMAIN\Dir_Local_Drives_R", "write", "Containerinherit,Objectinherit", "None", "Deny")

    # SetAccessRule replaces this group's existing rule of the same type (Allow or Deny)
    # and leaves the entries of other trustees in place.
    $C.SetAccessRule($Exec)
    $C.SetAccessRule($Deny)
    Set-ACL "C:\" $C

    $D.SetAccessRule($Exec)
    $D.SetAccessRule($Deny)
    Set-ACL "D:\" $D

    Tuesday, September 22, 2015 10:34 AM
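
A checked form of the startup-script workaround above, as an added example that is not part of the original post: it merges the two ACEs into the existing DACL, then re-reads the ACL and fails if any pre-existing explicit ACE went missing. `Add-DriveAce` is a hypothetical helper name, and Windows PowerShell 5.1 running elevated is assumed.

```powershell
# Added example (not from the thread). Add-DriveAce is a hypothetical helper name;
# MYDOMAIN\Dir_Local_Drives_R is the placeholder group used in the thread.
# Assumes Windows PowerShell 5.1 running elevated (e.g. as a startup script).
function Add-DriveAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity
    )

    # Render an ACE as a comparable string.
    $key = { param($ace) '{0}|{1}|{2}|{3}|{4}' -f $ace.IdentityReference, $ace.AccessControlType,
             $ace.FileSystemRights, $ace.InheritanceFlags, $ace.PropagationFlags }

    $acl = (Get-Item -LiteralPath $Path).GetAccessControl('Access')

    # Snapshot the explicit ACEs of every other trustee before touching the DACL.
    $before = @($acl.Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -ne $Identity } |
        ForEach-Object { & $key $_ })

    $rules = @(
        [System.Security.AccessControl.FileSystemAccessRule]::new(
            $Identity, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'),
        [System.Security.AccessControl.FileSystemAccessRule]::new(
            $Identity, 'Write', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
    )
    # SetAccessRule replaces this trustee's rules of the same type, so repeated
    # runs do not stack duplicates; other trustees' ACEs are left in place.
    foreach ($rule in $rules) { $acl.SetAccessRule($rule) }

    if ($PSCmdlet.ShouldProcess($Path, "Merge 2 ACEs for $Identity")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    } else { return }

    # Re-read from disk and confirm every pre-existing ACE survived.
    $after = @((Get-Item -LiteralPath $Path).GetAccessControl('Access').Access |
        ForEach-Object { & $key $_ })
    $lost = @($before | Where-Object { $_ -notin $after })
    if ($lost.Count) { throw "ACEs removed from ${Path}: $($lost -join '; ')" }
    "OK: $($before.Count) existing explicit ACEs preserved on $Path"
}

# Try it on a scratch folder first (constructed path), then on the drive roots.
# Add-DriveAce -Path 'C:\Temp\acltest' -Identity 'MYDOMAIN\Dir_Local_Drives_R' -WhatIf
```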

All replies

  • > subfolders...", but all current permissions are removed and replaced by
    > the settings in the GPO.
     
    You have to edit the setting after you created it, then go to advanced
    and check "include inherited".
     
     
    "Image not found"...
     

    Greetings/Grüße, Martin

    Fancy reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Friday, September 18, 2015 10:06 AM
  • > Unfortunately, I've tried to "Include inherited", but the current
    > permissions were still being overwritten.
     
    Yes, that's how it is intended to work. It is "either define it on NTFS
    level or put it all in a GPO", but no mix of both :)
     

    Greetings/Grüße, Martin

    Fancy reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Tuesday, September 22, 2015 11:17 AM