Problem with setting NTFS permissions via GPO

    Question

  • Hello,
    I'm trying to modify the NTFS permissions on a system folder using a GPO.
    Server OS is Windows 2012 R2.
    I want to remove the permissions for the local users group on C:\Windows\system32\config and my GPO looks like that:


    A gpresult shows that the GPO is applied, but the permissions on the config folder are still unchanged, meaning the local users group still has Read and Execute on the folder.
    Any hint is welcome - thanks in advance.

    Jo Mueller


    Jogeli




    • Edited by jogeli Monday, December 5, 2016 6:51 PM
    Monday, December 5, 2016 6:47 PM

Answers

  • > I want to remove the permissions for the local users group on C:\Windows\system32\config and my GPO looks like that:
     
    By default local users have no permissions on that folder... Seems someone in the past modified permissions :)
      NT SERVICE\TrustedInstaller:(CI)(F)
      NT AUTHORITY\SYSTEM:(OI)(CI)(F)
      BUILTIN\Administrators:(OI)(CI)(F)
      CREATOR OWNER:(OI)(CI)(IO)(F)
     
    > A gpresult shows that the GPO is applied but the permissions on the config folder are still unchanged
     
    Does SYSTEM have FULL access? If not, you cannot change ACLs via GPO anymore, but must grant SYSTEM full access manually.
     
    • Marked as answer by jogeli Friday, December 9, 2016 4:16 PM
    Tuesday, December 6, 2016 1:35 PM
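
The check the answer describes, as an added PowerShell example that is not part of the original thread: it reads the folder's DACL by SID, reports whether SYSTEM holds a full-access Allow entry on the folder itself, and lists any entries beyond the four defaults quoted in the answer. The SID table and the `Test-FullAccess` helper are assumptions of this example; run it from an elevated prompt.

```powershell
param([string]$Path = 'C:\Windows\System32\config')

# Well-known SIDs (language independent) for the default entries quoted in the answer.
$Expected = @{
    'S-1-5-18'     = 'NT AUTHORITY\SYSTEM'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-3-0'      = 'CREATOR OWNER'
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' = 'NT SERVICE\TrustedInstaller'
}
$FullControl = 0x1F01FF      # FileSystemRights.FullControl
$GenericAll  = 0x10000000    # GENERIC_ALL, which Get-Acl shows as a raw number

function Test-FullAccess($Rule) {   # hypothetical helper for this example
    $rights = [int]$Rule.FileSystemRights
    (($rights -band $FullControl) -eq $FullControl) -or (($rights -band $GenericAll) -ne 0)
}

$acl   = Get-Acl -LiteralPath $Path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

# Computer policy is applied in the SYSTEM context, so SYSTEM needs an Allow/Full
# entry that applies to the folder itself (PropagationFlags without InheritOnly = 2).
$systemOk = $rules | Where-Object {
    $_.IdentityReference.Value -eq 'S-1-5-18' -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.PropagationFlags -band 2) -eq 0) -and
    (Test-FullAccess $_)
}

# Anything outside the default set (for example BUILTIN\Users, S-1-5-32-545) was added later.
$unexpected = $rules | Where-Object { -not $Expected.ContainsKey($_.IdentityReference.Value) }

"Owner: $($acl.Owner)"
if ($systemOk) {
    'SYSTEM has full access on the folder itself.'
} else {
    'SYSTEM lacks full access on the folder itself; grant it manually before retrying the GPO.'
}

foreach ($r in $unexpected) {
    try   { $name = $r.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '(unresolved)' }
    '{0} [{1}] {2} {3} inherited={4}' -f $name, $r.IdentityReference.Value,
        $r.AccessControlType, $r.FileSystemRights, $r.IsInherited
}
```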

All replies

  • Hi,
    As far as I know, the GPO might not work for setting local user group permissions on the folder. Please try setting the deny permission on the folder for the local user group in the GPO to see whether the permission is changed after the GPO is applied.
    Best regards,
    Wendy
     


    Tuesday, December 6, 2016 7:41 AM
    Moderator
  • Hi Wendy,
    your proposed solution doesn't work, meaning even a deny does not seem to be set on the folder.
    What led you to the statement "GPO might not be working..." - is it a general restriction on 2012 R2?
    Besides the requirement to remove the users group from the ACL for that folder, I have to limit the permissions for that group on some other system folders to Read and Execute only. This also doesn't work.
    Kind regards
    Jo

    Jogeli


    • Edited by jogeli Tuesday, December 6, 2016 1:20 PM
    Tuesday, December 6, 2016 9:18 AM