Issue with GPO for file security permissions

    Question

  • Hi All!

    I need help with the following situation. I'm trying to set security settings for computers with Windows 7 x64 - the targeted folder is in C:\Program Files (x86)\Example. When I do it with a GPO (Computer Configuration > Policies > Windows Settings > Security Settings > File System > Add Files) and I pick up the location from my workstation, the object name gets translated by the group policy to %ProgramFiles%\Example and not to %ProgramFiles(x86)%\Example. I suspect this is because the domain controller is 32-bit Server 2003. I did a test by picking up a folder from C:\Program Files\Test, again the location gets translated to %programfiles%\test - but the security settings do apply!

    What I tried as a workaround is to add a system variable on the domain controller, %programfiles(x86)%=c:\program files (x86), but the group policy doesn't translate it as I wish. Also, I came across this - https://technet.microsoft.com/en-us/library/cc753580.aspx - and tried setting the location, which will be translated by the hosts themselves, not by the group policy - %<programfiles(x86)>%\example, but the GPO didn't apply.

    Any Ideas?

    Thanks,

    DH

    Friday, March 13, 2015 3:06 PM

Answers

  • I never had to deal with this, because we decided not to set file security through GPO. At least not for default folders :)

    You could edit the gpttmpl.inf file in your GPO to change the path afterwards - I'm OOO right now so cannot really verify anything... But AFAIK the file security part has a "split brain" and observes both program files paths on 64 bit OSes.

    Does your GPO apply to the target computers at all? ("gpresult /h report.html" from an elevated prompt)


    Greetings/Grüße, Martin

    Fancy reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:

    • Marked as answer by dhristov Monday, March 16, 2015 7:08 AM
    Friday, March 13, 2015 5:36 PM

All replies

  • Hi Martin,

    this sorted it out for me - I replaced the variable with the absolute path (C:\Program Files (x86)\Example) and the GPO applied.

    Before I changed this, the GPO failed to apply with a "Blocked SOM" error. But when I tested on a folder located in C:\Program Files\ it worked, so... this is the issue, and what you suggested as a workaround works.

    Thanks,

    DH.

    Monday, March 16, 2015 7:22 AM
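
Added example, not code from the thread or from Microsoft: a PowerShell function that lists the [File Security] entries of a GptTmpl.inf and flags paths that still rely on an environment variable such as %ProgramFiles%, the kind of entry that was replaced with an absolute path above. The function name, the sample template content and the SDDL strings are constructed for illustration, and the `"path",mode,"SDDL"` entry layout is an assumption about the template format.

```powershell
# Added example: list [File Security] entries of a GptTmpl.inf and flag
# paths that depend on an environment variable.
function Get-GpoFileSecurityEntry {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Line)

    $inSection = $false
    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Section header: only [File Security] is of interest
            $inSection = ($Matches[1] -eq 'File Security')
            continue
        }
        if (-not $inSection -or $text -eq '' -or $text.StartsWith(';')) { continue }

        # Assumed entry layout: "path",mode,"SDDL"
        if ($text -match '^"(?<path>[^"]+)"\s*,\s*(?<mode>\d+)\s*,\s*"(?<sddl>[^"]*)"$') {
            # Copy the captures before the next -match overwrites $Matches
            $path = $Matches['path']
            $mode = [int]$Matches['mode']
            $sddl = $Matches['sddl']
            [pscustomobject]@{
                Path         = $path
                Mode         = $mode
                Sddl         = $sddl
                UsesVariable = ($path -match '%[^%]+%')
            }
        }
    }
}

# Constructed sample template content (not taken from a real GPO)
$sample = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
"%ProgramFiles%\Example",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"
"C:\Program Files (x86)\Example",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"
'@ -split "`r?`n"

# For a real GPO, read the file instead (placeholders in angle brackets):
# $sample = Get-Content '\\<domain>\SYSVOL\<domain>\Policies\{<GPO-GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'

Get-GpoFileSecurityEntry -Line $sample |
    Select-Object Path, Mode, UsesVariable |
    Format-Table -AutoSize
```

Entries reported with UsesVariable set to True are the ones to check against the folder they actually resolve to on 64-bit clients.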