Internal Order of GPO Settings

    Question

  • I have a GPO that creates a folder. Then it puts permissions onto that folder. 

    What I'm finding is that when I apply this GPO to a server it will create the folder but not apply the permissions. Then when I immediately reboot it will apply the permissions.

    This leads me to believe that the internal order of the GPO is trying to stamp the permissions on the folder before it's created (then the reboot works).

    Is there a way to prioritize the folder creation in that GPO? Or another way to fix this so I don't have to reboot to fix it.

    Thanks

    Wednesday, March 01, 2017 12:36 AM

All replies

  • Hi,

    How did you configure the permission for the folder?

    If you mean the read-only and hidden permission, I have tested for this.

    I configured the action with Update and configured read-only permission for the folder. Then I ran gpupdate /force on the client. I can see the folder is created with the read-only permission.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, March 01, 2017 6:22 AM
    Moderator
  • Hi Jay,

    I set permissions here: Computer Configuration > Policies > Windows Settings > Security Settings > File System.

    Not read-only style attributes, but specific permissions for user accounts etc.

    Thanks,

    Wednesday, March 01, 2017 5:30 PM
  • Hi,

    How did you create the folder by Group Policy?

    Was it by creating a folder under Computer Configuration\Preferences\folder?

    Best Regards,

    Jay



    Friday, March 03, 2017 3:01 AM
    Moderator
  • Hi Jay,

    Yes, that's correct.

    Thanks,

    Friday, March 03, 2017 5:29 PM
  • > This leads me to believe that the internal order of the GPO is trying to stamp the permissions on the folder before it's created (then the reboot works).
     
    Correct. This is the Client Side Extension Processing order. The Folder extension is processed AFTER the security extension. And no, you cannot change this order without breaking things - it relies on the GUID sort order for the CSEs. The only exception is Registry (ADM Templates) which is always processed first. All others are processed alphabetically.
     
    Here you will find a list of all CSEs including their GUIDs in their processing order: http://evilgpo.blogspot.de/2012/11/guids-guids-guids-2.html
     
    If you need more information, you're welcome to ask :-)
     
    Tuesday, March 07, 2017 10:38 AM
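
To check the ordering described in the reply above on a given server, the following added example (not part of the original thread) lists the client-side extensions registered on the local machine, with the Registry CSE first and the rest sorted by GUID. The function name `Get-CseOrder` and the name filter at the end are assumptions made for illustration; the registry path and the Registry CSE GUID are the standard Windows ones.

```powershell
# Added example: list Group Policy client-side extensions (CSEs) in the order
# the reply describes: Registry (ADM Templates) first, all others by GUID.
$GpExtPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$RegistryCse = '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'   # Registry / ADM Templates CSE

function Get-CseOrder {   # hypothetical helper name
    param([string]$Path = $GpExtPath)

    # Each subkey is named after the CSE GUID; its default value is the display name.
    $cses = Get-ChildItem -Path $Path | ForEach-Object {
        [pscustomobject]@{
            Order            = 0
            Guid             = $_.PSChildName.ToUpperInvariant()
            Name             = $_.GetValue('')
            Dll              = $_.GetValue('DllName')
            # 1 = the extension is not called when the GPO list has not changed
            NoGPOListChanges = [bool]$_.GetValue('NoGPOListChanges', 0)
        }
    }

    # Registry CSE sorts first ($false before $true), then plain GUID string order.
    $sorted = $cses | Sort-Object @{ Expression = { $_.Guid -ne $RegistryCse } }, Guid

    $i = 0
    $sorted | ForEach-Object { $i++; $_.Order = $i; $_ }
}

# Full list in processing order.
Get-CseOrder | Format-Table Order, Guid, Name, NoGPOListChanges -AutoSize

# Relative position of the two extensions discussed in this thread.
# Matching on the display name is an assumption; confirm against the GUID column.
Get-CseOrder |
    Where-Object { $_.Name -match 'Security|Folders' } |
    Format-Table Order, Guid, Name -AutoSize
```

Run it in an elevated or normal PowerShell session on the affected server; it only reads the registry and changes nothing.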
  • Hi,

    If the above reply has resolved your problem, please mark it as the answer, as it would be helpful to anyone who encounters a similar problem.

    Thank you.

    Best Regards,

    Jay



    Tuesday, March 14, 2017 8:43 AM
    Moderator
  • Hi,

    Are there any updates?

    Best Regards,

    Jay



    Thursday, March 23, 2017 11:51 AM
    Moderator