none
Internal Order of GPO Settings

    Question

  • I have a GPO that creates a folder. Then it puts permissions onto that folder. 

    What I'm finding is that when I apply this GPO to a server it will create the folder but not apply the permissions. Then when I immediately reboot it will apply the permissions.

    This leads me to believe that the internal order of the GPO is trying to stamp the permissions on the folder before it's created (then the reboot works).

    Is there a way to prioritize the folder creation in that GPO? Or another way to fix this so I don't have to reboot to fix it.

    Thanks

    Wednesday, March 1, 2017 12:36 AM

All replies

  • Hi,

    How did you configure the permission for the folder?

    If you mean the read-only and hidden permission, I have tested for this.

    I configured the action with Update and configured read-only permission for the folder. Then running gpupdate /force on client. I can see the folder is created with the read-only permission.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, March 1, 2017 6:22 AM
    Moderator
  • Hi Jay,

    I set permissions here: Computer Configuration > Policies > Windows Settings > Security Settings > File System.

    Not read only style attributes, but specific permissions for users accounts etc.

    Thanks,

    Wednesday, March 1, 2017 5:30 PM
  • Hi,

    How did you create folder by group policy?

    Just like create folder under Computer Configuration\Preferences\folder

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, March 3, 2017 3:01 AM
    Moderator
  • Hi Jay,

    Yes that's correct.

    Thanks,

    Friday, March 3, 2017 5:29 PM
  • > This leads me to believe that the internal order of the GPO is trying to stamp the permissions on the folder before it's created (then the reboot works).
     
    Correct. This is the Client Side Extension Processing order. The Folder extension is processed AFTER the security extension. And no, you cannot change this order without breaking things - it relies on the GUID sort order for the CSEs. The only exception is Registry (ADM Templates) which is always processed first. All others are processed alphabetically.
     
    Here you will find a list of all CSEs including their GUIDs in their processing order: http://evilgpo.blogspot.de/2012/11/guids-guids-guids-2.html
     
    If you need more information, you're welcome to ask :-)
     
    Tuesday, March 7, 2017 10:38 AM
  • Hi,

    If the above reply has resolved your problem, please mark it as answer as it would be helpful to anyone who encounters the similar problem.

    Thank you.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, March 14, 2017 8:43 AM
    Moderator
  • Hi,

    Are there any updates?

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, March 23, 2017 11:51 AM
    Moderator