Deploying NTFS permissions settings with group policy?

Discussion in 'Operating Systems' started by loss4words, Nov 27, 2011.

  1. loss4words

    Hi everybody,

    I wanted to lock down the desktops of computers on the domain with deny write NTFS permissions so that users can't save their documents on the desktop, but there are too many computers for me to go and do it manually to each one. Is there any way I can push the NTFS deny settings that I need with group policy?
     
  2. techtips

    I've played around with this a bit before. I think you can create a group policy and add the computer objects to that policy. It won't matter where the computers are located in AD as long as they are added to the GPO.

    I believe this is how you would go about doing it, but I haven't done it for a while so I am sure somebody else will pop in to correct this.
     
  3. mmtom

    I'd be careful deploying NTFS permissions via GPO. If I recall, GPOs with NTFS settings will reapply the setting every time the GPO refreshes, or the user logs on, regardless of whether the permission has changed. Also, since users own their profile, I believe they could simply take ownership of the files and change NTFS permissions.

    Can I ask why you're trying to prevent them from saving to the desktop? You could always use profile redirection to redirect to a network share.
     
  4. bigdogchris

    There is the 'apply once' option for some items.
     
  5. MrGuvernment

    Could be for organization, and so you don't have to do folder redirects of every directory on a computer; it forces people to save things to the folders they should be saved to. But then what is to stop someone from saving files to C:\ or another directory...
     
  6. Demon10000

    IIRC, the setting you are looking for is under the security settings on the computer policy. Seems like it could cause problems down the road, so I would test this pretty good before rolling it out.

    If you are trying to prevent lost data, you may want to look at folder redirection instead. I redirect this folder in my terminal server farm and it works well.
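
Added example, not part of the original thread: a PowerShell audit for the caveat raised in post 3, reporting whether a folder carries a deny-write ACE and whether the denied account is also the folder's owner. The helper name `Get-DesktopAclReport` and the scratch folder `DesktopAclDemo` are assumptions made for illustration.

```powershell
# Added example, not from the thread. Get-DesktopAclReport is a hypothetical helper.
function Get-DesktopAclReport {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # 'Write' = WriteData, AppendData, WriteAttributes, WriteExtendedAttributes
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write

    # Explicit or inherited deny ACEs that block any of the write rights
    $deny = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0)
    })
    $deniedIds = @($deny | ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique)

    [pscustomobject]@{
        Path             = $Path
        Owner            = $acl.Owner
        DenyWriteAces    = $deny.Count
        DeniedIdentities = $deniedIds -join ', '
        # The owner of an object can normally rewrite its DACL, so a deny ACE
        # aimed at the owner is not a durable control.
        OwnerIsDenied    = $deniedIds -contains $acl.Owner
    }
}

# Constructed demo: a scratch folder standing in for a user's Desktop.
$demo = Join-Path $env:TEMP 'DesktopAclDemo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Deny write for the current account, inherited by subfolders and files
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $me, 'Write', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
$acl = Get-Acl -LiteralPath $demo
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $demo -AclObject $acl

Get-DesktopAclReport -Path $demo | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force
```

`OwnerIsDenied` compares account names only and does not expand group membership, so in an elevated session where the folder is owned by the Administrators group it reports `False` even though the denied user is a member.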