Deploying NTFS permissions settings with group policy?

[loss4words]

Hi everybody,

I wanted to lock down the desktops of computers on domain with deny write NTFS permsisions so that users can't save their documents on the desktop, but there are too many computers for me to go and do it manually to each one. Is there anyway I can push the NTFS deny settings that I need with group policy?

 

[techtips]

I've played around with this a bit before, I think you can greate a group policy, and add the computer objects to that policy. It won't matter where the computer are located in AD as long as they are added to the GPO.

I believe this is how you would go about doing it, but I haven't done it for a while so I am sure sombody else will pop in to correct this.

 

[mmtom]

I'd be careful deploying NTFS permissions via GPO. If I recall, GPOs with NTFS settings will reapply the setting every time the GPO refreshes, or the user logs on, regardless of whether the permission has changed. Also, since users own their profile, I believe they could simply take ownership of the files and change NTFS permissions.

Can I ask why you're trying to prevent them from saving to the desktop? You could always use profile redirection to redirect to a network share.

 

[bigdogchris]

There is the 'apply once' option for some items.

 

[MrGuvernment]

could be for organization and so you dont have to do folder redirects of every directory on a ocmputer, forces people to save things to the folders they should be saved to, but then what is to stop someone from saving files to C:\ or another directory...

 

[Demon10000]

Iirc, the setting you are looking for is under the security settings on the computer policy. Seems like it could cause problems down the road, so I would test this pretty good before rolling it out.

If you are trying to prevent lost data, you may want to look at folder redirection instead. I redirect this folder in my terminal server farm and it works well.