Discussion:
File Permissions won't apply via GPO
(too old to reply)
Tim
2007-09-17 17:20:03 UTC
Permalink
I'm deploying an application via policy and it deploys just fine. I am also
setting file and registry permissions to files on that same application with
the same policy. However, I can't get the permissions to apply. I've run
gpupdate, rebooted, waited, etc. I can't seem to figure out a way to get
these permissions to apply.

Example path:
%SystemRoot%\system32\config\systemprofile\Local Settings\Application
Data\Imaginova Canada\
Permission setting: Domain Users Read/Execute.

I can understand the permission not applying on the first go round, but
after gpupdate and a reboot, they should be applied to them since the files
will then be available. It seems like if work it enough, something will
cause the permissions to apply because they will all of a sudden appear. I
don't know what I've done to cause them to be applied. Maybe it requires a
full moon or something.

Any ideas would be appreciated.

Tim
Anthony
2007-09-17 22:46:19 UTC
Permalink
Tim,
File and registry security settings don't apply reliably on files and keys
that don't exist at the time the policy is applied.
If they don't exist, the policy exits with success, and does not try again.
If you cause the policy to not apply, and then to apply again after the file
or key is created, it will work.
Anthony,
http://www.airdesk.co.uk
Post by Tim
I'm deploying an application via policy and it deploys just fine. I am also
setting file and registry permissions to files on that same application with
the same policy. However, I can't get the permissions to apply. I've run
gpupdate, rebooted, waited, etc. I can't seem to figure out a way to get
these permissions to apply.
%SystemRoot%\system32\config\systemprofile\Local Settings\Application
Data\Imaginova Canada\
Permission setting: Domain Users Read/Execute.
I can understand the permission not applying on the first go round, but
after gpupdate and a reboot, they should be applied to them since the files
will then be available. It seems like if work it enough, something will
cause the permissions to apply because they will all of a sudden appear.
I
don't know what I've done to cause them to be applied. Maybe it requires a
full moon or something.
Any ideas would be appreciated.
Tim
Tim
2007-09-18 11:48:01 UTC
Permalink
What do you mean by "cause the policy not to apply"? Do mean to unlink it
for a time and then link it again? Would it be better to create a seperate
policy for the securty settings? If that be the case, can you really control
the order in which policy is applied?

Thanks,
Tim
Post by Anthony
Tim,
File and registry security settings don't apply reliably on files and keys
that don't exist at the time the policy is applied.
If they don't exist, the policy exits with success, and does not try again.
If you cause the policy to not apply, and then to apply again after the file
or key is created, it will work.
Anthony,
http://www.airdesk.co.uk
Post by Tim
I'm deploying an application via policy and it deploys just fine. I am also
setting file and registry permissions to files on that same application with
the same policy. However, I can't get the permissions to apply. I've run
gpupdate, rebooted, waited, etc. I can't seem to figure out a way to get
these permissions to apply.
%SystemRoot%\system32\config\systemprofile\Local Settings\Application
Data\Imaginova Canada\
Permission setting: Domain Users Read/Execute.
I can understand the permission not applying on the first go round, but
after gpupdate and a reboot, they should be applied to them since the files
will then be available. It seems like if work it enough, something will
cause the permissions to apply because they will all of a sudden appear.
I
don't know what I've done to cause them to be applied. Maybe it requires a
full moon or something.
Any ideas would be appreciated.
Tim
Tim
2007-09-18 12:46:02 UTC
Permalink
Just an fyi- the permissions applied overnight for whatever reason.
Yesterday multiple reboots and gpupdates would not resolve but waiting did.
Patience grasshopper, patience...
Post by Tim
What do you mean by "cause the policy not to apply"? Do mean to unlink it
for a time and then link it again? Would it be better to create a seperate
policy for the securty settings? If that be the case, can you really control
the order in which policy is applied?
Thanks,
Tim
Post by Anthony
Tim,
File and registry security settings don't apply reliably on files and keys
that don't exist at the time the policy is applied.
If they don't exist, the policy exits with success, and does not try again.
If you cause the policy to not apply, and then to apply again after the file
or key is created, it will work.
Anthony,
http://www.airdesk.co.uk
Post by Tim
I'm deploying an application via policy and it deploys just fine. I am also
setting file and registry permissions to files on that same application with
the same policy. However, I can't get the permissions to apply. I've run
gpupdate, rebooted, waited, etc. I can't seem to figure out a way to get
these permissions to apply.
%SystemRoot%\system32\config\systemprofile\Local Settings\Application
Data\Imaginova Canada\
Permission setting: Domain Users Read/Execute.
I can understand the permission not applying on the first go round, but
after gpupdate and a reboot, they should be applied to them since the files
will then be available. It seems like if work it enough, something will
cause the permissions to apply because they will all of a sudden appear.
I
don't know what I've done to cause them to be applied. Maybe it requires a
full moon or something.
Any ideas would be appreciated.
Tim
Anthony
2007-09-18 14:01:33 UTC
Permalink
Hi Tim,
The problem is that you really want the settings to apply only after the
software has been installed. You can't apply that sort of conditional logic
in a policy. What will you do, for example, when you install the software on
another computer? In a small setup you can get away with manually unlinking
and linking the settings policy, or disable and re-enable. Otherwise you
might be better off with a script.
Anthony,
http://www.airdesk.co.uk
Post by Tim
What do you mean by "cause the policy not to apply"? Do mean to unlink it
for a time and then link it again? Would it be better to create a seperate
policy for the securty settings? If that be the case, can you really control
the order in which policy is applied?
Thanks,
Tim
Post by Anthony
Tim,
File and registry security settings don't apply reliably on files and keys
that don't exist at the time the policy is applied.
If they don't exist, the policy exits with success, and does not try again.
If you cause the policy to not apply, and then to apply again after the file
or key is created, it will work.
Anthony,
http://www.airdesk.co.uk
Post by Tim
I'm deploying an application via policy and it deploys just fine. I am also
setting file and registry permissions to files on that same application with
the same policy. However, I can't get the permissions to apply. I've run
gpupdate, rebooted, waited, etc. I can't seem to figure out a way to get
these permissions to apply.
%SystemRoot%\system32\config\systemprofile\Local Settings\Application
Data\Imaginova Canada\
Permission setting: Domain Users Read/Execute.
I can understand the permission not applying on the first go round, but
after gpupdate and a reboot, they should be applied to them since the files
will then be available. It seems like if work it enough, something will
cause the permissions to apply because they will all of a sudden appear.
I
don't know what I've done to cause them to be applied. Maybe it
requires
a
full moon or something.
Any ideas would be appreciated.
Tim
Loading...