Home / server / Questions / 963334
Accepted
Appleoddity
Asked: 2019-04-17 07:47:26 +0800 CST

Using a user scoped GPO to create a folder and set permissions

  • 772

Using user scoped group policy preferences, we are creating a home folder for new users on the server. This home folder inherits "CREATOR OWNER" permissions from the root home share. Now, we want to create a second folder under the Home folder called Scans. But, we want to change the permissions of that folder so that the user has full control over the subfolders and files - we do not want to just inherit "CREATOR OWNER" permissions. The problem is that the scanner drops files in to that folder and it becomes the owner of the file causing the user to lose access to it.

I'm curious of what ideas are out there on how to do this?

I think I know what options I have, and none of them are optimal. First of all, I am not aware of a group policy preference item for users that can set file/folder permissions - they are all computer scoped, which does not work in this case. In addition, login script execution order comes before group policy preference folder items which would require at least 2 GPOs to work around and I hate login scripts in this day and age.

So, the goal would be to NOT use login scripts, to use a single GPO item, and to have it fully configured during the first logon (without having to logon twice, or wait for gp refresh, etc.)

For the time being the only solution I can come up with would use a single GPO with a login script to set permissions at the user level. So, ultimately, it's looking like the best way is to just create a login script that creates the home folder, creates the scans folder, then sets the permissions. But, that is SO ugly and it is also a pain because our GPOs are using item level targeting for several different reasons and login scripts don't support item-level targeting.

permissions

1 Answers

  1. Best Answer

    So, the goal would be to NOT use login scripts, to use a single GPO item, and to have it fully configured during the first logon (without having to logon twice, or wait for gp refresh, etc.)

    After much personal turmoil, and no answer to this question, I came up with what I believe is the best possible solution apart from going full on login script.

    I was able to expand the existing GPO I have which currently creates both the user's home folder and the Scans folder under the user's home folder. I then added a login script to this GPO, and configured it like so:

    Name: %WINDIR%\System32\cmd.exe
Paramaters: /c icacls.exe H:\Scans /grant %USERDOMAIN%\%USERNAME%:(OI)(CI)(IO)(F)

    There are a couple things that happen that make this possible:

    • Windows 8.1 and newer delay login scripts by 5 minutes (the newest versions of Windows 10 appear to force this regardless of GPO) - therefore it meets the requirement that this happens on the first login.
    • Another GPO connects the user's home folder to H: first. Our users have different home servers and therefore I am not able to use a general UNC path. All users have an H: drive though. Using GPO priority, this GPO runs after the GPO that creates the folders and runs the login script.

    Unfortunately, it does use a "login" script, but it is calling the command directly rather than having to create a script file and run it from a shared location. And, it is dependent on a second GPO (which we already had). This could be combined in to a single GPO, but then it would require two logins to complete because group policy drive maps apply before group policy folders if they are combined in the same GPO.

    Once this is completed, this is what happens when a user logs in for the first time:

    1. GPO #1 runs and creates the user's home folder and scans folder.
    2. GPO #2 runs and maps the user's home folder to H:\
    3. 5 Minutes later the login script in GPO #1 executes and updates the permissions for the user's scan folder.
    • 1