Group:  English: General » microsoft.public.windows.group_policy
Thread: Folder Security sporadically working

Folder Security sporadically working
theta12 <theta12[ at ]gmail.com> 13.07.2007 20:39:53
I'm trying to lock down the desktop folder of all users on machines by
OU. Because of the complexity of our organization, desktop folder
redirection, mandatory profiles and roaming profiles are not an option
so I went with a File Security GPO via Active Directory for
simplicity. I'm trying to set the permissions for domain users and
not local users. The GPO sets file rights on the following folders:

%AllUsersProfile%\Desktop
%SystemDrive%\Documents and Settings\Default User\Desktop
%UserProfile%\Desktop

When I look at my pc's, the All User's and Default User folders have
the correct file permissions set on them. However, the UserProfile
\Desktop sometimes works and sometimes doesn't. My understanding was
that when a new profile is created, it should make a copy of default
user profile and apply that. Even if that's not the case and the
account already exists, when the PC boots up it should at least set
file permissions on one of the user's desktop folders (I'm assuming
the last cached value in the registry) but even that doesn't work. I
can't seem to figure out a rhyme or reason why it does or does not
apply the %userprofile% file security. I'll reboot a machine 10 times
and it will never apply the security to any user profiles but I'll
reboot the machine right next to that one and it will apply the
security correctly.

All PC's are XP SP2 on a Windows 2003 domain, are all part of the same
OU, and patched to the same level. There is no firewall on the pc's
either. All my other policies are applying correctly so I know it's
not a rights issue, connectivity issue or network issue. There are no
errors in any of the event logs. What am I missing?

Re: Folder Security sporadically working
"Roger Abell [MVP]" <mvpNoSpam[ at ]asu.edu> 13.07.2007 22:42:40
Frankly I am surprised that you are seeing the %UserProfile%\Desktop
part get applied correctly at all. GPO based filesystem permissions are
a Computer level policy, applied by the system without access to the
user's session and value of %UserProfile%.
Perhaps you should look into why it seems like it works sometimes?!!
You might want to approach this via a startup or shutdown script that
looks at the existing dirs just under Documents and Settings and does
a test/set of each one's Desktop folder.


"theta12" <theta12[ at ]gmail.com> wrote in message
news:1184359193.437958.11260[ at ]m3g2000hsh.googlegroups.com...
> I'm trying to lock down the desktop folder of all users on machines by
> OU. Because of the complexity of our organization, desktop folder
> redirection, mandatory profiles and roaming profiles are not an option
> so I went with a File Security GPO via Active Directory for
> simplicity. I'm trying to set the permissions for domain users and
> not local users. The GPO sets file rights on the following folders:
>
> %AllUsersProfile%\Desktop
> %SystemDrive%\Documents and Settings\Default User\Desktop
> %UserProfile%\Desktop
>
> When I look at my pc's, the All User's and Default User folders have
> the correct file permissions set on them. However, the UserProfile
> \Desktop sometimes works and sometimes doesn't. My understanding was
> that when a new profile is created, it should make a copy of default
> user profile and apply that. Even if that's not the case and the
> account already exists, when the PC boots up it should at least set
> file permissions on one of the user's desktop folders (I'm assuming
> the last cached value in the registry) but even that doesn't work. I
> can't seem to figure out a rhyme or reason why it does or does not
> apply the %userprofile% file security. I'll reboot a machine 10 times
> and it will never apply the security to any user profiles but I'll
> reboot the machine right next to that one and it will apply the
> security correctly.
>
> All PC's are XP SP2 on a Windows 2003 domain, are all part of the same
> OU, and patched to the same level. There is no firewall on the pc's
> either. All my other policies are applying correctly so I know it's
> not a rights issue, connectivity issue or network issue. There are no
> errors in any of the event logs. What am I missing?
>
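
A sketch of the startup-script approach suggested in the reply above, as an added example that is not code from either poster. It walks the profile directories under Documents and Settings and does a test/set of each Desktop folder's ACL. The identity `EXAMPLE\Domain Users` and the deny-write rights are assumptions standing in for whatever permissions the GPO was meant to apply, and the script assumes PowerShell is installed on the XP clients and that it runs as a computer startup script.

```powershell
# Added example: test/set the ACL on every existing profile's Desktop folder.
# ASSUMPTIONS (not from the thread): the identity and the rights below are
# placeholders for the permissions the File Security GPO was meant to apply.
$Identity = 'EXAMPLE\Domain Users'
$Rights   = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'
$Inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop     = [System.Security.AccessControl.PropagationFlags]::None
$Deny     = [System.Security.AccessControl.AccessControlType]::Deny
$SidType  = [System.Security.Principal.SecurityIdentifier]

# Resolve the account to a SID once, so the test does not depend on name formatting.
$sid  = (New-Object System.Security.Principal.NTAccount($Identity)).Translate($SidType)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $Rights, $Inherit, $Prop, $Deny)

# These two are already handled correctly by the GPO according to the thread.
$Skip = 'All Users', 'Default User'
$root = Join-Path $env:SystemDrive 'Documents and Settings'

Get-ChildItem $root |
    Where-Object { $_.PSIsContainer -and $Skip -notcontains $_.Name } |
    ForEach-Object {
        $desktop = Join-Path $_.FullName 'Desktop'
        if (-not (Test-Path $desktop)) { return }   # profile without a Desktop folder

        $acl = Get-Acl $desktop

        # Test: is there already an explicit (non-inherited) deny ACE for this SID
        # that covers every right we want to deny?
        $present = $acl.GetAccessRules($true, $false, $SidType) | Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq $Deny -and
            ([int]$_.FileSystemRights -band [int]$Rights) -eq [int]$Rights
        }

        if ($present) {
            Write-Output "OK   $desktop"
        } else {
            # Set: add the ACE and write the ACL back.
            $acl.AddAccessRule($rule)
            Set-Acl -Path $desktop -AclObject $acl
            Write-Output "SET  $desktop"
        }
    }
```

Because the script enumerates folders that exist at boot, a profile created at first logon is only covered from the next startup onward.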

