Re: File System Security Setting Causes Slow Logon

From: BlenderStyle (BlenderStyle_at_discussions.microsoft.com)
Date: 11/18/05


Date: Thu, 17 Nov 2005 16:15:02 -0800

That's exactly what I did and it worked! I created an OU called WinXP and a
sub-OU called WinXP_FS where I applied the File System Security Policy. I
just move a machine to the WinXP_FS OU, reboot it, wait for the NTFS
permissions to change and for winlogon.log to report it's finished and then I
move the machine up a level to WinXP to stop receiving the File System
Security Policy. As far as I can tell this has been an excellent solution for
my problem. Thanks, Roger and Karl for your help.

By the way, in my File System Security Policy I also define registry
permissions. This solution works well for that too. One thing, this doesn't
work for the root of the file system (C:\) so keep that in mind if any of you
are doing this.

"Roger Abell [MVP]" wrote:

> You may find that a better approach would be such as use of a temp
> sub-OU with GPO that carries the file system permissioning.
> IMO the intent of filesystem ACLs in GPO is for only the very important
> storage areas for which you have need to guarantee the DACL/SACL
> will be just so, and if changed locally will again become just so.
> You are likely seeing the occasional slow login because the GPO that
> carries the filesystem ACLing is seen to have a new version number,
> and so it gets pulled from the DC and reapplied.
> Moving a machine to which filesystem ACLing has been applied in this
> way out from under the scope of the applying GPO will not result in
> the ACLing reverting. It gets imprinted into the filesystem, unlike GPO
> based Security Settings for which the "Policy" reg keys are defined to
> allow avoidance of the imprinting effect. Hence, the opening suggestion
> of a temp sub-OU used just to set the ACLing, so that in its normal
> state (OU location) the occasional slowdown is not seen, again,
> assuming your objective is not to enforce guarantee of just so.
>
> --
> Roger Abell
> Microsoft MVP (Windows Server : Security)
> MCDBA, MCSE W2k3+W2k+Nt4
> "BlenderStyle" <BlenderStyle@discussions.microsoft.com> wrote in message
> news:5C619F11-B405-46F4-96A5-78A5489B872A@microsoft.com...
> > I'm using a group policy object that sets Computer Configuration\Windows
> > Settings\Security Settings\File System. I use this because there were some
> > problems with applications not working without write access to certain
> > folders (including the Windows folders). I wanted to set the permissions on
> > several machines at once so I put them all in an Organizational Unit, applied
> > my Group Policy, and rebooted the machines. They took a long time to login
> > (because it was setting the new NTFS permissions) but it worked. They logged
> > in again and it was normal speed. Now for the problem.
> >
> > Every so often when someone logs on to one of these machines it will take a
> > long time to logon. This doesn't happen all the time, just occasionally. I'm
> > assuming the cached settings on the machine need to be updated from the
> > domain so it reapplies the settings, thus reapplying the new NTFS
> > permissions.
> >
> > Is there another Group Policy setting that will override this? If I move
> > these machines to a different OU without File System Security Settings will
> > it keep the settings applied by my GPO even though it's no longer being
> > applied? Is there a better way to set a bunch of NTFS permissions on remote
> > machines?
>
>
>
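
One way to check the behaviour discussed in this thread, as an added example that is not part of the original posts: record the DACLs while the machine is still in the temporary sub-OU, then compare after it has been moved back up and rebooted. The target paths, the baseline file location and the `Get-DaclRecord` helper are assumptions for illustration, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the thread). Run once with -Mode Snapshot while the
# policy is applied, then with -Mode Compare after moving the machine out.
param(
    [ValidateSet('Snapshot', 'Compare')]
    [string]$Mode = 'Snapshot',
    [string]$BaselineFile = "$env:TEMP\acl-baseline.csv"   # hypothetical location
)

# Objects the File System / Registry policy is expected to have stamped.
# Both entries are placeholders; list the paths your own GPO defines.
$targets = @(
    'C:\Program Files\ExampleApp',      # hypothetical folder
    'HKLM:\SOFTWARE\ExampleVendor'      # hypothetical registry key
)

function Get-DaclRecord {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            # Record missing objects explicitly so they show up in the diff.
            [pscustomobject]@{ Path = $p; Dacl = '<missing>' }
            continue
        }
        $acl = Get-Acl -LiteralPath $p
        [pscustomobject]@{
            Path = $p
            # DACL only, in SDDL form, so owner/SACL differences do not add noise.
            Dacl = $acl.GetSecurityDescriptorSddlForm('Access')
        }
    }
}

$current = Get-DaclRecord -Path $targets

if ($Mode -eq 'Snapshot') {
    $current | Export-Csv -Path $BaselineFile -NoTypeInformation
    "Baseline written to $BaselineFile"
}
else {
    $baseline = @{}
    Import-Csv -Path $BaselineFile | ForEach-Object { $baseline[$_.Path] = $_.Dacl }
    foreach ($rec in $current) {
        $status = if (-not $baseline.ContainsKey($rec.Path)) { 'NOT IN BASELINE' }
                  elseif ($baseline[$rec.Path] -ceq $rec.Dacl) { 'unchanged' }
                  else { 'CHANGED' }
        [pscustomobject]@{ Path = $rec.Path; Status = $status }
    }
}
```

Any `CHANGED` row after the move means something other than the removed GPO has rewritten that DACL, since the policy itself no longer applies.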


