Assigning permissions for each file and folder individually can be complex and time consuming. To avoid going through the annoyances of changing permissions for a bunch of folders individually, we can use Group Policy to do it. In this article, you will see the process of assigning file and folder permissions across a domain through GPO. These instructions can be extremely helpful, and save your time if you have to assign permissions to a large number of systems with a common setup. Later in the article, you will also see the way to audit permission changes and to audit other changes in File Server through LepideAuditor.
1. Go to “Start Menu” ➔ “Administrative Tools”, and click “Group Policy Management” to access its console.
2. In left panel of “Group Policy Management Console”, you have to create a new Group Policy Object or edit an existing Group Policy Object.
3. To create a new GPO, right click “Group Policy Objects”, and select “New” from the context menu. It shows “New GPO” window.
4. Enter a name for the Group Policy Object (GPO) (in this case it is Assigning Folder Permissions), leave “Source Starter GPO” as “(none)”.
5. Right-click on the newly created "User Folder Permissions" GPO, and select “Edit GPO”. Group Policy Management Editor window appears on the screen.
6. Navigate to “Computer Configuration” ➔ “Policies” ➔ “Windows Settings” ➔ “Security Settings” ➔ “File System”.
7. Right-click on “File System” in the left pane and select “Add File...” It shows the following dialog box.
8. Browse the folder or file that you wish to assign permissions on, and left click to select it. Click “OK”.
9. “Database Security” window appears on the screen.
10. Click “Advanced” button to access “Advanced Security Settings” window. Stay on the “Permissions” tab that appears by default.
11. On this tab, either select an existing user and click “Edit...” or click “Add...” to add a new user to the permissions.
12. “Permissions Entry for…” dialog box opens up. Here, you will see that there is a list of permissions available for your users, and you can also choose where you want to apply those permissions.
13. Use the drop-down menu in the “Apply to” field to assign selected permissions to desired folders.
14. Check the permissions as needed. These are self-explanatory.
15. Click “OK” to apply the permissions. It takes you back to “Advanced Security” window.
16. Now, move to the “Auditing” tab. Under this tab, you can do audit settings for the folder, so that any change done to this folder or its permission will be audited. Configure the auditing settings as per requirement.
17. Similarly, you can do ownership settings for the folder under “Owner” tab.
18. Once you have done “Permission”, “Auditing” and “Ownership” settings, click “OK” to close “Advanced Security…” window.
19. Click “OK” to close “Database Security…” window. Next, you will see “Add Object” window.
20. There are three options on the “Add Object” window:
a) Configure this file or folder then: Select this option to apply the settings. It contains the following two options.
- i. Propagate inheritable permissions to all subfolders and files: Selecting this option means, all the subfolders and files will inherit permissions from the parent folder. In case of a mismatch or conflict, explicit permissions that were assigned to the subfolders or files will override the inherited permissions.
- ii. Replace existing permissions on all subfolders and files with inheritable permissions: This option will overwrite all the settings on all subfolders and files with the ones on the parent, so ultimately they will have identical permissions to the parent folder.
- b) Do not allow permissions on this file or folder to be replaced: Use this setting for subfolders and files that you do not want to inherit permissions. For this, make an additional entry for those subfolders and files that will not inherit permissions e.g. let’s say you want the “A” folder to inherit permission but don’t want “B” folder to inherit permissions, in that case create an entry for the “B” folder.
NOTE: In this case, option “a” has been selected. Click “OK” to close the “Add Object” window.
21. Close “Group Policy Management Editor” window.
22. Right-click the domain you want to apply this GPO to, and then select “Link an Existing GPO...” option from the context menu. “Select GPO” window opens up.
23. Select the new “Assigning Folder Permissions” GPO, then click OK.
24. In the right pane, stay on the “Linked Group Policy Objects” tab that appears by default.
25. Right-click on the “Assigning Folder Permissions”, and select “Enforced” from the context menu. A confirmation message appears on the screen.
26. Click “OK” to close the dialog box.
In the following screen, you can see the report on all modifications made in file server that shows all changes made to files and folders including their permissions. All the relevant information about auditing like who changed what, when and where is shown in a single record. Details pane gives further information about the record.
In this article, you have seen the way to assign files and folders permissions through GPO. You have also seen the auditing of changes made to files and folders using LepideAuditor. The solution has pre-defined file and folders modification and permission modification reports that make enterprises safe and compliance-ready.
- How to keep track of changes made to your files and folders
- How to assign permissions to files and folders through Group Policy
- How to track permission changes on File Servers
- How to track permissions applied on files and folders in Windows File Server
- How to Track Changes Made to Files in a Shared Folder
- Enable file and folder access auditing on Windows Server 2012