I am trying to create a folder, share it, and then add a security group with write-only access to it. Specifically, create the folder ScanFiles in the user's Documents folder.
Forest Functional Level is 2008 R2. Client OS is Windows 7 Pro (no SP1).
The computers are in one OU. Users are in another. I have loopback turned on. All of these settings are configured in the GPO linked to the OU that the computers are in.
The three settings I am trying to use are:
Create Folder:
User Configuration\Preferences\Windows Settings\Folders
Action: Update Path: %UserProfile%\Documents\ScanFiles
Share Folder:
Computer Configuration\Preferences\Windows Settings\Network Shares
Action: Update Share name: ScanFiles$ Folder Path: %UserProfile%\Documents\ScanFiles
Permissions Modification:
Computer Configuration\Policies\Windows Settings\Security Settings\File System
Path: %UserProfile%\Documents\ScanFiles
Add Security Group:
Scanner-grp with write only permissions
With the above settings the folder is created, but it is not shared and the permission is not added.
I can get it to work (add a share and the permission) if I change the two settings (share and permissions) under the Computer Configuration portion of the GPO to have explicit directories. However, this will not be practical in production because I need the folder created under each user’s profile. I just used it to test and troubleshoot.
Next, I tried to use the environmental variable %SystemDrive% (i.e. %SystemDrive%\user\TestAcct\Documents\ScanFiles) and this also worked, creating the share and adding the permission. This proved to me that environmental variables work and the computer side of the GPO could modify a folder in a user profile.
Then, I thought that the user variable %UserProfile% may not be working. So I tried using %UserName% instead of explicitly stating TestAcct (i.e. %SystemDrive%\user\%UserName%\Documents\ScanFiles). That did not work.
Finally, I tried using Preference process variables. Those did not work any better (i.e. %SystemDrive%\user\%LogonUser%\Documents\ScanFiles).
My current hypothesis is that the variables relating to the currently logged on user will not work in policies and preferences under Computer Configuration. This must be due to how Windows applies (security/account) the computer configuration compared to the user configuration.
Does anyone have any knowledge that could help me use variables to apply the share and permissions? Or can anyone confirm that the way the GP is applied will not support user variables in the computer section of the GPO? Also, any links to Microsoft TechNet explaining what services, processes, and accounts are used to apply GPOs would be very welcome.
Thanks in advance,