In addition to using batch files or a scripting language, Group Policy
Objects assigned to an OU can accomplish this very easily. They also
have the ability to skip certain directories. Like Mike mentioned you
should be aware of the various user accounts and services. We have
separate GPOs for different OUs to accommodate for things like IIS,
NTFRS, etc. Cheers.

Richard Hesse
Systems Administrator
MSN Messenger

-----Original Message-----
From: Mike Coppins [mailto:mikelegolas.com]
Sent: Wednesday, April 03, 2002 4:57 AM
To: focus-mssecurityfocus.com
Subject: re: A different NTFS ACL question

(Only joined this list today, so I'm reading your post off the website,
so
I'm not able to easily quote - sorry)

I've found it generally easier to just rewrite C drive ACLs from scratch

rather than doing lots of little edits. This may seem like a major
project
to embark on, but it depends on what level of security you're trying to
achieve (you also learn a shedload of out-of-the-way bizarre permissions

info, especially on Win2k! :-)). The only issue I see (if you want to
keep

[deletia]

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]