In every environment, there will always be that one application that requires privileged access. Software that uses a local database like SQLite is among the biggest culprits. Account software is the other. So how do we grant access to the folder with Group Policy?
Folder Creation
Before creating the GPO, make sure the folder you will be giving access to is present on the machine you are creating the GPO on. The actual software does not need to be installed.
As shown below, the folder “Application” > “TheSubfolder” was created under “C:\Program Files (x86)”. This is how it will be displayed on the end user's machine. The folder permissions are also shown, so the results can be compared before and after the GPO applies.
Grant Access to Specific Folder
Once the folder is created, open Group Policy Management and create a new policy underneath Group Policy Objects. I suggest a descriptive name like CC – Application: Folder Permission
- CC: Computer Configuration
- Application: The Name of the Application
- Folder Permission: The Purpose of GPO
Edit the new GPO and, under Computer Configuration, browse to:
Policies > Windows Settings > Security Settings > File System.
Right-click in the right-hand pane and choose Add File…
Browse to the folder that the permissions are going to be set on, select it and press OK.
You will be prompted with the Security dialog, at which stage you can select who requires what permission. I do not suggest specifying users directly, but rather groups. For something that is company-wide, using a group like “Domain Users” will give all users access to the folder. If you need to make provision for local users as well as domain users, try using the group “Authenticated Users”.
Once you are done, you will be presented with the Add Object window, which controls how inheritance is handled on the folder.
Propagate inheritable permissions to all subfolders and files.
- Subfolders and files will inherit permissions from the parent folder
- Explicit permissions on subfolders and files are not overwritten
- Explicit permissions take precedence over inherited permissions
Replace existing permissions on all subfolders and files with inheritable permissions
- Subfolders and files will inherit permissions from the parent folder
- All subfolder and file permissions will be rewritten with the parent's permissions (no explicit permissions will remain)
Do not allow permissions on this file or folder to be replaced.
- Used on specific subfolders and files to exclude them from the previous two settings
- The specified subfolder or file will not have any of its permissions changed
Applied Permissions
It is advisable to make sure the folder is on the system before applying the GPO. The issue I had was that it showed a problem applying the GPO, as I created the folder on the test machine afterward. To check if the GPO pulled through, use gpresult /r in a Command Prompt. To check if the GPO applied successfully, run rsop.msc as administrator.
A simple gpupdate /force reapplied the GPO when the folder was recreated, as you can see in the results below.
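To confirm the before and after state from the command line as well, the following added example (not part of the original article) lists the access entries a group holds on the folder and everything beneath it, and shows whether each entry is explicit or inherited. The function name Get-FolderGrant is hypothetical; the path and group are the ones used above.

```powershell
# Added example: report the ACEs a group holds on the GPO-managed folder.
# Get-FolderGrant is a hypothetical helper name; the default path and
# group are the ones used in this article. Adjust both for your application.
function Get-FolderGrant {
    param(
        [string]$Path  = 'C:\Program Files (x86)\Application\TheSubfolder',
        [string]$Group = 'Authenticated Users'
    )

    # The File System policy can only set permissions on a path that exists.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Folder not found: $Path. Create it, then run gpupdate /force."
        return
    }

    # Parent folder first, then every subfolder and file beneath it.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        $acl.Access |
            Where-Object { $_.IdentityReference.Value -like "*$Group" } |
            ForEach-Object {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $_.IdentityReference.Value
                    Rights    = $_.FileSystemRights
                    Type      = $_.AccessControlType
                    # False = explicit ACE, True = inherited from the parent
                    Inherited = $_.IsInherited
                    # True = this item does not accept inherited permissions
                    InheritanceBlocked = $acl.AreAccessRulesProtected
                }
            }
    }
}

# Run once before and once after gpupdate /force and compare the output.
Get-FolderGrant | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt so that every subfolder's ACL can be read. With the "Propagate" option, the parent shows an explicit entry and the children show it as inherited.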