Partilhar via


Apply or modify permission entries for objects using Group Policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To apply or modify permission entries for objects using Group Policy

  1. Open Microsoft Management Console.

  2. On the File menu, click Add/Remove Snap-in, and then click Add.

  3. Click Group Policy Object Editor, and then click Add.

  4. In the Group Policy Wizard, on the Select Group Policy Object page, click Browse.

  5. In Browse for a Group Policy object, do one of the following:

    • To use an existing non-local Group Policy object (GPO), select a Group Policy object in the appropriate domain, site, or organizational unit, click OK, and then click Finish.

    • To create a new non-local Group Policy object, in the Domain, OUs and linked Group Policy Objects box, right-click in an empty area, click New, type the name of the new Group Policy object, click OK, and then click Finish.

    Note

    • If the Browse for a Group Policy object dialog box has only one tab, and it has the label Computers, then you only have access to local Group Policy objects and you cannot complete this procedure. This probably means the computer is not joined to an Active Directory domain.
  6. Click Close, and then click OK.

  7. Do one or more of the following:

    To modify permission entries on Do this

    System services

    • In the console tree, click System Services.

      Where?

      • Computer Configuration/Windows Settings/Security Settings/System Services

    • In the details pane, right-click the service you want to change, click Properties, select the Define this policy setting check box, and then click Edit Security.

    Registry keys

    • In the console tree, right-click Registry.

      Where?

      • Computer Configuration/Windows Settings/Security Settings/Registry

    • Click Add Key, in Select Registry Key, click the key that you want to change, and then click OK.

    Files or folders

    • In the console tree, right-click File System.

      Where?

      • Computer Configuration/Windows Settings/Security Settings/File System

    • Click Add File, in Add a file or folder, click the file or folder that you want to change, and then click OK.

  8. Do one of the following:

    • To set permissions for a group or user that does not appear in the Group or user names box, click Add. Type the name of the group or user you want to set permissions for, and then click OK.

    • To change or remove permissions from an existing group or user, click the name of the group or user.

  9. Do one of the following:

    • To allow a permission, in the Permissions for User or Group box, select the Allow check box.

    • To deny a permission, in the Permissions for User or Group box, select the Deny check box.

    • To remove the group or user from Group or user names, click Remove.

Notes

  • You must be logged on as a computer administrator to complete this procedure.

  • To open Microsoft Management Console, click Start, click Run, type mmc, and then click OK.

  • The security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller. The settings are also refreshed every 16 hours, whether or not there are any changes.

  • To complete this procedure, the computer must be joined to an Active Directory domain, and you must have permission to edit the Group Policy object.

  • These settings are refreshed on an ongoing basis, so configuring many access control lists through Group Policy may increase the load on the network.

  • In the Windows Server 2003 family, the Everyone group no longer includes Anonymous Logon.

  • You can set file and folder permissions only on drives that are formatted to use NTFS.

  • To change permissions, you must be the owner or have been granted permission to do so by the owner.

  • For more information about permissions on other objects, see Permissions.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

View effective permissions on files and folders
Set, view, change, or remove special permissions
File and folder permissions
How inheritance affects file and folder permissions
Access control overview