Posted by Roger Abell [MVP] on November 16, 2005, 12:20 am
You may find that a better approach would be such as use of a temp
sub-OU with GPO that carries the file system permissioning.
IMO the intent of filesystem ACLs in GPO is for only the very important
storage areas for which you have need to guarantee the DACL/SACL
will be just so, and if changed locally will again become just so.
You are likely seeing the occasional slow login because the GPO that
carries the filesystem ACLing is seen to have a new version number,
and so it gets pulled from the DC and reapplied.
Moving a machine to which filesystem ACLing has been applied in this
way out from under the scope of the applying GPO will not result in
the ACLing reverting. It gets imprinted into the filesystem, unlike GPO
based Security Settings for which the "Policy" reg keys are defined to
allow avoidance of the imprinting effect. Hence, the opening suggestion
of a temp sub-OU used just to set the ACLing, so that in its normal
state (OU location) the occasional slowdown is not seen, again,
assuming your objective is not to enforce guarantee of just so.
--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4
> I'm using a group policy object that sets Computer Configuration\Windows
> Settings\Security Settings\File System. I use this because there were some
> problems with applications not working without write access to certain
> folders (including the Windows folders). I wanted to set the permissions on
> several machines at once so I put them all in an Organizational Unit, applied
> my Group Policy, and rebooted the machines. They took a long time to login
> (because it was setting the new NTFS permissions) but it worked. They logged
> in again and it was normal speed. Now for the problem.
>
> Every so often when someone logs on to one of these machines it will take a
> long time to logon. This doesn't happen all the time, just occasionally. I'm
> assuming the cached settings on the machine need to be updated from the
> domain so it reapplies the settings, thus reapplying the new NTFS
> permissions.
>
> Is there another Group Policy setting that will override this? If I move
> these machines to a different OU without File System Security Settings will
> it keep the settings applied by my GPO even though it's no longer being
> applied? Is there a better way to set a bunch of NTFS permissions on remote
> machines?
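
One way to confirm the behaviour described in the reply above, as an added example that is not part of the original thread: snapshot the folder security descriptors while the machine sits in the temporary sub-OU, then run the script again after moving it back to verify the ACLs stayed in place. The folder paths, baseline path and GPO name are placeholders, and the optional GPO version lookup assumes the GroupPolicy (RSAT) PowerShell module is installed.

```powershell
# Added example, not from the thread. All paths and the GPO name are placeholders.
param(
    [string[]]$Folder   = @('C:\LegacyApp', 'C:\LegacyData'),  # hypothetical folders set by the GPO
    [string]  $Baseline = 'C:\Temp\acl-baseline.xml',          # hypothetical snapshot location
    [string]  $GpoName                                          # optional; needs the GroupPolicy module
)

# Capture each folder's security descriptor (owner, group, DACL) as an SDDL string
# so two points in time can be compared with a plain string comparison.
function Get-FolderSddl {
    param([string[]]$Path)
    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p
        [pscustomobject]@{ Path = $p; Owner = $acl.Owner; Sddl = $acl.Sddl }
    }
}

$current = @(Get-FolderSddl -Path $Folder)

if (-not (Test-Path -LiteralPath $Baseline)) {
    # First run: machine is still in the temp sub-OU and the GPO has applied.
    $current | Export-Clixml -LiteralPath $Baseline
    Write-Output "Baseline saved to $Baseline"
} else {
    # Later run: machine has been moved back to its normal OU.
    $saved  = @(Import-Clixml -LiteralPath $Baseline)
    $report = foreach ($item in $current) {
        $old   = $saved | Where-Object { $_.Path -eq $item.Path }
        $state = if (-not $old) { 'NoBaseline' } elseif ($old.Sddl -eq $item.Sddl) { 'Unchanged' } else { 'Changed' }
        [pscustomobject]@{ Path = $item.Path; State = $state }
    }
    $report | Format-Table -AutoSize
}

# Optional: show the computer-side version numbers of the GPO. Per the reply above,
# a new version number is what causes the policy to be pulled and reapplied.
if ($GpoName) {
    Import-Module GroupPolicy
    $gpo = Get-GPO -Name $GpoName
    [pscustomobject]@{
        Gpo           = $gpo.DisplayName
        DSVersion     = $gpo.Computer.DSVersion
        SysvolVersion = $gpo.Computer.SysvolVersion
        Modified      = $gpo.ModificationTime
    } | Format-List
}
```

A `Changed` row after the move means something other than the GPO altered the folder's permissions, which is worth reviewing since these folders were deliberately given broader write access.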