When root data folders are provisioned consistently, Group Policy can be leveraged to manage
and enforce the ACLs on those folders. The following steps show how this is done:
1. Create a Group Policy object (GPO) scoped to your file servers. Name the GPO according
to your naming conventions—for example, GPO_File Server Configuration.
2. Open the GPO in the Group Policy Management Editor (which is called the Group Policy Object Editor in Windows Server 2003).
3. Navigate to Computer Configuration, Windows Settings, Security Settings, File System.
4. Right-click File System and choose Add File. Note that the Add File command allows you to manage files or folders.
5. In the Folder box, type the path to the root data folder as it exists on the local volumes of the file server or servers that will be managed by the GPO—for example, E:\Data. Note that you can type the path—the folder does not have to exist on the system from which you are editing the GPO.
6. Click OK.
7. The Database Security dialog box opens, as shown in Figure. This dialog box is equivalent to the Security tab of the Properties dialog box for a folder. Use it to configure the appropriate ACL for the specified root data folder. Be particularly careful to manage the inheritance flags of ACEs in this ACL.
8. Click OK to close the Database Security dialog box.
9. In the Add Object dialog box, select Configure This File or Folder Then and select Propagate Inheritable Permissions to All Subfolders And Files. If, in fact, all subfolders and files should contain an ACL identical to that of the root data folder, select Replace Existing Permissions On All Subfolders And Files With Inheritable Permissions.
10. Click OK.
The GPO will now enforce the specified ACL for any system that is within the scope of the ACL and contains a folder matching the specified path. Because File System policy settings are applied by the Security Configuration Engine (SCE) extension, those settings will be reapplied every 16 hours, by default, even if the GPO has not changed. Therefore, if an administrator modifies the folder’s ACL directly on the server, the ACL will be reset to the specified configuration, on average, within eight hours.
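
A drift check for the ACL that the GPO enforces, as an added example that is not part of the original post: it compares the explicit ACEs, their inheritance flags, and the inheritance-blocking state of the root data folder against a baseline SDDL string. The function name `Test-RootFolderAcl` and the baseline SDDL are assumptions made for illustration; `E:\Data` is the example path from the steps above.

```powershell
# Added example, not from the original post. The baseline SDDL below is a
# constructed sample; replace it with the ACL configured in your GPO.
function Test-RootFolderAcl {
    param(
        [string]$Path = 'E:\Data',   # example path used in the steps above
        # Constructed baseline: inheritance blocked (P); Administrators (BA) and
        # SYSTEM (SY) full control, Authenticated Users (AU) read and execute,
        # each ACE inherited by subfolders (CI) and files (OI).
        [string]$ExpectedSddl = 'D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)'
    )

    # Parse the baseline DACL in memory; nothing is written to disk.
    $expected = New-Object System.Security.AccessControl.DirectorySecurity
    $expected.SetSecurityDescriptorSddlForm($ExpectedSddl, 'Access')
    $actual = Get-Acl -LiteralPath $Path -ErrorAction Stop

    # Render each explicit (non-inherited) ACE as one comparable string,
    # including the inheritance and propagation flags.
    $render = {
        param($Security)
        $sidType = [System.Security.Principal.SecurityIdentifier]
        foreach ($ace in $Security.GetAccessRules($true, $false, $sidType)) {
            '{0} {1} {2} inherit={3} propagate={4}' -f $ace.IdentityReference.Value,
                $ace.AccessControlType, $ace.FileSystemRights,
                $ace.InheritanceFlags, $ace.PropagationFlags
        }
    }
    $want = @(& $render $expected)
    $have = @(& $render $actual)
    $missing = @($want | Where-Object { $_ -notin $have })
    $extra   = @($have | Where-Object { $_ -notin $want })
    $blockMismatch = $actual.AreAccessRulesProtected -ne $expected.AreAccessRulesProtected

    [pscustomobject]@{
        Path               = $Path
        InheritanceBlocked = $actual.AreAccessRulesProtected
        MissingAces        = $missing      # in the baseline, absent on disk
        UnexpectedAces     = $extra        # on disk, absent from the baseline
        Drift              = [bool]($missing.Count -or $extra.Count -or $blockMismatch)
    }
}

Test-RootFolderAcl | Format-List
```

Run on a file server between policy refreshes, a `Drift` value of `True` means the folder's ACL was changed directly on the server and has not yet been reset by the GPO.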

