3.3 Local File Rights Policy

The Local File Rights policy allows you to configure rights for files or folders that exist on the NTFS file systems.

  1. In ZENworks Control Center, click the Policies tab.

  2. In the Policies list, click New, then click Policy.

    or

    In the Policy Tasks, click New Policy.

    The Select Platform page is displayed.

  3. Select Windows, then click Next.

    The Select Policy Category page is displayed.

  4. Select Windows Configuration Policies, then click Next.

  5. Select Local File Rights Policy as the Policy Type, then click Next

  6. In the Define Details page fill in the following fields:

    Policy Name: Provide a name for the policy. The policy name must be different than the name of any other item (group, folder, and so forth) that resides in the same folder. The name you provide displays in ZENworks Control Center.

    Folder: Type the name or browse to and select the ZENworks Control Center folder where you want the policy to reside. The default is /policies, but you can create additional folders to organize your policies.

    Administrator Notes: Provide a short description of the policy’s content. This description displays in ZENworks Control Center.

  7. Click Next to display the Configure Basic Properties page, then use the options on the page to configure the attributes.

    The following table contains information about configuring a file or folder and the attributes associated with it:

    Field

    Details

    File / Folder Path

    Allows you to specify the complete path of a file or folder on the managed device. You can use the ZENworks system variables or environment variables to specify the path.

    To configure system variables in ZENworks Control Center, click the Configuration tab > the Device Management setting in the Management Zone Settings panel > System Variables. Click the Help button for details about configuring system variables.

    Notify if the file or folder does not exist

    When you select this option, a message is sent to the Primary Server. If a folder entered by the user is not present on the ZENworks Agent, then the policy fails to enforce on the managed device.

    If you de-select this option, even if a folder is not present on the ZENworks Agent, a message will not be sent to the Primary Server and the policy will be enforced successfully on the managed device.

    Attributes

    Allows you to specify the attributes of a file or folder, such as Read only and Hidden.

    This page allows you to configure permissions for only one file or folder. If you want to assign permissions to multiple files or folders, then configure them in the Details page after creating the policy.

  8. Click Next to display the Configure Permissions page, then use the options on the page to configure permissions for selected users or groups.

    The following table contains information about configuring permissions:

    Field

    Details

    Permission for Users or Groups

    Allows you to configure permissions for users or groups.

    1. Click Add, then Click User or Group to select a user or a group from the appropriate drop-down list.

    2. Select the type of permission you want to configure as Simple NTFS Permissions or All NTFS Permissions. Depending on the type of permission you select, a list of permissions are displayed. Configure the permissions as applicable to the selected user or group.

    3. By default, when a permission is set on a folder, all the subfolders and the files also inherit the permissions. If you want to restrict the inheritance of the rights to only the immediate child file or folder, select Restrict inheritance to immediate child files/folders only.

    4. Click OK.

    The permissions configured for the user or group in the Dynamic Local User policy takes precedence over the permissions configured in the Local File Rights policy.

    Create Groups on the Managed Device if they Do not Exist

    Creates a group for which permissions are configured; however the group does not exist on the managed device. With this option, you can create only local groups.

    Remove Access Control Rules not Configured by ZENworks

    Removes all access control entries for users or groups not configured by the ZENworks Local File Rights policy. Also, updates the existing access control entries for users and groups configured in the policy. After the policy is applied, any manual changes made to the permissions for a user or group configured by the policy are lost when the policy is re-applied.

    Inherit Applicable Access Rights Configured on Parent Folders

    Select Yes if you want a file or folder to inherit applicable access control rules from its parent object. If you select No, inherited rules are removed. If you do not want to make any changes, select not configured on the managed device.At least one attribute, permission, or inheritance setting must be configured to create a policy. Without configuring any settings, you cannot create a policy.

    NOTE:If the Full Control access right is denied for the Administrators or Authenticated Users group, the policy is successful only during the first enforcement. However, if the Full Control access right is denied for the Administrators or Authenticated Users group and the Remove access control rules not configured by ZENworks option is selected, the policy fails.

    The unenforcement of the Local File Rights policy from a device fails if the Full Control access right is denied for the Administrators or Authenticated Users group in the policy.

  9. Click Next to display the Summary page. Review the information and, if necessary, use the Back button to make changes to the information on the Summary page.

  10. (Conditional) Select Create as Sandbox, if you want to create the sandbox version of the policy.

  11. Click Finish to create the policy now, or select Define Additional Properties to specify additional information, such as policy assignment, system requirements, enforcement, status, and which group the policy is a member of.