I set AD group policy to copy some .LNK shortcut files from a network share to users' individual desktops, with a user-level group policy setting. Errors 0x80070005 were produced by each copy, as seen in gpresult. I did research and gave read-only access for the whole network share to Authenticated Users. This made the copy work. But it's not acceptable to leave it this way, the share should not be readable by all authenticated users. To what do I give read-only access, so this works but with correct security? I imagine Domain Computers is just as bad?
But it's not acceptable to leave it this way, the share should not be readable by all authenticated users.
User policies more or less run in the user's context with the user's permissions. The user must be able to read files to copy them. So I don't believe what you are asking is possible.
Perhaps you should create another share where these shortcuts can be stored? Or put them on sysvol/netlogon?
Or if these shortcuts are only being added to a small subset of users, then grant read permissions for that subset on the share/files?
You should have some authentication / restrictions on the .lnk destination URLs or shares. This way having read access to the share containing those .lnk files alone wouldn't matter. If the share contains something else, you could create another share.
Another option is to create a new security group for all the users this policy is applied to and give the read-only access to that group. The main problem with this in large environments is that now you need to maintain both the OU and the security group.
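The dedicated-share and security-group suggestions from the answers above, sketched as an added example that is not part of the original thread. The OU, group name, folder and share name are hypothetical placeholders, and the script assumes it runs elevated on the file server with the ActiveDirectory (RSAT) module installed. It also re-syncs the group from the OU, which addresses the double-maintenance concern.

```powershell
# Hypothetical names: replace with your own OU, group, folder and share.
$OuDn      = 'OU=Sales,DC=example,DC=com'   # OU the user-level GPO is linked to
$GroupName = 'GPO-Shortcuts-Read'           # group that receives read-only access
$Folder    = 'D:\Shares\Shortcuts'          # folder holding only the .lnk files
$ShareName = 'Shortcuts$'                   # hidden share name

Import-Module ActiveDirectory
$domain = (Get-ADDomain).NetBIOSName

# 1. Create the security group if it does not exist yet.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global `
                         -GroupCategory Security -PassThru
}

# 2. Make group membership mirror the enabled users in the OU, so the OU
#    stays the single place that is maintained by hand.
$wanted  = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $OuDn -SearchScope Subtree |
             Select-Object -ExpandProperty DistinguishedName)
$current = @(Get-ADGroupMember -Identity $group |
             Select-Object -ExpandProperty distinguishedName)
$add    = @($wanted  | Where-Object { $_ -notin $current })
$remove = @($current | Where-Object { $_ -notin $wanted })
if ($add)    { Add-ADGroupMember    -Identity $group -Members $add }
if ($remove) { Remove-ADGroupMember -Identity $group -Members $remove -Confirm:$false }

# 3. NTFS permissions: drop inherited ACEs, then grant full control to
#    Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18), and
#    read & execute to the shortcut group only.
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
icacls $Folder /inheritance:r
icacls $Folder /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' `
                        "${domain}\${GroupName}:(OI)(CI)RX"

# 4. Share permissions: read for the group, full for Administrators.
#    Authenticated Users and Everyone get no entry at all.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Folder `
                 -ReadAccess "$domain\$GroupName" `
                 -FullAccess 'BUILTIN\Administrators' | Out-Null
}

# 5. Review the result.
Get-SmbShareAccess -Name $ShareName
icacls $Folder
```

Step 2 can be run on a schedule to keep the group aligned with the OU. Users pick up a new group membership at their next logon, so the copy can still fail with 0x80070005 until they sign in again.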