hi, I am giving a user permissions to folder program files using group policy, I see the program files folder also has trusted installer group with permissions to this folder. when the group policy gets applied the trusted installer gets removed from the permissions lists. (since I can add all users to permission list in group policy except trusted installer hence it get removed) three questions: 1. How can I add trusted installer group permission back to the program files folder. (i cant find the group) 2. is there a way I can add trusted installer group using group policy. 3. what if I leave it as it is with trusted installer group not in the permissions list to the program files folder I know this question is mix of group policy and permissions question but my main concern is permission and impact of removal of the trusted inatller group. thanks cbcbcbcb

This has risen some questions previously. I have found the reference that may give you some advice not to fidddle with this group: http://social.technet.microsoft.com/Forums/en-ZA/winserversecurity/thread/b4ac3feb-8009-4f14-af93-337f948cec3e

Hi, Thank you for your post. Reply your questions: 3. TrustedINstaller group(Windows Resource Protection) prevents the replacement of essential system files, folders, and registry keys that are installed as part of the operating system. So no impact for your change the folder permission. 1. Input "NT SERVICE\TrustedInstaller" to find the group refer to this blog. 2. You could apply GPO to folder owned by administrators not trustedinstaller, please read this thread. If there are more inquiries on this issue, please feel free to let us know.Regards, Rick Tan

Hi, Thank you for your post. Reply your questions: 1. Input "NT SERVICE\TrustedInstaller" to find the group refer to this blog. 2. You could apply GPO to folder owned by administrators not trustedinstaller, please read this thread. 3. TrustedINstaller group(Windows Resource Protection) prevents the replacement of essential system files, folders, and registry keys that are installed as part of the operating system. Because you grant permission to All Users, it's fine to leave TrustedInstaller removed. However, as Milos mentioned, if it is possible, we should not fiddle this grup. If there are more inquiries on this issue, please feel free to let us know. Regards, Rick Tan