Re: Hide Hard Drives from Other Users

You can do it by denying the System account permissions on usbstor.inf and usbstor.pnf when she logs on. When you log on you reverse the restrictions and allow the System account permissions on the files. You can use the CACLS command in a batch file to accomplish this. At this time my plan is only "half baked" ;-) and I don't have a USB drive to test this on so you will have to do some tinkering, but it would go something like this:

To deny:

cacls %systemroot%\inf\usbstor.inf /e /p system:n
cacls %systemroot%\inf\usbstor.pnf /e /p system:n


To allow:

cacls %systemroot%\inf\usbstor.inf /e /p system:f
cacls %systemroot%\inf\usbstor.pnf /e /p system:f


You can make a little batch files with these two little command lines and then have a logon script process the batch file for each respective users and the desired permissions will be applied when the users log on.

As I said, "the plan is only half baked" so you may have to adjust the oven temperature. If the cake flops we may have to adjust the recipe and add more baking powder. Let us know how you make out with it and if it works.

Oh, I almost forgot, to check permissions use the cacls command as follows:

cacls %systemroot%\inf\usbstor.inf

change the file name accordingly when verifying the file permissions.


Permissions enabled it will look like this (note the NT AUTHORITY\SYSTEM permissions :F ):

C:\>cacls %systemroot%\inf\usbstor.inf
C:\WINDOWS\inf\usbstor.inf BUILTIN\Users:R
BUILTIN\Power Users:R
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F


C:\>cacls %systemroot%\inf\usbstor.pnf
C:\WINDOWS\inf\usbstor.PNF NT AUTHORITY\SYSTEM:F
BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F


Permissions denied it will look like this (note the NT AUTHORITY\SYSTEM permissions :N):

C:\>cacls %systemroot%\inf\usbstor.inf
C:\WINDOWS\inf\usbstor.inf NT AUTHORITY\SYSTEM:N
BUILTIN\Users:R
BUILTIN\Power Users:R
BUILTIN\Administrators:F


C:\>cacls %systemroot%\inf\usbstor.pnf
C:\WINDOWS\inf\usbstor.PNF NT AUTHORITY\SYSTEM:N
BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F

See here for more information on CACLS: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/cacls.mspx?mfr=true

Once again, let me know if it works.

John

Tango T wrote:

XP Home edition. I have my admin account and my daughter has her user account. She can't get into admin My Documents but she can get into my USB external drive with all my work documents. Is there a way to hide/deny her access to my USB drive but still give me access just in case I forget to unplug the drive?

Tango


.

Relevant Pages

  • Re: Deleting shortcuts when they are for a C: program
    ... And we only have a name as a parameter so it should say Not Found or the permissions. ... > Displays or modifies access control lists of files ... CI - Container Inherit. ...
    (microsoft.public.windowsxp.general)
  • Re: Using cacls
    ... Jon, ... With Home you can also adjust permissions by ... rebooting into Safe mode. ... > I am using cacls because you suggested it in a previuos ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Permissions Batch File
    ... This can be done via a batch file. ... Use the CACLS or XCACLS command. ... > I have been given the task to create a folder structure and permissions on ...
    (microsoft.public.win2000.security)
  • Re: Cant delete mystery folders in C: drive
    ... Open a Command Prompt ... cacls EBCFBF~1\Update (to check the permissions) ... It seems that both of those oddly-named folders were directly ...
    (microsoft.public.windowsxp.general)
  • Re: MS09-010 960477 KB923561 FAILED on all Servers.
    ... Probably someone made a mistake either when applying the mitigation or removing it and accidentally zapped the Administrator permissions which should have remained unchanged. ... Warning Undo this workaround before installing this security update. ... echo y| cacls "%ProgramFiles%\Common Files\Microsoft ...
    (microsoft.public.windowsupdate)