Re: Restrict writing to C:
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Tue, 10 Oct 2006 07:48:46 -0700
You did not indicate your OS version.
If XP, then notice that in a default install, on the root of C: there
are two special grants to Users:
  Create Folders / Append Data for This folder and subfolders
  Create Files / Write Data for Subfolders
These two allow Users members to originate new folders.
The grant to Creator Owner then takes over and grants
Full control to the originating account.
If you further check a default, fresh install you would see
that most folders under the root have explicit permissions
set on them (they do not inherit from the root).
So, if you remove the two special permissions from the root,
and do this very carefully so that it does not cause propagation
to the substructure but leaves all the new inheritance points as is,
then you will have accomplished your objective. Users members
would still have correct access to their profiles and to the temp
areas in the %windir% (and yes they could save to there) but
they would no longer be able to originate new folders under C:
You can accomplish that objective with a security template that
sets this in the File system area. Be sure to test carefully as it is
easily possible to define this incorrectly and replace permissions
on the substructure, wiping out the as-installed inheritance points
(which you should not do).
Roger
"jason" <jason@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:51F67CA0-A7C1-4F62-8037-5794B1F8DE54@xxxxxxxxxxxxxxxx
Yes - The users do not have Admin rights on the computer. I thought there was
a way to direct them to only their home directory and lock everything else
down. I understand that they need write access to their local profile;
however, we can clean this up with a logoff script.
Any other suggestions?
Thanks
Jason
"Gerry Hickman" wrote:
Hi,
Are we talking about users that don't have Admin rights?
On Win2k the root of the C drive has inheritable permissions that are
Everyone:F, if this was changed at the root, it would probably prevent new
folders being created under the root. Documents and Settings is a different
beast, because the user will have write access to their profile.
We replace our workstations every three years, and since using Win2k with
non-Admin rights, I find the machines are almost as clean on the day we
recycle them as on the day they were built (in terms of what's on the C
drive).
--
Gerry Hickman - (London UK)
"jason" <jason@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C7A60F91-B934-478F-9BC7-C1374E7F8D68@xxxxxxxxxxxxxxxx
I would like to restrict users from downloading applications or files and
saving them to the local machine. They are restricted from saving and
installing non .exe and .msi files into C:\Program Files due to restrictions
however they can change the network path to direct to C:\application name and
can install there. When I try to restrict access to C: I get errors at log
in. (C: is also hidden from My Computer)
Ideally I would like them to only be able to save into their home directory.
Is there a group policy to do this?
Thanks
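A read-only check to run before and after the change Roger describes, as an added example that is not part of the original thread: it lists the ACEs on the root that let BUILTIN\Users create folders or files, and shows which first-level folders are inheritance points (protected ACLs) and which inherit from the root. It assumes PowerShell 3.0 or later; `Get-UsersCreateAce` and the `$Root` parameter are names made up for this example.

```powershell
# Added example: read-only audit, it changes no permissions.
param([string]$Root = "$env:SystemDrive\")   # assumption: audit the system drive root

$usersSid  = 'S-1-5-32-545'                  # well-known SID of BUILTIN\Users
$sidType   = [System.Security.Principal.SecurityIdentifier]
$rights    = [System.Security.AccessControl.FileSystemRights]
# CreateDirectories = "Create Folders / Append Data", CreateFiles = "Create Files / Write Data"
$createBits = [int]($rights::CreateDirectories -bor $rights::CreateFiles)

function Get-UsersCreateAce {
    # Returns the Allow ACEs for BUILTIN\Users on $Path that include a create right.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    # Ask for SIDs instead of names so the match also works on localized systems.
    $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $usersSid -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $createBits) -ne 0)
    }
}

"ACEs on $Root that let Users create folders or files:"
Get-UsersCreateAce -Path $Root |
    Select-Object FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited |
    Format-Table -AutoSize

"First-level folders (InheritancePoint = ACL does not inherit from the root):"
Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        try {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop
            [pscustomobject]@{
                Folder           = $_.Name
                InheritancePoint = $acl.AreAccessRulesProtected
                UsersCanCreate   = [bool](Get-UsersCreateAce -Path $_.FullName)
            }
        } catch {
            # Folders whose ACL cannot be read (for example, access denied) are skipped.
        }
    } | Format-Table -AutoSize
```

If a folder that was an inheritance point before the change reports `InheritancePoint = False` afterwards, the template replaced permissions on the substructure, which is the outcome Roger warns against.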