Re: how can I stop user deleting important files



Bharat wrote:
Thanks I'll give it a go.

Just tried this at home on an XP Pro PC (no Windows Server in the mix).
Set up a new user "Test" with USER privileges only.

Guess what - I can delete BOOT.INI and NTLDR etc. whilst logged in as TEST.
Boy, I need to investigate this a bit more.


"MCSEGURU" <mcseguruhere@xxxxxxx> wrote in message news:OmRxs$cvFHA.4032@xxxxxxxxxxxxxxxxxxxxxxx
Unless your default NTFS Permissions on your PC are jacked, Domain Users
shouldn't have access to modify or local system files on their PC.  Are you
sure they aren't members of their PC's Administrators group?  Even though you
have given them de-elevated permissions from the SBS Domain Directory, that
doesn't necessarily override their permissions on their local PCs.

If it may be that they are elevated on the local PCs as a result of
Administrator group memberships, try enforcing restricted "Administrators"
to the local PCs using Group Policies.

In Server Manager, Advanced Management, Group Policy Management, Your
Forest, Your Domain, Your Domain.local, Default Domain Policy (right click
and select Edit), Computer Settings, Windows Settings, Security Settings,
Restricted Groups, Add Group, Administrators, Add Users... etc...

Make sense?  This will propagate specific users to be members of the
Administrators Group on your domain member computers.



"Bharat" <bharat@xxxxxxxxxxxx> wrote in message
news:utTDrtcvFHA.252@xxxxxxxxxxxxxxxxxxxxxxx
Setting up user as USER - still allows them to delete

NTLDR
BOOT.INI
etc.....





So something is wrong. You can resort, though, to the group policy, assuming you have dealt with policies before. May I suggest that you create a test directory on at least one target machine. Create a directory called test on a test machine, and create one on yours. Open Computer Configuration > Windows Settings > Security Settings > File System. Add a directory or a file that you would like to protect and assign the permissions when prompted. Make sure that the user belongs to the organizational group you're assigning the policy to, and if you will, create a test one too. Once you put the policy in place, either log the user off and on, or simply execute GPUPDATE on his machine and test it. I use this area company-wide to allow specific users to delete accounting log files and allow only managers to delete, by looping policies.
Let us know how goes it.


--
Dana
http://www.woodcontour.com
Solid wood and stone PC Peripherals
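
A read-only audit of the two things this thread questions, local Administrators membership and the NTFS permissions on the boot files, added here as an example and not taken from any poster's message. It assumes Windows PowerShell is installed on the PC and that the system drive is C:; the function name Get-RiskyAce is made up for the example.

```powershell
# Added example, not from the thread. Drive letter is an assumption;
# the file names are the ones mentioned in the posts above.
$drive = 'C'
$files = "${drive}:\boot.ini", "${drive}:\ntldr"

# NTFS permissions only exist on NTFS volumes; a FAT/FAT32 volume has no ACLs.
$fs = (New-Object System.IO.DriveInfo $drive).DriveFormat
"Volume ${drive}: file system is $fs"

# Rights that allow deleting, overwriting or re-permissioning the file itself.
$fileMask = [System.Security.AccessControl.FileSystemRights]'Delete, WriteData, AppendData, ChangePermissions, TakeOwnership'
# On the parent folder, "delete child" allows deleting files inside it.
$dirMask  = [System.Security.AccessControl.FileSystemRights]'DeleteSubdirectoriesAndFiles'
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Hypothetical helper: list Allow entries on $Path that grant any right in $Mask.
function Get-RiskyAce {
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Mask
    )
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        # Inherit-only entries apply to children, not to this object.
        ([int]$_.PropagationFlags -band $inheritOnly) -eq 0 -and
        ([int]$_.FileSystemRights -band [int]$Mask) -ne 0
    } | Select-Object @{n='Path'; e={$Path}}, IdentityReference, FileSystemRights, IsInherited
}

# Who can delete or change each boot file directly?
foreach ($f in $files) {
    if (Test-Path -Path $f) { Get-RiskyAce -Path $f -Mask $fileMask }
    else { "$f not found" }
}

# Who can delete files in the root folder regardless of the file's own ACL?
Get-RiskyAce -Path "${drive}:\" -Mask $dirMask

# Members of the local Administrators group hold full control over these files
# no matter what the domain-side settings say.
net localgroup Administrators
```

Run it once from an administrative account and compare the listed identities with the test user's group memberships; an entry for Users, Everyone or Authenticated Users in the output is the one to investigate.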