?
Solved

Locking down "My Documents" folders per profile

Posted on 2003-03-09
8
Medium Priority
?
216 Views
Last Modified: 2013-12-04
Hi all-

I'm interested to know how one goes about locking down each user so that only the logged in user can see their own data under "Documents and settings."  I, as the admin on the local machine, still want to be able to shuffle data around gracefully if need be, but I'd like the user's locked down more tightly.

Do I need to create a special profile for these kinds of users?  Currently permissions for users are not pushed down from the Server side of things and I lock people down locally as either the default "Admin," "Power User" or "User."  How does one go about creating customized permissions settings?  

Any help or directions to other resources would be greatly appreciated.

Thanks much-

Lee
0
Comment
Question by:infiniteposse
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 3

Expert Comment

by:Flash828
ID: 8099974
As long as they are users then it should be the default to do that.  At least thats the way it is on my XP machine.... Have you tried to access someone elses home directory as a user and succeeded?
0
 

Expert Comment

by:WinXPFixR
ID: 8105057
Just take away the "read" and "list contents of directory" from everyone.  Dont deny, just uncheck allow for everyone.

Hope this helps.
0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 

Author Comment

by:infiniteposse
ID: 8106080
Hi WinXPFixR-

Where do I get to these settings?  Group Policy manager?  Are these settings specific to the "Documents and settings" folders?

Thanks much-

Lee
0
 
LVL 3

Expert Comment

by:Flash828
ID: 8106190
You right click on the users directory in Documents and settings folder, then go to security.  That is where you set permissions for users for all the files below the users directory.  These options will only exist if you are using NTFS... and again, should be the default.
0
 
LVL 12

Accepted Solution

by:
trywaredk earned 500 total points
ID: 8115108
Do the following on the workstations with NTFS:
1. RightClick C:\Documents And Settings\LoginName
2. Choose Properties / Security
3. Don't remove Local Administrators, SYSTEM, and the Domain Users
4. Remove anything else

BUT forget all about NTFS for members of the Local Admin Group, as You stated in Your question: as either the default "Admin," "Power User" or "User."  

And forget about it, if You have Domain User Groups in the Local Admin Group, because ....


PLEASE READ THIS CAREFULLY:

You must NEVER NEVER add a Domain User Group membership of the Local Admin Group on each workstation.

And You must NEVER add the same Domain User membership of the Local Admin Group on more than his/hers own workstation

If You add a Domain Group membership of the Local Admin Group, everyone being member gets unlimited REMOTE access power of all simular workstations on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)


IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:

http://www.experts-exchange.com/Security/Win_Security/Q_20506528.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734


IF YOU WANT TO TEST IT:
You have to add the Domain Group to the Local Admin Group on BOTH test-workstations, and logout and logon again.

Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.

Please reply, when You have removed the Domain Group from the Local Admin Group again!


Many Regards

Jorgen Malmgren
IT-Supervisor
Denmark

0
 

Expert Comment

by:CleanupPing
ID: 9070759
infiniteposse:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10854551
:o) Glad I could help you - thank you for the points
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question