• Status: Solved

Locking down "My Documents" folders per profile

Hi all-

I'm interested to know how one goes about locking down each user so that only the logged-in user can see their own data under "Documents and settings." I, as the admin on the local machine, still want to be able to shuffle data around gracefully if need be, but I'd like the users locked down more tightly.

Do I need to create a special profile for these kinds of users?  Currently permissions for users are not pushed down from the Server side of things and I lock people down locally as either the default "Admin," "Power User" or "User."  How does one go about creating customized permissions settings?  

Any help or directions to other resources would be greatly appreciated.

Thanks much-

Lee
 
Flash828 Commented:
As long as they are users then it should be the default to do that.  At least that's the way it is on my XP machine.... Have you tried to access someone else's home directory as a user and succeeded?
 
WinXPFixR Commented:
Just take away the "read" and "list contents of directory" from everyone.  Don't deny, just uncheck allow for everyone.

Hope this helps.
 
infiniteposse (Author) Commented:
Hi WinXPFixR-

Where do I get to these settings?  Group Policy manager?  Are these settings specific to the "Documents and settings" folders?

Thanks much-

Lee
 
Flash828 Commented:
You right-click on the user's directory in the Documents and settings folder, then go to security.  That is where you set permissions for users for all the files below the user's directory.  These options will only exist if you are using NTFS... and again, should be the default.
 
trywaredk Commented:
Do the following on the workstations with NTFS:
1. Right-click C:\Documents And Settings\LoginName
2. Choose Properties / Security
3. Don't remove Local Administrators, SYSTEM, and the Domain Users
4. Remove anything else

BUT forget all about NTFS for members of the Local Admin Group, as You stated in Your question: as either the default "Admin," "Power User" or "User."  

And forget about it, if You have Domain User Groups in the Local Admin Group, because ....


PLEASE READ THIS CAREFULLY:

You must NEVER NEVER add a Domain User Group membership of the Local Admin Group on each workstation.

And You must NEVER add the same Domain User membership of the Local Admin Group on more than his/her own workstation

If You add a Domain Group membership of the Local Admin Group, everyone being member gets unlimited REMOTE access power of all similar workstations on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)


IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:

http://www.experts-exchange.com/Security/Win_Security/Q_20506528.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734


IF YOU WANT TO TEST IT:
You have to add the Domain Group to the Local Admin Group on BOTH test-workstations, and logout and logon again.

Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.

Please reply, when You have removed the Domain Group from the Local Admin Group again!


Many Regards

Jorgen Malmgren
IT-Supervisor
Denmark

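The two checks from the answer above as a read-only audit script. This is an added example, not code from any poster in the thread. It assumes Windows PowerShell 5.1 in an elevated prompt, that each profile folder is named after its owner, and it reads step 3 as keeping Administrators, SYSTEM and the folder's own account; the function names and the skip list are hypothetical.

```powershell
# Added example (not from the thread): report profile-folder ACL entries and
# domain groups in local Administrators. Changes nothing on disk.
param(
    # Path used in the thread; on Vista and later the profile root is C:\Users.
    [string]$ProfileRoot = 'C:\Documents and Settings'
)

# Well-known SIDs kept on every profile: BUILTIN\Administrators and SYSTEM.
$keepSids = @('S-1-5-32-544', 'S-1-5-18')
# Shared or system profile folders that have no single owner (assumed list).
$skipDirs = @('All Users', 'Default User', 'Default', 'Public', 'LocalService', 'NetworkService')

function Get-UnexpectedProfileAccess {
    param([string]$Root, [string[]]$KeepSids, [string[]]$SkipDirs)
    Get-ChildItem -LiteralPath $Root -Force |
        Where-Object { $_.PSIsContainer -and $SkipDirs -notcontains $_.Name } |
        ForEach-Object {
            $folder = $_
            foreach ($ace in (Get-Acl -LiteralPath $folder.FullName).Access) {
                $account = $ace.IdentityReference.Value
                try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                catch { $sid = $account }   # unresolvable entry: report it as-is
                # Assumption: folder is named "lee" or "lee.DOMAIN" for account DOMAIN\lee.
                $user    = ($account -split '\\')[-1]
                $isOwner = ($folder.Name -ieq $user) -or
                           $folder.Name.StartsWith("$user.", [System.StringComparison]::OrdinalIgnoreCase)
                if ($ace.AccessControlType -eq 'Allow' -and -not $isOwner -and $KeepSids -notcontains $sid) {
                    [pscustomobject]@{
                        Folder    = $folder.FullName
                        Account   = $account
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

function Get-DomainGroupLocalAdmins {
    # Domain groups inside local Administrators: every member of such a group
    # is an administrator on each workstation configured this way.
    # Domain Admins is added at domain join and will be listed as well.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.ObjectClass -eq 'Group' -and $_.PrincipalSource -eq 'ActiveDirectory' } |
        Select-Object Name, SID
}

Get-UnexpectedProfileAccess -Root $ProfileRoot -KeepSids $keepSids -SkipDirs $skipDirs | Format-Table -AutoSize
Get-DomainGroupLocalAdmins | Format-Table -AutoSize
```

Any row in the first table is an Allow entry for someone other than the owner, Administrators or SYSTEM; add SIDs to `$keepSids` for principals you intend to keep.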
 
CleanupPing Commented:
infiniteposse:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
 
trywaredk Commented:
:o) Glad I could help you - thank you for the points