LCiaccio
asked on
I want to prevent users from saving anywhere but my documents folder.
Windows 2000 environment. Can I use GPOs to set this up throughout the network, or do I have to set folder permissions on each machine separately?
How can I set up a group policy so that the user cannot save anywhere to disk, just to My Documents?
ASKER
This answer is good, but I would also need to know what folders on the system drive the user would need write access to.
R, that is dangerous as a logged on user performing normal operations may very well be writing to temporary files and configuration files. We found this out by accident one day and almost locked ourselves completely out of the drive.
I believe a better solution would be to redirect the My Documents to a network share and then use Group Policy to "Hide" the C drive.
In reality, it really depends on you.
A user could potentially run a computer with READ ONLY permissions on NTFS .... and save his work to a shared network folder.
As long as SYSTEM user has FullControl over the computer, any file created for temp reasons like the Pagefile for example, wouldn't have a problem in being created.
ASKER
Sam,
Does hiding the C drive prevent access to My Documents inside the user profile?
If you redirect, then they are saved to the network and if they look for the C drive, it "won't" exist. It still says My Documents, but it is actually on the server.
Properly designed Windows XP software won't have any problems, because it uses the Documents and Settings folder. But Sam is right in that a lot of programs aren't properly designed. At a minimum, you'd want the various temp directories to have user RW (C:\temp, and C:\windows\temp). After that, you'd need to go through the list of 3rd party software that's installed on the computer, and make sure each one works.
I'm not personally a big fan of the "hide the C drive"...it can cause some odd behavior in programs that just assume that the C drive exists.
>>>Well, you could create a GPO object and assign it to all the computers, and add an entry into the "File System Security" to modify the security.
First of all..........users, by default, have READ permission on the System Drive (C drive) and they can't save anything on it. So they can read.
You should do proper planning to implement this setting on your network, because users will use applications and the applications need to save to the Temp drive.
So for hiding all drives and restricting users to save anything on C D E F and so on but let them save their documents to My Documents folder you should do a proper planning in this way: -
First let me know how many drives you have on each workstation ?
On how many users you want to implement this setting ?
First of all, redirecting the My Documents folder is not the solution...configure the users' property for Home Folder, including their My Documents. So you will do the following things: -
1. You will configure Group Policy to hide the C drive (if it is not a system drive then you can hide it....if it is a system drive then do not hide it).
2. You will configure the user's property for Home Folder, and then run a script to point their My Documents folder location to the Home Folder you created (I assume it is F: Data drive for their use only).
3. Then you will configure a script (using Group Policy to process this script) to set the permission on drives (other than System Drive).
NOTE : You do not need to give permission to Home Folder for users because by default they have enough permissions to save anything on it.
Let me know.
Thanks
SystmProg
ASKER
Why can't I hide the system drive..... if I hide C: (system drive)
I can browse to C:\, I just can't view it in My Computer....is this right, and what is the purpose if I can just go Start->Run->c:\
>>>Why can't I hide the system drive..... if I hide C: (system drive)
I can browse to C:\, I just can't view it in My Computer....is this right, and what is the purpose if I can just go Start->Run->c:\
Yes...you are correct.....but as I said...by default, users don't have rights to save anything on the System Drive. So you do not need to hide this drive. If you want to hide it completely....then you should not, because it's a system drive and is needed for the system to function properly. There are many ways to hide this drive using utilities called XOSL (Xtended Operating System Loader or booter), Ptedit, Partition Magic....
And about Group Policy hiding....it has been clearly written and explained by M$ that it will prevent users from seeing it in Windows Explorer and My Computer.
What is your exact requirement ?
Please let us know.
Thanks
SystmProg
Kiss Method.
ASKER
Ultimate goal is to not let the user do anything to their computer.
ASKER
Is it true that under normal conditions users will only need r/w access on the <SYSTEMDRIVE>\WINNT\TEMP folder and Documents & Settings folder....Anything else?
Thanks!
In the GPO, go to Computer Configuration -> Windows Settings -> Security Settings -> File System
Right click in the right hand window pane, and click "Add File". Select the C drive, and click okay. Now adjust the permissions (presumably to deny write privilege to normal users) and ensure that inheritance is turned on.
Repeat to add the "documents and settings" folder, and adjust those settings to allow the users back in (probably with creator/owner).
You might have to play around a bit ... I think that the users need r/w to the spool directory as well...it's been a while. As with any changes, test thoroughly before deploying!
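As an added illustration that is not part of the original thread: File System entries configured this way are stored in the GPO's security template (GptTmpl.inf) as a [File Security] section of "path",mode,"SDDL" lines, and the Python below reads such a section and reports which paths still leave ordinary user groups able to write. The sample entries, the Apps and Shared paths and the function names are constructed for the example, and it evaluates only the ACEs written in the template, not inherited or pre-existing permissions.

```python
import re
from collections import defaultdict

WRITE_BITS = 0x2 | 0x4  # FILE_WRITE_DATA | FILE_APPEND_DATA
# SDDL right codes, with generic rights mapped to their file-specific masks.
RIGHTS = {"FA": 0x1F01FF, "GA": 0x1F01FF, "FW": 0x120116, "GW": 0x120116,
          "FR": 0x120089, "GR": 0x120089, "FX": 0x1200A0, "GX": 0x1200A0,
          "DC": 0x2, "LC": 0x4}
# Well-known SDDL aliases that cover ordinary logged-on users.
USER_SIDS = {"BU": "Users", "AU": "Authenticated Users",
             "IU": "Interactive", "WD": "Everyone"}
ENTRY = re.compile(r'^"([^"]+)",(\d),"([^"]+)"$')  # "path",mode,"SDDL"

# Constructed sample of a template's [File Security] section (not from the thread).
SAMPLE = r'''
[File Security]
"%SystemDrive%\",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
"%SystemRoot%\Temp",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;BU)"
"%SystemDrive%\Apps",0,"D:PAR(D;OICI;0x116;;;BU)(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;BU)"
"%SystemDrive%\Shared",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;WD)"
'''

def mask_of(rights):
    """Convert an SDDL rights field (hex or two-letter codes) to a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHTS.get(code, 0)
    return mask

def users_write_access(template_text):
    """Map each [File Security] path to the user groups left able to write."""
    report, in_section = {}, False
    for line in map(str.strip, template_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[file security]"
        match = ENTRY.match(line) if in_section else None
        if not match:
            continue
        path, _mode, sddl = match.groups()
        allow, deny = defaultdict(int), defaultdict(int)
        for ace in re.findall(r"\(([^)]*)\)", sddl):
            kind, _flags, rights, _obj, _inh, sid = ace.split(";")[:6]
            if sid in USER_SIDS and kind in ("A", "D"):
                (allow if kind == "A" else deny)[sid] |= mask_of(rights)
        report[path] = sorted(USER_SIDS[s] for s in allow
                              if allow[s] & ~deny[s] & WRITE_BITS)
    return report
```

Running `users_write_access` over a template before linking the GPO shows at a glance whether the temp directories kept their write access and whether any other path was left open to Users or Everyone.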