drotkopf

asked on

Prevent users from viewing hidden files and accessing other users "My Document" folders.

This is a 2 part question.

Currently running Windows SBS 2003.

PART 1:
Users can very easily view "hidden files" by going to TOOLS > FOLDER OPTIONS > VIEW > SHOW HIDDEN FILES AND FOLDERS.

Is there a way I can create a security policy or some other way of preventing normal users from being able to do this?  Bottom line is I do not want users on my network to be able to view hidden files unless they are an administrator.

PART2:
Our "My Document" folders are set up to store/sync on our domain controller rather than the local pc; this creates an issue of security as any network user can browse to the domain controller and view other users "My Document" folders.

Is it possible to continue to have the users "My Document" folder synced/stored on the domain controller but prevent other users from being able to browse to the domain controller and essentially browse into other users "My Document" folders?
mikeleebrla

Part 1. It sounds as though your users have 'local admin rights' of their own machine. Anyone that is a local admin can do whatever they want to that machine.  Solution, make them 'users' and not admins.

Part 2.  It sounds like your file share on your DC where your users folders/files are has basically no security on it. Solution: Set each of their folders so that only the user, the admin and any backup account has access to it.  This may require removing inherited permissions if the users are getting these permissions from the folder above.

>>Is it possible to continue to have the users "My Document" folder synced/stored
Absolutely.

Do you have roaming profiles?  Because the only time any syncing should be going on is if you are using roaming profiles (or if you have offline files set up, but that is designed for laptops).
Your users' 'my documents' folder should be pointed DIRECTLY to the file server (thus no syncing), preferably through folder redirection.



Just a note about hidden files.  Setting a file as 'hidden' is NOT a good way to set security.  You need to use NTFS security rights (what you see on the security tab on a file/folder's property page).

drotkopf

ASKER

We do use roaming profiles.

Isn't there a way to create a policy to remove the folder options menu item from the tools menu?  If someone could break down where I can find and set this policy that should remedy Part 1.

As for Part 2, I will check and see if it is as simple as only allowing the user and admins to access the "My Documents" folders.
>>We do use roaming profiles
Then explain what 'syncing' is going on.

>>I will check and see if it is as simple as only allowing the user and admins to access the "My Documents" folders
It is; if the other users didn't have rights to those folders, then they wouldn't be able to get into them.

Zenith63

In a GPO you can use the setting - "User Configuration\Administrative Templates\Windows Components\Windows Explorer\Remove the Folder Options menu item from the Tools menu" to stop users getting to where they can change the Hidden Files option.  It doesn't look like you can be any more granular than that, or even to turn off hidden files if a user has them turned on.  You would need to create your own Group Policy template to achieve this, which probably isn't worth it.  Oh and you could apply this to an OU only containing your users, not admins, or you could use security on the GPO to prevent Administrators applying the policy.

As Mike has been saying though, Hidden Files have nothing to do with security really, they're more there to stop somebody accidentally messing with a file they shouldn't.  NTFS permissions are what you use for security.

Again as Mike said for the My Documents folders you need to set the permissions on each folder such that only the user and administrators have access.  This is fairly easy to do, if you can just give us an idea of how the My Documents are stored on the server?  Right click on the My Documents folder on one of the client's PC and select Properties; what is in the Target field on that PC?
The key points to the questions have been addressed.  I would like to elaborate though:

Hiding a file is useless.  That's an old school method before file permissions were invented.

For your users' "My Documents" folders:  You don't really need to  use roaming profiles unless you have users logging onto multiple computers.  You can create a GPO for "Folder Redirection" and redirect their "My Documents" to their home directory on the server.  .........  You will need to set the permissions on their home directory to allow them exclusive access; though this can easily be done when creating new user accounts using \\servername\sharename\%username% on the profile page in AD users and computers.
As far as the "My Documents" folders are concerned:

The target field looks something like this: \\DC\Users\drotkopf\My Documents

The Security > Group or Usernames look like:

Creator Owner
Domain Admins
Folder Operators
drotkopf
System

My personal "Member Of" groups are:

Domain Power Users
Domain Users
Mobile Users
Remote Web Workplace Users
SupportGroup
Technology Integrators

*The last 2 being distribution groups.

As you can see I'm not an admin yet I can still browse to the DC and open other Users "My Document" folders even though I am also NOT in their "Security > Group or Usernames".

It would not seem as easy as just putting the persons username that should have access to the doc folder, because it is currently set up that way; but everyone still has access.

Would it be because I am a power user?
Anyone able to provide some more insight on this?
>>isn't there a way to create a policy to remove the folder options menu item from the tools menu?  If someone could break down where I can find and set this policy that should remedy Part 1.

>>Start > Run > type in gpedit.msc > OK > User Configuration, Administrative Templates, Windows Components, Windows Explorer > double-click Removes the Folder Options menu item from the Tools menu from the right panel > Select Enabled > OK

I know this can be done on the local machine level... is there any way to do this on the network level so I wouldn't have to manually set this on each machine?

The Domain Power Users group is a member of the Folder Operators group, hence if Folder Operators have access to every folder then members of the Domain Power Users group will also.  I would remove Folder Operators from each users' folder, there's no need for it to be there really.


On the Group Policy thing - Yes this can absolutely be done on the network level, using Group Policy.  In "Active Directory Users and Computers" you can right click on most folders (known as Organisational Units, OUs), select Properties, then select the Group Policy tab.  Note depending on your version of Windows and which folder you choose the option may not be there.
Ideally you will want an OU (or folder) with all your users in it, then right click, select Properties, Group Policy tab, Add a new GPO and set the setting I gave above to Enabled.  Now all users in the OU will have this applied.  Obviously you won't want Administrator in there.  Note you can't do this to the default Users folder where users go as it is not a "proper" OU and can't have Group Policies applied to it.
You can get more fancy (and a lot more powerful) by using permissions on GPOs to affect who the settings apply to but it's a bit more complex, so I suggest you try it out with OUs first, then progress if necessary.  An example of what you might do with permissions is to leave users in the folders they're in now, create a GPO at the top domain level to enforce this setting, create a group called "Do not block access to Folder Options" and make Administrator and yourself members, then set permissions on the GPO such that all users can "Apply Policy" but the "Do not block access to Folder Options" group is Denied permission to "Apply Policy".  A few double negatives in there, but the upshot is everybody is blocked access to their Folder Options except members of the group you made...
Zenith63

Thanks for the explanation on the Domain Power Users and the "My Documents" folders.  I did what you suggested and that worked perfectly!  The users can only access their My Document folder and no one else's.

Now as far as removing the folder options menu item from the tools menu; I don't have much experience creating GPOs at all; all I can tell you is that we run Windows Small Business Server 2003 and our users are stored in ACTIVE DIRECTORY USERS and COMPUTERS > DOMAIN.LOCAL > MY BUSINESS > USERS > SBS USERS.  Everyone from Administrators, Power Users, Mobile Users and Users are kept in this "folder".
Ultimately I would like to keep everyone here, and create a policy for removing the folder options menu from the tools menu as well as a group for "Do not block access to the Folder Options Menu" and have the policy apply to every user with the exception of the users that are members of the "Do not block access to the Folder Options Menu" group.

Any chance at having you break down that process for me step by step?


Thanks again for the help with the "My Documents" issue.
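
The permission problem resolved above (a group entry on each user's folder that grants access through nested group membership) can be audited across the whole share. The following is an added example, not part of the original thread or any poster's code: the function name `Find-UnexpectedAce`, the `DOMAIN` prefix, the allow-list and the rights/inheritance values in the sample are assumptions, and it assumes PowerShell 3.0 or later with one folder per user named after the account, as in `\\DC\Users\drotkopf`.

```powershell
# Added example: report Allow entries on a per-user folder that belong to
# anyone other than the folder's own user or an expected admin/system principal.
function Find-UnexpectedAce {
    param(
        [Parameter(Mandatory)] [string]   $FolderName,  # expected owner's account name
        [Parameter(Mandatory)] [object[]] $Access,      # ACEs, e.g. (Get-Acl <path>).Access
        # Assumed allow-list; adjust to the principals your site really needs.
        [string[]] $Allowed = @('Domain Admins', 'Administrators', 'SYSTEM', 'CREATOR OWNER')
    )
    foreach ($ace in $Access) {
        # Deny entries never widen access, so only Allow entries are reviewed.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Drop the "DOMAIN\" or "NT AUTHORITY\" prefix before comparing names.
        $name = ([string]$ace.IdentityReference) -replace '^.*\\', ''
        if ($name -eq $FolderName -or $Allowed -contains $name) { continue }

        [pscustomobject]@{
            Folder    = $FolderName
            Identity  = [string]$ace.IdentityReference
            Rights    = [string]$ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Constructed sample: the five principals listed in the thread for
# \\DC\Users\drotkopf. Rights and inheritance flags are made up for the demo.
$sample = @(
    'CREATOR OWNER'
    'DOMAIN\Domain Admins'
    'DOMAIN\Folder Operators'
    'DOMAIN\drotkopf'
    'NT AUTHORITY\SYSTEM'
) | ForEach-Object {
    [pscustomobject]@{
        IdentityReference = $_
        FileSystemRights  = 'FullControl'
        AccessControlType = 'Allow'
        IsInherited       = $true
    }
}

Find-UnexpectedAce -FolderName 'drotkopf' -Access $sample | Format-Table -AutoSize

# Against the real share, from an account allowed to read the ACLs:
# Get-ChildItem '\\DC\Users' -Directory | ForEach-Object {
#     Find-UnexpectedAce -FolderName $_.Name -Access (Get-Acl -LiteralPath $_.FullName).Access
# }
```

Any group the audit reports still needs its membership reviewed, including nested groups, since that nesting is what exposed the folders in this thread. An `Inherited` value of true means the entry has to be removed on the parent folder, or inheritance broken, rather than edited on the user's folder.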
ASKER CERTIFIED SOLUTION
Zenith63
