Prevent users from viewing hidden files and accessing other users "My Document" folders.

Posted on 2007-07-31
Last Modified: 2013-12-04
This is a 2 part question.

Currently running Windows SBS 2003.

Users can very easily view "hidden files" by going to TOOLS > FOLDER OPTIONS > VIEW > SHOW HIDDEN FILES AND FOLDERS.

Is there a way I can create a security policy or some other way of preventing normal users from being able to do this?  Bottom line is I do not want users on my network to be able to view hidden files unless they are an administrator.

Our "My Document" folders are set up to store/sync on our domain controller rather than the local pc; this creates an issue of security as any network user can browse to the domain controller and view other users "My Document" folders.

Is it possible to continue to have the users "My Document" folder synced/stored on the domain controller but prevent other users from being able to browse to the domain controller and essentially browse into other users "My Document" folders?
Question by: drotkopf
    LVL 25

    Expert Comment

    Part 1. It sounds as though your users have 'local admin rights' on their own machine. Anyone that is a local admin can do whatever they want to that machine.  Solution: make them 'users' and not admins.

    Part 2.  It sounds like your file share on your DC where your users folders/files are has basically no security on it. Solution: Set each of their folders so that only the user, the admin and any backup account has access to it.  This may require removing inherited permissions if the users are getting these permissions from the folder above.

    >>Is it possible to continue to have the users "My Document" folder synced/stored

    Do you have roaming profiles?  Because the only time any syncing should be going on is if you are using roaming profiles (or if you have offline files set up, but that is designed for laptops).
    Your users' 'My Documents' folder should be pointed DIRECTLY to the file server (thus no syncing), preferably through folder redirection.

    LVL 25

    Expert Comment

    Just a note about hidden files.  Setting a file as 'hidden' is NOT a good way to set security.  You need to use NTFS security rights (what you see on the security tab on a file/folder's property page).


    Author Comment

    We do use roaming profiles.

    Isn't there a way to create a policy to remove the folder options menu item from the tools menu?  If someone could break down where I can find and set this policy, that should remedy Part 1.

    As for Part 2, I will check and see if it is as simple as only allowing the user and admins to access the "My Documents" folders.
    LVL 25

    Expert Comment

    >>We do use roaming profiles
    Then explain what 'syncing' is going on then.

    >>I will check and see if it is as simple as only allowing the user and admins to access the "My Documents" folders
    It is; if the other users didn't have rights to those folders, then they wouldn't be able to get into them.

    LVL 11

    Expert Comment

    In a GPO you can use the setting "User Configuration\Administrative Templates\Windows Components\Windows Explorer\Remove the Folder Options menu item from the Tools menu" to stop users getting to where they can change the Hidden Files option.  It doesn't look like you can be any more granular than that, or even turn off hidden files if a user has them turned on.  You would need to create your own Group Policy template to achieve this, which probably isn't worth it.  Oh, and you could apply this to an OU only containing your users, not admins, or you could use security on the GPO to prevent Administrators applying the policy.

    As Mike has been saying though, Hidden Files have nothing to do with security really; they're more there to stop somebody accidentally messing with a file they shouldn't.  NTFS permissions are what you use for security.

    Again, as Mike said, for the My Documents folders you need to set the permissions on each folder such that only the user and administrators have access.  This is fairly easy to do, if you can just give us an idea of how the My Documents are stored on the server.  Right click on the My Documents folder on one of the client PCs and select Properties; what is in the Target field on that PC?
    LVL 5

    Expert Comment

    The key points to the questions have been addressed.  I would like to elaborate though:

    Hiding a file is useless.  That's an old school method before file permissions were invented.

    For your users' "My Documents" folders:  You don't really need to use roaming profiles unless you have users logging onto multiple computers.  You can create a GPO for "Folder Redirection" and redirect their "My Documents" to their home directory on the server.  .........  You will need to set the permissions on their home directory to allow them exclusive access; though this can easily be done when creating new user accounts using \\servername\sharename\%username% on the profile page in AD users and computers.

    Author Comment

    As far as the "My Documents" folders are concerned:

    The target field looks something like this: \\DC\Users\drotkopf\My Documents

    The Security > Group or Usernames look like:

    Creator Owner
    Domain Admins
    Folder Operators

    My personal "Member Of" groups are:

    Domain Power Users
    Domain Users
    Mobile Users
    Remote Web Workplace Users
    Technology Integrators

    *The last 2 being distribution groups.

    As you can see I'm not an admin yet I can still browse to the DC and open other Users "My Document" folders even though I am also NOT in their "Security > Group or Usernames".

    It would not seem as easy as just putting the persons username that should have access to the doc folder, because it is currently set up that way; but everyone still has access.

    Would it be because I am a power user?

    Author Comment

    Anyone able to provide some more insight on this?

    Author Comment

    >>isn't there a way to create a policy to remove the folder options menu item from the tools menu?  If someone could break down where I can find and set this policy that should remedy Part 1.

    >>Start > Run > type in gpedit.msc > OK > User Configuration, Administrative Templates, Windows Components, Windows Explorer > double-click Removes the Folder Options menu item from the Tools menu from the right panel > Select Enabled > OK

    I know this can be done on the local machine level... is there any way to do this on the network level so I wouldn't have to manually set this on each machine?

    LVL 11

    Expert Comment

    The Domain Power Users group is a member of the Folder Operators group, hence if Folder Operators have access to every folder then members of the Domain Power Users group will also.  I would remove Folder Operators from each user's folder; there's no need for it to be there really.

    On the Group Policy thing: yes, this can absolutely be done on the network level, using Group Policy.  In "Active Directory Users and Computers" you can right click on most folders (known as Organisational Units, OUs), select Properties, then select the Group Policy tab.  Note that depending on your version of Windows and which folder you choose, the option may not be there.
    Ideally you will want an OU (or folder) with all your users in it, then right click, select Properties, Group Policy tab, Add a new GPO and set the setting I gave above to Enabled.  Now all users in the OU will have this applied.  Obviously you won't want Administrator in there.  Note you can't do this to the default Users folder where users go, as it is not a "proper" OU and can't have Group Policies applied to it.
    You can get more fancy (and a lot more powerful) by using permissions on GPOs to affect who the settings apply to but it's a bit more complex, so I suggest you try it out with OUs first, then progress if necessary.  An example of what you might do with permissions is to leave users in the folders they're in now, create a GPO at the top domain level to enforce this setting, create a group called "Do not block access to Folder Options" and make Administrator and yourself members, then set permissions on the GPO such that all users can "Apply Policy" but the "Do not block access to Folder Options" group is Denied permission to "Apply Policy".  A few double negatives in there, but the upshot is everybody is blocked access to their Folder Options except members of the group you made...
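
The folder-permission check discussed in this thread, as an added example that is not part of any post: a PowerShell audit that lists every Allow entry on each user's folder (and its "My Documents" subfolder) that is neither the folder's own user nor an expected administrative principal, which is how a group such as Folder Operators shows up. The `\\DC\Users\<username>` layout is taken from the thread; the `DOMAIN` placeholder and the allow-list are assumptions to adjust.

```powershell
# Added example: audit per-user folders under a share for unexpected ACL entries.
# Assumes one folder per user named after the account, e.g. \\DC\Users\drotkopf.
param(
    [string]$Root   = '\\DC\Users',
    [string]$Domain = 'DOMAIN'      # placeholder NetBIOS domain name
)

# Principals expected on every user folder besides the folder's own user (assumed list).
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CREATOR OWNER',
    "$Domain\Domain Admins"
)

function Get-UnexpectedAce {
    param([string]$FolderPath, [string]$OwnerAccount, [string[]]$Allowed)
    $acl = Get-Acl -Path $FolderPath
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # -eq and -contains compare strings case-insensitively in PowerShell.
        if ($who -eq $OwnerAccount -or $Allowed -contains $who) { continue }
        New-Object PSObject -Property @{
            Folder    = $FolderPath
            Identity  = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # True: fix it on the parent, not here
        }
    }
}

Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $owner = "$Domain\$($_.Name)"
    $paths = @($_.FullName)
    $docs  = Join-Path $_.FullName 'My Documents'
    if (Test-Path $docs) { $paths += $docs }
    foreach ($p in $paths) {
        Get-UnexpectedAce -FolderPath $p -OwnerAccount $owner -Allowed $expected
    }
} | Format-Table Folder, Identity, Rights, Inherited -AutoSize
```

An empty result means no group outside the allow-list has an Allow entry; rows with `Inherited` set to True point at a permission granted on a parent folder.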

    Author Comment


    Thanks for the explanation on the Domain Power Users and the "My Documents" folders.  I did what you suggested and that worked perfectly!  The users can only access their My Document folder and no one else's.

    Now as far as removing the folder options menu item from the tools menu: I don't have much experience creating GPOs at all; all I can tell you is that we run Windows Small Business Server 2003 and our users are stored in ACTIVE DIRECTORY USERS and COMPUTERS > DOMAIN.LOCAL > MY BUSINESS > USERS > SBS USERS.  Everyone from Administrators, Power Users, Mobile Users and Users is kept in this "folder".
    Ultimately I would like to keep everyone here, and create a policy for removing the folder options menu from the tools menu as well as a group for "Do not block access to the Folder Options Menu" and have the policy apply to every user with the exception of the users that are members of the "Do not block access to the Folder Options Menu" group.

    Any chance at having you break down that process for me step by step?

    Thanks again for the help with the "My Documents" issue.
    LVL 11

    Accepted Solution

    - Create your "Do not block access to the Folder Options Menu" group and set any members you want.
    - Open Administrative Tools/Group Policy Management
    - Expand the tree until you come to your domain name, right click on it and select "Create and Link a GPO Here" then give it a descriptive name, like "Block access to folder options".
    - Now right click your "Block access to folder options" GPO on the list and select Edit.  You'll now be brought to the GPO Editor where you can set the policies you want (see my other post for the one you want).
    - When you've set the ones you want you can close the GPO Editor.
    - This GPO will now be in effect (may take 15 mins to propagate to clients) but by default will apply to all "Authenticated Users", eg. everybody!
    - So back at the Group Policy Management window select your "Block access to folder options" and in the right pane select the Delegation tab.
    - Click the Add button to add your "Do not block access to the Folder Options Menu" group.
    - When you've added this group it should be listed on the Delegation tab.  Select it and click the Advanced button.  At the bottom of the list of permissions you'll see "Apply group policy", which is set to Allow at the moment; change this to Deny and accept any warnings.  Leave all other permissions; if you remove or deny any of the other ones you may remove the Administrator's permission to edit the GPO in future.

    That's it, test it out and see if it is working.  You can run "gpupdate /force" on any Windows 2003/Windows XP PCs a couple of times to force an update of Group Policy on that PC.
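
One way to do the "test it out" step on a client, as an added example that is not part of the accepted answer: a PowerShell check that compares the logged-on user's membership of the exempt group with the `NoFolderOptions` registry value this policy writes under the user's Policies\Explorer key. It assumes PowerShell 2.0 or later is installed on the client and that the group has the name used in the steps above.

```powershell
# Added example: run as the logged-on user on a client PC after "gpupdate /force".
# The group name is the one created in the steps above; adjust if yours differs.
param([string]$ExemptGroup = 'Do not block access to the Folder Options Menu')

function Test-FolderOptionsPolicy {
    param([string]$ExemptGroup)

    # Group names from the current logon token (nested groups already resolved).
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groups = @($identity.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    })
    $isExempt = [bool]($groups | Where-Object { $_ -like "*\$ExemptGroup" })

    # Registry value written by the "Removes the Folder Options menu item" policy.
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $prop = Get-ItemProperty -Path $key -Name NoFolderOptions -ErrorAction SilentlyContinue
    $isBlocked = ($null -ne $prop) -and ($prop.NoFolderOptions -eq 1)

    if ($isExempt -and $isBlocked) {
        $verdict = 'FAIL: exempt user is still blocked; check the Deny on "Apply group policy"'
    } elseif (-not $isExempt -and -not $isBlocked) {
        $verdict = 'FAIL: policy not applied; check the GPO link, then log off and on again'
    } else {
        $verdict = 'OK'
    }
    New-Object PSObject -Property @{
        User = $identity.Name; Exempt = $isExempt; Blocked = $isBlocked; Verdict = $verdict
    }
}

Test-FolderOptionsPolicy -ExemptGroup $ExemptGroup |
    Format-List User, Exempt, Blocked, Verdict
```

Group membership is read from the logon token, so a user added to the exempt group must log off and on before either the Deny filter or this check reflects the change.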
