Prevent users from viewing hidden files and accessing other users "My Document" folders.

Posted on 2007-07-31
Medium Priority
Last Modified: 2013-12-04
This is a 2 part question.

Currently running Windows SBS 2003.

Users can very easily view "hidden files" by going to TOOLS > FOLDER OPTIONS > VIEW > SHOW HIDDEN FILES AND FOLDERS.

Is there a way I can create a security policy or some other way of preventing normal users from being able to do this?  Bottom line is I do not want users on my network to be able to view hidden files unless they are an administrator.

Our "My Document" folders are set up to store/sync on our domain controller rather than the local pc; this creates an issue of security as any network user can browse to the domain controller and view other users "My Document" folders.

Is it possible to continue to have the users "My Document" folder synced/stored on the domain controller but prevent other users from being able to browse to the domain controller and essentially browse into other users "My Document" folders?
Question by:drotkopf
LVL 25

Expert Comment

ID: 19603548
Part 1. It sounds as though your users have 'local admin rights' of their own machine. Anyone that is a local admin can do whatever they want to that machine.  Solution, make them 'users' and not admins.

Part 2.  It sounds like your file share on your DC where your users folders/files are has basically no security on it. Solution: Set each of their folders so that only the user, the admin and any backup account has access to it.  This may require removing inherited permissions if the users are getting these permissions from the folder above.

>>Is it possible to continue to have the users "My Document" folder synced/stored

Do you have roaming profiles?  b/c the only time any synching should be going on is if you are using roaming profiles (or if you have offline files set up, but that is designed for laptops).
Your users' 'my documents' folder should be pointed DIRECTLY to the file server (thus no synching), preferably through folder redirection.

LVL 25

Expert Comment

ID: 19603584
Just a note about hidden files.  Setting a file as 'hidden' is NOT a good way to set security.  You need to use NTFS security rights (what you see on the security tab on a file/folder's property page).


Author Comment

ID: 19603588
We do use roaming profiles.

Isn't there a way to create a policy to remove the folder options menu item from the tools menu?  If someone could break down where I can find and set this policy that should remedy Part 1.

As for Part 2, I will check and see if it is as simple as only allowing the user and admins to access the "My Documents" folders.

LVL 25

Expert Comment

ID: 19603614
>>We do use roaming profiles
Then explain what 'synching' is going on then.

>>I will check and see if it is as simple as only allowing the user and admins to access the "My Documents" folders
It is; if the other users didn't have rights to those folders, then they wouldn't be able to get into them.

LVL 11

Expert Comment

ID: 19603781
In a GPO you can use the setting - "User Configuration\Administrative Templates\Windows Components\Windows Explorer\Remove the Folder Options menu item from the Tools menu" to stop users getting to where they can change the Hidden Files option.  It doesn't look like you can be any more granular than that, or even to turn off hidden files if a user has them turned on.  You would need to create your own Group Policy template to achieve this, which probably isn't worth it.  Oh and you could apply this to an OU only containing your users, not admins, or you could use security on the GPO to prevent Administrators applying the policy.

As Mike has been saying though, Hidden Files have nothing to do with security really, they're more there to stop somebody accidentally messing with a file they shouldn't.  NTFS permissions are what you use for security.

Again as Mike said for the My Documents folders you need to set the permissions on each folder such that only the user and administrators have access.  This is fairly easy to do, if you can just give us an idea of how the My Documents are stored on the server?  Right click on the My Documents folder on one of the client's PC and select Properties; what is in the Target field on that PC?

Expert Comment

ID: 19606219
The key points to the questions have been addressed.  I would like to elaborate though:

Hiding a file is useless.  That's an old school method before file permissions were invented.

For your users' "My Documents" folders:  You don't really need to use roaming profiles unless you have users logging onto multiple computers.  You can create a GPO for "Folder Redirection" and redirect their "My Documents" to their home directory on the server.  .........  You will need to set the permissions on their home directory to allow them exclusive access; though this can easily be done when creating new user accounts using \\servername\sharename\%username% on the profile page in AD users and computers.

Author Comment

ID: 19611027
As far as the "My Documents" folders are concerned:

The target field looks something like this: \\DC\Users\drotkopf\My Documents

The Security > Group or Usernames look like:

Creator Owner
Domain Admins
Folder Operators

My personal "Member Of" groups are:

Domain Power Users
Domain Users
Mobile Users
Remote Web Workplace Users
Technology Integrators

*The last 2 being distribution groups.

As you can see I'm not an admin yet I can still browse to the DC and open other Users "My Document" folders even though I am also NOT in their "Security > Group or Usernames".

It would not seem as easy as just putting the persons username that should have access to the doc folder, because it is currently set up that way; but everyone still has access.

Would it be because I am a power user?

Author Comment

ID: 19616878
Anyone able to provide some more insight on this?

Author Comment

ID: 19616901
>>isn't there a way to create a policy to remove the folder options menu item from the tools menu?  If someone could break down where I can find and set this policy that should remedy Part 1.

>>Start > Run > type in gpedit.msc > OK > User Configuration, Administrative Templates, Windows Components, Windows Explorer > double-click Removes the Folder Options menu item from the Tools menu from the right panel > Select Enabled > OK

I know this can be done on the local machine level... is there any way to do this on the network level so I wouldn't have to manually set this on each machine?

LVL 11

Expert Comment

ID: 19620902
The Domain Power Users group is a member of the Folder Operators group, hence if Folder Operators have access to every folder then members of the Domain Power Users group will also.  I would remove Folder Operators from each user's folder, there's no need for it to be there really.

On the Group Policy thing - Yes this can absolutely be done on the network level, using Group Policy.  In "Active Directory Users and Computers" you can right click on most folders (known as Organisational Units, OUs), select Properties, then select the Group Policy tab.  Note depending on your version of Windows and which folder you choose the option may not be there.
Ideally you will want an OU (or folder) with all your users in it, then right click, select Properties, Group Policy tab, Add a new GPO and set the setting I gave above to Enabled.  Now all users in the OU will have this applied.  Obviously you won't want Administrator in there.  Note you can't do this to the default Users folder where users go as it is not a "proper" OU and can't have Group Policies applied to it.
You can get more fancy (and a lot more powerful) by using permissions on GPOs to affect who the settings apply to but it's a bit more complex, so I suggest you try it out with OUs first, then progress if necessary.  An example of what you might do with permissions is to leave users in the folders they're in now, create a GPO at the top domain level to enforce this setting, create a group called "Do not block access to Folder Options" and make Administrator and yourself members, then set permissions on the GPO such that all users can "Apply Policy" but the "Do not block access to Folder Options" group is Denied permission to "Apply Policy".  A few double negatives in there, but the upshot is everybody is blocked access to their Folder Options except members of the group you made...
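An audit for the situation described above, where a group such as Folder Operators on each folder quietly grants access through nested membership. This is an added example, not part of the original post; it assumes Windows PowerShell 2.0 or later, the `\\DC\Users` share root quoted in the thread, folders named after the owner's logon name, and `DOMAIN` as a placeholder for the NetBIOS domain name.

```powershell
# Added example (not from the thread): list every Allow entry on a user's folder
# that is not the owner, an administrator principal, or SYSTEM.
param(
    [string]$ShareRoot = '\\DC\Users',   # path quoted in the thread
    [string]$Domain    = 'DOMAIN'        # placeholder NetBIOS domain name
)

# Principals expected on every user's folder besides the owner (assumed baseline).
$allowed = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CREATOR OWNER',
    "$Domain\Domain Admins"
)

function Get-UnexpectedAce {
    param([string]$Path, [string]$OwnerAccount, [string[]]$Allowed)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny entries grant nothing
        if ($id -eq $OwnerAccount)              { continue }   # the folder's own user
        if ($Allowed -contains $id)             { continue }   # expected admin principals
        # Anything left is a group or user that can reach this folder.
        New-Object PSObject -Property @{
            Folder    = $Path
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # True means fix it on the parent folder
        }
    }
}

Get-ChildItem -Path $ShareRoot |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        Get-UnexpectedAce -Path $_.FullName `
                          -OwnerAccount "$Domain\$($_.Name)" `
                          -Allowed $allowed
    } |
    Format-Table Folder, Identity, Rights, Inherited -AutoSize
```

An entry reported with `Inherited` set to True comes from the share root or a parent folder, so removing it on the individual folder will not stick until inheritance is changed there.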

Author Comment

ID: 19626963

Thanks for the explanation on the Domain Power Users and the "My Documents" folders.  I did what you suggested and that worked perfectly!  The users can only access their My Document folder and no one else's.

Now as far as removing the folder options menu item from the tools menu; I don't have much experience creating GPOs at all; all I can tell you is that we run Windows Small Business Server 2003 and our users are stored in ACTIVE DIRECTORY USERS and COMPUTERS > DOMAIN.LOCAL > MY BUSINESS > USERS > SBS USERS.  Everyone from Administrators, Power Users, Mobile Users and Users are kept in this "folder".
Ultimately I would like to keep everyone here, and create a policy for removing the folder options menu from the tools menu as well as a group for "Do not block access to the Folder Options Menu" and have the policy apply to every user with the exception of the users that are members of the "Do not block access to the Folder Options Menu" group.

Any chance at having you break down that process for me step by step?

Thanks again for the help with the "My Documents" issue.
LVL 11

Accepted Solution

Zenith63 earned 2000 total points
ID: 19627091
- Create your "Do not block access to the Folder Options Menu" group and set any members you want.
- Open Administrative Tools/Group Policy Management
- Expand the tree until you come to your domain name, right click on it and select "Create and Link a GPO Here" then give it a descriptive name, like "Block access to folder options".
- Now right click your "Block access to folder options" GPO on the list and select Edit.  You'll now be brought to the GPO Editor where you can set the policies you want (see my other post for the one you want).
- When you've set the ones you want you can close the GPO Editor.
- This GPO will now be in effect (may take 15 mins to propagate to clients) but by default will apply to all "Authenticated Users", eg. everybody!
- So back at the Group Policy Management window select your "Block access to folder options" and in the right pane select the Delegation tab.
- Click the Add button to add your "Do not block access to the Folder Options Menu" group.
- When you've added this group it should be listed on the Delegation tab.  Select it and click the Advanced button.  At the bottom of the list of permissions you'll see "Apply group policy" which is set to allow at the moment, change this to Deny and accept any warnings.  Leave all other permissions, if you remove or Deny any of the other ones you may remove the Administrator's permission to edit the GPO in future.

That's it, test it out and see if it is working.  You can run "gpupdate /force" on any Windows 2003/Windows XP PCs a couple of times to force an update of Group Policy on that PC.
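A check for the "test it out" step, written as an added example that is not part of the original answer: run it as the logged-on user to compare group membership with the policy state. It assumes Windows PowerShell 2.0 or later, the group name used in the thread, and that the policy is stored as the `NoFolderOptions` value under the per-user Explorer policies key.

```powershell
# Added example (not from the thread): does the Folder Options policy match
# what the Deny "Apply group policy" filtering should produce for this user?
$ExemptGroup = 'Do not block access to the Folder Options Menu'   # name from the thread
$PolicyKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Test-FolderOptionsPolicy {
    param([string]$ExemptGroup, [string]$PolicyKey)

    # Group names taken from the current logon token (nested memberships included).
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groups = foreach ($sid in $identity.Groups) {
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { }   # SIDs that cannot be resolved to a name are skipped
    }
    $isExempt = [bool]($groups | Where-Object { $_ -like "*\$ExemptGroup" })

    # The policy is in force when NoFolderOptions exists and equals 1.
    $value = $null
    if (Test-Path $PolicyKey) {
        $value = (Get-ItemProperty -Path $PolicyKey).NoFolderOptions
    }
    $blocked = ($value -eq 1)

    New-Object PSObject -Property @{
        User                 = $identity.Name
        Exempt               = $isExempt
        FolderOptionsBlocked = $blocked
        # Expected: exempt users are not blocked, everyone else is.
        Consistent           = ($isExempt -ne $blocked)
    }
}

Test-FolderOptionsPolicy -ExemptGroup $ExemptGroup -PolicyKey $PolicyKey |
    Format-List User, Exempt, FolderOptionsBlocked, Consistent
```

Group membership is read from the logon token, so a user added to the exemption group has to log off and on again before the result changes.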
