GPO Locking Down C: Drive?

januismer
januismer used Ask the Experts™
on
How do I give my users rights to the C: drive via GPO?  My users can see the C: drive and browse it, but they can't create or modify the C: drive.  It says that the administrator doesn't allow it (Or something along those lines).

I don't know what is locking it down???
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Author

Commented:
A little more info...

Windows XP SP3, and Windows Server 2008 R2.
Jason WatkinsIT Project Leader

Commented:
Hello,

The standard access control lists for the C:\ drive are what is locking it down. Only administrators, local and domain, have full control access to everything on C:\

I would advise against giving users full control access to C:\, or making their user accounts members in the administrators group. With that, any piece of mal-ware which finds it's way onto their desktops will do so with full administrative privileges.

Unless you like re-imaging, or reinstalling Windows often, don't give the users full access to C:\. I am not trying to tell you how to administer your resources, but escalating a user's rights on the system, in order to give him/her the ability to perform a specific task is a bad idea. What is it you are trying to do, exactly?

Author

Commented:
Well... We have an education administration application that is trying to install PDF and MICR files for payroll purposes.  The application is designed so that the user can just choose "Install PDF files" or "Install MICR files" and it does its thing.  It needs access to the C: drive to install the files, hence the problem.

Do you suggest that we (admins) log in everytime we need to install something small like this?  I understand the reasoning behind locking down the C: drive, but I'm not sure I can be available every time a teacher or staff member needs to make a minor change to thier system.

Looking for guidance...

IT Project Leader
Commented:
Your question is very common, mostly because software developers are not network admins. or security conscious.

The options are to make the users of this application local administrators, NOT domain administrators. This will fix all issues, but I guarantee you will be removing mal-ware from Windows by months end.

Another is to find the registry keys this application uses and give the folks Full Control access to those keys. The SysInternals suite can help you find out exactly what keys are involved.

http://technet.microsoft.com/en-us/sysinternals/bb795533.aspx

Maybe just a simple case of giving the users Write, or Modify access to the folders in question will do it?

Author

Commented:
Thanks!

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial