Solved

Group policy for write access to C: drive only

Posted on 2010-08-13
Last Modified: 2013-12-04
Hi experts,

I have a Windows 2008R2 domain with several computers and regular non-admin users. The problem is that they use a program that needs write permission only on the root drive C: in Windows XP.
How can I fix this with a GPO without giving them more permission than needed?

Thanks.
0
Question by:helhas
15 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33428613
Directly to the C-drive or to some folder on the C-drive?
0
 
LVL 5

Expert Comment

by:rov17
ID: 33428623
There is a GP to hide drives if you want to protect them

User Configuration, Administrative Templates, Windows Components, and Windows Explorer.
Click Hide these specified drives in My Computer.
Click to select the Hide these specified drives in My Computer check box.

http://support.microsoft.com/kb/231289
0
 
LVL 5

Expert Comment

by:rov17
ID: 33428651
You also can use the option of "Prevent access to drives from My Computer" if you don't want to hide it.

User Configuration
Administrative Template
Windows Components
Windows Explorer
"Hide these specified drives in My Computer"
"Prevent access to drives from My Computer"
0

Author Comment

by:helhas
ID: 33428771
Hi,

I don't want to hide anything, I just want to give them write permission directly to the C-drive.
Don't ask who wrote this piece of crap software, but I need to get it working.

Thanks.
0
 
LVL 5

Expert Comment

by:rov17
ID: 33428823
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33429113
I would suggest modifying the standard RootSec.inf security template and applying it via a GPO to those workstations which need write access to the C-drive.

If you need help just let me know.
0
 

Author Comment

by:helhas
ID: 33429491
@rov17: What would this login script look like? The link states you substitute your C: drive by another drive, but the program must have access to C:

@iSiek: I am still a newbie with security templates, any more info on how this can be done would be appreciated.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33432748
Windows Server has default security templates defined. You can find them in %windir%\security\templates
There are a lot of INF files, which are some kind of registry settings. You can save a copy of one of them, called RootSec.inf, which is responsible for giving default permissions to the C-drive. After the OS is installed, it is applied to secure the C-drive (from XP onward). You can freely modify that security template and save it as your own, then import it into a GPO and link it to the proper OU (with computers) where those default settings should be modified.

I will try to prepare some guide in PDF if you're interested doing it that way.
0
 

Author Comment

by:helhas
ID: 33432934
@iSiek: So I can copy the RootSec.inf and give it another name like MyRootSec.inf edit it and link it to a GPO which is linked to specific computers/users?
What do I need to edit in the file?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33436066
You have to run mmc -> File -> Add/Remove Snap-in -> Add -> Security Templates on one of your DCs,
then navigate to the Security Templates node and look for %WINDIR%\Security\Templates\rootsec
Right-click on it and choose "Save as", then type a new name, e.g. "MyRootSec.inf"
Select the new security template and navigate to the "FileSystem" node. In the right pane, right-click on %SystemDrive%\ and choose "Properties". Now click on the "Edit Security..." button, then the "Add" button, and decide if you want to create a special group for those users (all of them will have write access to the C-drive on each computer with the policy applied) or add the "Authenticated Users" group (then each authenticated user in the domain will have write access to the C-drive). Give that group "Modify" permissions, click the "OK" button twice and save this template once again (choose "Save" on MyRootSec).

Now create a new GPO, navigate to "Computer Configuration -> Windows Settings -> Security Settings" and right-click on the "Security Settings" node. Choose "Import Policy", select your newly created security template (%WINDIR%\Security\Templates\MyRootSec.inf) and click "Open". Check that the policy has been imported by looking at the properties of %SystemDrive% under the "FileSystem" node to see if that group is applied.

Now, link this GPO to the OU where the workstations are (because it is a PC setting) and reboot them to apply the changes. After the reboot, test whether your users have write access to the C-drive.
0
 

Author Comment

by:helhas
ID: 33438449
Sounds like a perfect howto, I will try it out Tuesday next week and let you know if it worked.
Many thanks for your effort!
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33440361
You're welcome. BTW, how many computers need these changes (if no more than 5 you can customize security template for each of them and apply it manually)?
0
 

Author Comment

by:helhas
ID: 33450220
Hi,

It seems that there is no rootsec.inf file in Windows 2008 R2.
What inf file do I need to copy?

Thanks.
0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 750 total points
ID: 33452139
So, we need to create new security template :)

Follow these steps:

Run mmc -> File -> Add/Remove Snap-in -> Add -> Security Templates
Navigate to the C:\Users\ ... \Security\Templates node and right-click on it
Choose "New Template" and type its name (let's say MyRootSec)
Now, expand it and go to the "File System" section
In the middle window, right-click and select "Add File..."
Select the C-drive from the list and click OK
Click the "Add" button and decide if you want to create a special group for those users (all of them will have write access to the C-drive on each computer with the policy applied) or add the "Authenticated Users" group (then each authenticated user in the domain will have write access to the C-drive). Give that group "Modify" permissions, click the "OK" button twice and save this template once again (choose "Save" on MyRootSec).

Copy the newly created security template from C:\Users\<probably Administrator>\Documents\Security\Templates to %WINDIR%\SYSTEM32\SECURITY\TEMPLATES and

Now create a new GPO, navigate to "Computer Configuration -> Windows Settings -> Security Settings" and right-click on the "Security Settings" node. Choose "Import Policy", select your newly created security template (%WINDIR%\Security\Templates\MyRootSec.inf) and click "Open". Check that the policy has been imported by looking at the properties of %SystemDrive% under the "FileSystem" node to see if that group is applied.

Now, link this GPO to the OU where the workstations are (because it is a PC setting) and reboot them to apply the changes. After the reboot, test whether your users have write access to the C-drive.
0
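A check that can be run on the saved template before it is imported into the GPO, as an added example that is not part of the original thread: it parses the `[File Security]` section and lists write grants to broad groups, including whether each ACE inherits below the drive root. The sample template text, the list of broad groups and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample of a saved MyRootSec.inf after adding Authenticated Users
# with Modify on the drive root (assumed contents, not taken from the thread).
SAMPLE_INF = r'''[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
"%SystemDrive%\",0,"D:AR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;AU)"
'''

BROAD = {"AU": "Authenticated Users", "WD": "Everyone", "BU": "Users"}
NAMED = {"GA": 0x10000000, "GW": 0x40000000, "FA": 0x1F01FF, "FW": 0x120116}
# FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE | GENERIC_ALL | GENERIC_WRITE
WRITE_BITS = 0x2 | 0x4 | 0x10000 | 0x10000000 | 0x40000000
ENTRY = re.compile(r'^"([^"]+)",\s*([012]),\s*"([^"]*)"\s*$')

def pairs(text):
    return [text[i:i + 2] for i in range(0, len(text), 2)]  # 'OICI' -> ['OI', 'CI']

def rights_mask(rights):
    """Return the access mask for a hex ('0x1301bf') or named ('GRGX') field."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in pairs(rights):
        mask |= NAMED.get(code, 0)  # codes not listed in NAMED add no write bits here
    return mask

def broad_write_grants(inf_text):
    """List allow ACEs in [File Security] that give a broad group write access."""
    findings, in_section = [], False
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[file security]"
            continue
        entry = ENTRY.match(line) if in_section else None
        if not entry:
            continue
        for ace in re.findall(r"\(([^)]*)\)", entry.group(3)):
            fields = ace.split(";")
            if len(fields) != 6 or fields[0] != "A" or fields[5] not in BROAD:
                continue
            mask = rights_mask(fields[2])
            if mask & WRITE_BITS:
                findings.append({"path": entry.group(1), "trustee": BROAD[fields[5]],
                                 "rights": mask,
                                 "inherits": bool({"OI", "CI"} & set(pairs(fields[1])))})
    return findings
```

A finding with `inherits` set to true means the grant is not limited to the root folder itself: it also reaches every subfolder and file that inherits its permissions from C:\.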
 

Author Closing Comment

by:helhas
ID: 33557568
The explanation could be better and in more detail.
0
