Group policy for write access to C: drive only
Hi experts,
I have a Windows 2008R2 domain with several computers and regular non admin users. The problem is that they use a program that needs write permisseion only on the root drive C: in Windows XP.
How can I fix this with a GPO without giving them more permission than needed?
Thanks.
I have a Windows 2008R2 domain with several computers and regular non admin users. The problem is that they use a program that needs write permisseion only on the root drive C: in Windows XP.
How can I fix this with a GPO without giving them more permission than needed?
Thanks.
Krzysztof Pytko
directly to C-drive or some folder on C-drive?
there is a GP to hide drivers if you want to protect them
User Configuration, Administrative Templates, Windows Components, and Windows Explorer.
Click Hide these specified drives in My Computer.
Click to select the Hide these specified drives in My Computer check box.
http://support.microsoft.com/kb/231289
User Configuration, Administrative Templates, Windows Components, and Windows Explorer.
Click Hide these specified drives in My Computer.
Click to select the Hide these specified drives in My Computer check box.
http://support.microsoft.com/kb/231289
You also can use the option of "Prevent access to drives from My Computer" if you don't want to hide it.
User Configuration
Administrative Template
Windows Components
Windows Explorer
"Hide these specified drives in My Computer"
"Prevent access to drives from My Computer"
User Configuration
Administrative Template
Windows Components
Windows Explorer
"Hide these specified drives in My Computer"
"Prevent access to drives from My Computer"
ASKER
Hi,
I don't want to hide anything, I just want to give them write permission directly to the C-drive.
Don't ask who wrote this piece of crap software, but I need to get it working.
Thanks.
I don't want to hide anything, I just want to give them write permission directly to the C-drive.
Don't ask who wrote this piece of crap software, but I need to get it working.
Thanks.
In this case the best thing is a login script
Check this link:
https://www.experts-exchange.com/questions/26200186/Group-Policy-Windows-2008-allowing-write-access-to-one-folder-only.html
Check this link:
https://www.experts-exchange.com/questions/26200186/Group-Policy-Windows-2008-allowing-write-access-to-one-folder-only.html
I would suggest to modify standard RootSec.inf Security Template and apply it to GPO for those workstations which need write access to C-drive.
If you need help just let me know.
If you need help just let me know.
ASKER
@rov17: How would this login script look like? The link states you substitute your C: drive by another drive, but the program must have access to C:
@iSiek: I am still a newbie with security templates, any more info on how this can be done would be appreciated.
@iSiek: I am still a newbie with security templates, any more info on how this can be done would be appreciated.
Windows Server has default security templates defined. Yo can find them in %windir%\security\template
There are a lot of INF files which are some kind of registry settings. You can save copy of one of them called RootSec.inf which is responsible for giving default permission to C-drive. After OS is installed it is applied to secure C-drive (from XP above). You can freely modify that security template and save it as your own, then import to GPO and link to proper OU (with computers) where those default settings should be modified.
I will try to prepare some guide in PDF if you're interested doing it that way.
There are a lot of INF files which are some kind of registry settings. You can save copy of one of them called RootSec.inf which is responsible for giving default permission to C-drive. After OS is installed it is applied to secure C-drive (from XP above). You can freely modify that security template and save it as your own, then import to GPO and link to proper OU (with computers) where those default settings should be modified.
I will try to prepare some guide in PDF if you're interested doing it that way.
ASKER
@iSiek: So I can copy the RootSec.inf and give it another name like MyRootSec.inf edit it and link it to a GPO which is linked to specific computers/users?
What do I need to edit in the file?
What do I need to edit in the file?
You have to run mmc -> File -> Add/Remove Snap-in -> Add -> Security Templates on one of your DCs,
then navigate to Security Tempate's node and look for %WINDIR%\Security\Template
click right mouse button on it and choose "Save as" then type new name i.e. "MyRootSec.inf"
Select new security template and navigate to "FileSystem" node. In the right pane click right mouse button on %SystemDrive%\ and choose "Properties". Now click on "Edit Security..." button, "Add" button and decide if you want to create special group for those users (all of them will have write access to C-drive on each computer with policy appplied) or add "Authenticated Users" group (then each authenticated user in domain will have write access to C-drive). Give that group "Modify" permissions and click twice "OK" button and save this template once again (choose "Save" on MyRootSec).
Now create new GPO and navigate to "Computer Configuration -> Windows Settings -> Security Settings" and click right mouse button on "Security Settings" node. Choose "Import Policy" and select your newly create security template (%WINDIR%\Security\Templat
Now, link this GPO to OU where are workstations (because it is PC settings) and reboot them to apply changes. After reboot test, if your users have write access to C-drive.
then navigate to Security Tempate's node and look for %WINDIR%\Security\Template
click right mouse button on it and choose "Save as" then type new name i.e. "MyRootSec.inf"
Select new security template and navigate to "FileSystem" node. In the right pane click right mouse button on %SystemDrive%\ and choose "Properties". Now click on "Edit Security..." button, "Add" button and decide if you want to create special group for those users (all of them will have write access to C-drive on each computer with policy appplied) or add "Authenticated Users" group (then each authenticated user in domain will have write access to C-drive). Give that group "Modify" permissions and click twice "OK" button and save this template once again (choose "Save" on MyRootSec).
Now create new GPO and navigate to "Computer Configuration -> Windows Settings -> Security Settings" and click right mouse button on "Security Settings" node. Choose "Import Policy" and select your newly create security template (%WINDIR%\Security\Templat
Now, link this GPO to OU where are workstations (because it is PC settings) and reboot them to apply changes. After reboot test, if your users have write access to C-drive.
ASKER
Sounds like a perfect howto, I will try it out Tuesday next week and let you know if it worked.
Many thanks for your effort!
Many thanks for your effort!
You're welcome. BTW, how many computers need these changes (if no more than 5 you can customize security template for each of them and apply it manually)?
ASKER
Hi,
It seems that there is no rootsec.inf file in Windows 2008 R2.
What inf file do I need to copy?
Thanks.
It seems that there is no rootsec.inf file in Windows 2008 R2.
What inf file do I need to copy?
Thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The explanation could be better and in more detail.