Solved

Group policy win 2008 w/ XP SP3 workstations - how to prevent users from deleting files from Drive C:?

Posted on 2011-03-09
8
628 Views
Last Modified: 2012-05-11
Group policy win 2008 w/ XP SP3 workstations - how to prevent users from deleting files from Drive C:?

It's a bit urgent, thx in advance.
0
Comment
Question by:IT_Group1
8 Comments
 
LVL 14

Expert Comment

by:JAN PAKULA
ID: 35081210
dont give them local admin rights or power user rights - just domain user rights- they shouldnt be able to delete it then

Jan MA CCNA
0
 

Author Comment

by:IT_Group1
ID: 35081234
Thx for the swift reply.
I need those users to be local admin for other reasons, is there a more elegant way?

I thought of using NTFS permissions.
0
 
LVL 2

Expert Comment

by:namanov
ID: 35081262
Hi, you can use two way to achive this what you want.
1. You can use by Group policy, simple described here http://mcpmag.com/articles/2008/10/13/file-permissions-thru-group-policy.aspx
2. You can use startup script (which I prefer) with cacls or icacls command described here http://ss64.com/nt/cacls.html
0
 
LVL 8

Expert Comment

by:MarkieS
ID: 35081267
You could try hiding the C: drive through Group policy

http://support.microsoft.com/kb/231289

but that's the problem with making users Local Admin.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 2

Expert Comment

by:SyedJan
ID: 35081279
NTFS permission is the best option for this scenario.
0
 
LVL 28

Expert Comment

by:Ryan McCauley
ID: 35083630
As a different angle, can you explicitly grant the users the permissions for which they currently need local admin rights? You say they need it "for other reasons", but what other reasons are those? It may be cleaner to make the users regular domain users, and then explicitly give them the rights they need so you don't have to grant them local admin, which has any number of other implications.
0
 

Author Comment

by:IT_Group1
ID: 35205013
Hi experts

Any other ideas ?
0
 
LVL 8

Accepted Solution

by:
MarkieS earned 500 total points
ID: 35205222
Hi,

The ideas given will all work depending on your scenario.

You need to give a long list of feedback against each suggestion offered, outlining reasons why the suggestion will not work.  Then work to find a resolution.

1. Group Policy to Hide C:
2. Group Policy to explicitly "Allow access" with the user as a  Domain user only
3. CALCS - Startup script
4. NTFS Permissions

In my opinion, Option 2 is the most streamline.  Make the users Domain User only and explicitly grant them rights to files/folders/registry by using Group Policy.

But if this doesnt work in your scenario you need to say why.

cheers
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Account Lockouts 25 150
ADFS Redirection 4 31
How to apply the PAC URL and PAC file to a Windows 7 PC 2 24
Exchange 2007 Active Directory requiements 4 31
Synchronize a new Active Directory domain with an existing Office 365 tenant
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

25 Experts available now in Live!

Get 1:1 Help Now