Group policy win 2008 w/ XP SP3 workstations - how to prevent users from deleting files from Drive C:?

Group policy win 2008 w/ XP SP3 workstations - how to prevent users from deleting files from Drive C:?

It's a bit urgent, thx in advance.
Who is Participating?
MarkieSConnect With a Mentor Commented:

The ideas given will all work depending on your scenario.

You need to give a long list of feedback against each suggestion offered, outlining reasons why the suggestion will not work.  Then work to find a resolution.

1. Group Policy to Hide C:
2. Group Policy to explicitly "Allow access" with the user as a  Domain user only
3. CALCS - Startup script
4. NTFS Permissions

In my opinion, Option 2 is the most streamline.  Make the users Domain User only and explicitly grant them rights to files/folders/registry by using Group Policy.

But if this doesnt work in your scenario you need to say why.

JAN PAKULAICT Infranstructure ManagerCommented:
dont give them local admin rights or power user rights - just domain user rights- they shouldnt be able to delete it then

IT_Group1Author Commented:
Thx for the swift reply.
I need those users to be local admin for other reasons, is there a more elegant way?

I thought of using NTFS permissions.
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Hi, you can use two way to achive this what you want.
1. You can use by Group policy, simple described here
2. You can use startup script (which I prefer) with cacls or icacls command described here
You could try hiding the C: drive through Group policy

but that's the problem with making users Local Admin.
NTFS permission is the best option for this scenario.
Ryan McCauleyData and Analytics ManagerCommented:
As a different angle, can you explicitly grant the users the permissions for which they currently need local admin rights? You say they need it "for other reasons", but what other reasons are those? It may be cleaner to make the users regular domain users, and then explicitly give them the rights they need so you don't have to grant them local admin, which has any number of other implications.
IT_Group1Author Commented:
Hi experts

Any other ideas ?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.