Windows 7 Security Issues

We just started to deploy some Windows 7 64-bit PCs into our domain. They seem to be working very well with a few exceptions. Our biggest issue is the security that Microsoft has put onto this OS. I can open files and applications no problem as administrator, but then I switch to the user and WHAM, it is blocked. I have read a ton of forums with little success. With Windows XP I would basically just give everyone full permissions on the C drive, which would then give access to all subdirectories and files. Now you can't do that. Every other folder it basically halts and says you do not have permissions to perform that action. So I found a registry addition on a forum that I ran which gives the ability to take ownership. I did this and it works partially. After running the take ownership on a folder, some subfolders are changed and others still are not. So I try to do it manually. Again some go through and others do not. I just don't know where to go from here. I have done a lot of research and just can't find a decent answer to fix this. I mean, I would even purchase an application if it would help with this problem. One of my big problems right now is that I can't even write a temp file to the C drive.

Any help is greatly appreciated!

Sikhumbuzo Ntsada (IT Administration) Commented:
Are the users administrators on their local PC? Did you turn off the UAC?
eli290 (Author) Commented:
UAC is turned off, and no, they are not local admins; since this is a domain, I don't want users to be able to install their own software. But on a side note, I have tried to make a domain user a local admin and they still have these permission issues.
Our team is managing a domain with over 9,000 Windows 7 Enterprise workstations, and to be honest we never really encounter problems of that nature.

If you don't mind me asking, what type of functions do your end-users "need" to perform that requires such comprehensive access throughout the C: partition?

eli290 (Author) Commented:
Honestly, just regular applications. We have a software package for our company that does not need any special permissions other than to access those folders, which are located in both the Program Files and Program Files (x86) folders. I also have an application that writes a temp file to the C:\ drive when we create a report. Works no problem when logged in as a domain admin, doesn't work at all when logged in as the user. Also, when logged in as a user, the application splash window pops up, then disappears and doesn't open.
If that's the case, it sounds like you're utilizing one or more legacy applications that haven't been designed to work gracefully within a Windows 7 environment. Is it possible that those applications have a patch or an entirely updated version that is compliant with Windows 7? I would think that might be preferable to implementing several NTFS permissions modifications, turning off UAC, etc.
eli290 (Author) Commented:
We do not have a patch for those applications, unfortunately. I do agree that NTFS permission mods are not ideal, but this is how we have always done it, even on XP. So I don't know how to get around it now that Windows 7 is not being very friendly.
Hopefully someone else within the EE community can chime in with a creative solution that will help you in the near-term.  I haven't actually been faced with a problem quite like this one.

Once again, if there aren't patches for your applications it may be wise to look into full upgrades.  Frankly, application developers have had access to Windows 7-style security configurations since Vista was in the Beta testing phase over six years ago, so everyone has had ample opportunity to create compliant versions of their software.
We have UAC on and we haven't seen this issue. We set all of our users as Power Users as opposed to Local Admins. This way they cannot install any software, and we use Group Policy to restrict down the other things like changing the registry and accessing command prompt.
Oh, I guess I should have read the entire first post before I responded. We restrict the C Drive, but there are a few applications that have to be able to write to the C Drive. For those applications we gave Authenticated Users Full Control of just those folders.

Is there a reason your users need to write things to the entire C Drive?
eli290 (Author) Commented:
Just the root of the C they need to write to. But I also need those program files and data folders to be open so they can access those applications.
Well then, from the root of the C Drive, you could go to Security --> Advanced and add Authenticated Users, Full Control, This Folder Only, instead of Full Control, This folder, subfolders, and files. And then give full control to whichever programs in Program Files they need to be able to write to the C Drive with.

From what we have seen, there were only 2-3 programs on the computers that actually needed to write to the C Drive in order to work. Most of the programs write to the user profile, which every user already has rights to.
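
A way to check what an ACL change like the one described above actually grants, as an added example that is not part of the original thread: it lists the write-capable allow rules that broad groups hold on a folder and reports whether each rule is "This folder only" or also flows to subfolders and files. The function name `Get-BroadWriteAce` and the default group list are assumptions made for this illustration (group names are the English ones), and it assumes PowerShell 3.0 or later.

```powershell
# Added example: report write-capable allow ACEs held by broad groups on a
# folder, with each ACE's scope. Read-only; it does not change any ACL.
function Get-BroadWriteAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed group list; adjust for localized or domain-specific names.
        [string[]] $Identity = @('NT AUTHORITY\Authenticated Users',
                                 'BUILTIN\Users', 'Everyone')
    )

    # Specific rights that let a principal create, change or take over content.
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]`
        'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Some inherit-only ACEs store generic bits (shown by Get-Acl as a raw
    # number): GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
    $genericBits = 0x50000000

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Identity -notcontains $ace.IdentityReference.Value) { continue }

        $rights = [int]$ace.FileSystemRights
        if (($rights -band $writeBits) -eq 0 -and
            ($rights -band $genericBits) -eq 0) { continue }

        # Translate the inheritance/propagation flags into the wording used
        # by the Advanced Security dialog.
        $scope = if ($ace.InheritanceFlags -eq 'None') {
            'This folder only'
        } elseif ($ace.PropagationFlags -band
                  [System.Security.AccessControl.PropagationFlags]::InheritOnly) {
            "Children only ($($ace.InheritanceFlags))"
        } else {
            "This folder and children ($($ace.InheritanceFlags))"
        }

        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Scope     = $scope
            Inherited = $ace.IsInherited
        }
    }
}

# Example call against the system drive root and one application folder.
Get-BroadWriteAce -Path 'C:\' | Format-Table -AutoSize
Get-BroadWriteAce -Path $env:ProgramFiles | Format-Table -AutoSize
```

Any row whose scope includes children under the drive root or Program Files means standard users can modify files that other users or elevated processes will later load.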
eli290 (Author) Commented:
So this is what I ended up having to do. The user profile must have been screwed up, so I deleted the user profile on that PC. I then tried to log in as that user to recreate it, but I received the error about having to sign in using a temporary profile. So I found the profile in the registry and deleted the affected profile's subfolder under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.

I was then able to open up the application again. Strange...

Eli290, to help you out in this separate subject area, it sounds like you learned first-hand that you can't simply delete a profile folder from the C:\Users.  It leaves behind registry entries, and if the same user subsequently attempts to login they will always get a temporary profile until the registry is cleaned up as you described above.

Here is a discussion we had a few months ago that shows the proper way to delete a local profile:
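
The leftover registry entries described in this post can be found before users hit the temporary-profile error. The following is an added example, not part of the original thread or the discussion it links to: it reads the ProfileList key named earlier in the thread and reports entries whose profile folder no longer exists, along with keys ending in `.bak`, which are associated with profiles that failed to load. The function name `Get-OrphanedProfileEntry` is an assumption made for this illustration, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: list ProfileList entries that point at a missing folder or
# carry a ".bak" suffix. Read-only; it deletes nothing.
function Get-OrphanedProfileEntry {
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

    foreach ($key in Get-ChildItem -Path $root) {
        $name = $key.PSChildName                    # SID, possibly with ".bak"
        $path = $key.GetValue('ProfileImagePath')   # REG_EXPAND_SZ, expanded on read
        if (-not $path) { continue }

        $folderExists = Test-Path -LiteralPath $path -PathType Container
        $isBackupKey  = $name -like '*.bak'
        if ($folderExists -and -not $isBackupKey) { continue }   # healthy entry

        # Resolve the SID to an account name where possible, so the entry can
        # be matched to the affected user.
        $sid = $name -replace '\.bak$', ''
        $account = try {
            ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            '(unresolved)'
        }

        [pscustomobject]@{
            Key          = $name
            Account      = $account
            ProfilePath  = $path
            FolderExists = $folderExists
            BackupKey    = $isBackupKey
        }
    }
}

# Run from an elevated prompt on the affected workstation.
Get-OrphanedProfileEntry | Format-Table -AutoSize
```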