?
Solved

Lock down c:\users folder

Posted on 2012-09-21
9
Medium Priority
?
939 Views
Last Modified: 2012-09-26
Howdy,
We have a small domain with Windows 7 machines.  The users run as local admins and we are looking at ways, if possible, to lock users out of other people's users folder under C:\Users.

Is this possible besides adding a manual deny to each folder?
Thanks!
0
Comment
Question by:aiscom
  • 3
  • 2
  • 2
  • +2
9 Comments
 
LVL 7

Expert Comment

by:wullieb1
ID: 38423602
Are they all using the same machine??

As they have local admin permissions they could just re-add themselves to the permissions and take control of the relevant folders.

Have you thought about roaming profiles for your users??

http://richardkok.wordpress.com/2011/04/14/configuring-windows-7-roaming-profiles-on-a-windows-2008-r2-server/

Might be the easier option for you.
0
 
LVL 28

Accepted Solution

by:
Run5k earned 2000 total points
ID: 38423640
At the risk of stating the painfully obvious, the root cause of your problem is that your end-users have local admin rights!  If you don't mind me asking, why is that?  After more than two decades of installing/configuring/managing Windows domains, I can safely say that the drawbacks associated with end-users who have admin privileges easily outweigh the advantages.
0
 
LVL 7

Expert Comment

by:wullieb1
ID: 38423675
@Run5K

There are unfortunately situations where users do require admin rights to PC's, in our org it was AutoCAD.

Sorry off topic though.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 28

Expert Comment

by:Run5k
ID: 38423689
@Wullieb1, that isn't really off-topic.  If the author's end-users didn't have admin rights, security and privacy within the User folder wouldn't be an issue.

I don't necessarily doubt your word, but that is difficult to imagine.  My team manages several diverse domains, with the largest one serving over 13,000 users and containing more than 10,000 Windows 7 Enterprise workstations.  Even with that wide variety of environments and software combinations, we have yet to encounter a scenario where the end-user actually needs admin privileges.
0
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 38423818
I hate to beat a dead horse but. it can't be done as any local administrator can click on ANY folder they will get the access denied and ALSO a click to get permanent access prompt..
0
 
LVL 7

Expert Comment

by:wullieb1
ID: 38423923
@Run5K, while i agree with what your saying, and 95% of the software we use does not require admin rights we ran into issues with AutoCAD software and ANSYS software. We control the access that these users get by using Restricted Groups and tried the least privilege route but it just wouldn't work. AutoCAD engineers actually told us that we would require this, whether that was the easy way out i'm not sure.

Sorry OP i didn't meant to takeover your question.
0
 
LVL 24

Expert Comment

by:Nagendra Pratap Singh
ID: 38424111
Ask the users to save thier files on a remote share.

Because the local admin is finally the local admin on the PC, the only way to protect files from them it to move them out.
0
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 38424239
folder redirection might be your friend.
0
 

Author Comment

by:aiscom
ID: 38439120
Thanks.  We will look into our options on making them not local admins first.
0

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.
Suggested Courses

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question