fredleone
asked on
Active Directory 2010 group policy
Using Group Policy, how would I prevent a group of users from saving to their local hard drive (not redirected folders)?
They can't save to the C drive by default unless they have admin rights to their machine. They can, however, make subfolders on the C drive.
Is it only for root c drive?
if so do that:
1. Go to your DC, open ADUC, create a security group "A" for users who will not be able to save files to the root drive.
2. Open GPMC, create a GPO which links to your target machines.
3. Expand the policy to [Computer Configuration | Windows Settings | Security Settings | File System ]
4. Right click it, choose "Add File..." and select the "C:" drive, enter.
5. In the security page, click "Advanced" button.
6. Add the security group "A", choose "Apply to" to "This folder only".
7. Tick the Deny permission:
i. Create files /Write data
ii. Create folders / Append data
8. Click OK and Apply.
9. In the warning windows, click Yes.
10. Add Object windows, click OK.
from
https://social.technet.microsoft.com/Forums/windowsserver/en-US/e9774783-fd5b-4332-9125-eb3c719b5a57/prevent-saving-files-to-root-on-local-drive-using-group-policy
or other option would be to redirect folders and use mandatory profiles
http://technet.microsoft.com/en-us/library/cc732275.aspx
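
A way to confirm on a target machine that the File System steps above took effect, as an added example that is not part of the original answer: it reads the ACL on C:\ and checks for the Deny entry from steps 6 and 7. The group name `CONTOSO\A` is a placeholder and `Test-RootDenyAce` is a hypothetical helper name.

```powershell
# Added example (not from the original thread). Run on a machine the GPO applies to.
# Assumptions: 'CONTOSO\A' is a placeholder group; Test-RootDenyAce is a hypothetical helper.
function Test-RootDenyAce {
    param(
        [string]$Path  = 'C:\',
        [string]$Group = 'CONTOSO\A'
    )
    # Step 7 rights: "Create files / Write data" and "Create folders / Append data"
    $required = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'

    # Resolve the group to a SID so the comparison does not depend on name formatting
    try {
        $sid = ([System.Security.Principal.NTAccount]$Group).Translate(
                   [System.Security.Principal.SecurityIdentifier])
    } catch {
        throw "Cannot resolve group '$Group': $($_.Exception.Message)"
    }

    $acl  = Get-Acl -LiteralPath $Path
    $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference.Value -eq $sid.Value -and
                           $_.AccessControlType -eq 'Deny' }

    foreach ($ace in $aces) {
        $rights = [int]$ace.FileSystemRights
        [pscustomobject]@{
            Path           = $Path
            Group          = $Group
            Rights         = $ace.FileSystemRights
            # Both step-7 rights must be present in the Deny entry
            DeniesCreate   = ($rights -band $required) -eq $required
            # Step 6: "This folder only" means no inheritance flags; anything else
            # pushes the Deny down into subfolders
            ThisFolderOnly = $ace.InheritanceFlags -eq 'None'
            Inherited      = $ace.IsInherited
        }
    }
    if (-not $aces) {
        Write-Warning "No Deny entry for $Group on $Path; check that the GPO has applied."
    }
}

Test-RootDenyAce -Path 'C:\' -Group 'CONTOSO\A'
```

A row with `DeniesCreate` and `ThisFolderOnly` both `True` matches the settings in the steps; `ThisFolderOnly` reading `False` means the Deny also reaches subfolders.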
You can hide the C drive from them
Open the following sections: User Configuration, Administrative Templates, Windows Components, and Windows Explorer.
Click Hide these specified drives in My Computer.
Click to select the Hide these specified drives in My Computer check box.
Click the appropriate option in the drop-down box.
ASKER
The way it currently works here is that their local desktop is not redirected, but they can save to it. This is what they wanted. However, I am required to take away that ability from a small group of people. I wanted to know the best way to accomplish this. I figured GP would be the best way.
If you don't want them to save anywhere, use a mandatory profile
http://msdn.microsoft.com/en-gb/library/windows/desktop/bb776895(v=vs.85).aspx
ASKER
There are many small applications that run on these systems. It is only ten people; there is no GP that would just turn off access to the desktop
Create a security group with these 10 users
and then Use GPO to redirect the desktop (of that security group) to a shared folder and change share permissions to read-only
When redirecting, redirect all users to the same location and make sure the option 'Grant user exclusive rights to <folder>' is unchecked
ASKER
ok will try
thanks
Any update?
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for fredleone's comment #a40409210
for the following reason:
it seems like the best solution
thank you
Jan
You can't force an author to grant you points. Maybe a solution he found was better for him than what was suggested.
ASKER
solution worked thank you