Access to C: drive on TS Server Group Policy

Hey guys,

I have one user who needs access to the C: drive on a terminal server. It looks like there's a GPO or two blocking access for all users. How do I allow this for one user?
Cobra25 Asked:
 
loftyworm Commented:
You may also set the GPO to ignore the specific user with a deny setting. (This is bad practice, but it will work.)
GPO Management > GPO > Delegation > Advanced > OBJECT > Apply Group Policy (check "DENY") (scroll down)

Also, there is a way to have the GPO overridden by the local GPO. Loopback processing is the keyword.
http://itfreetraining.com/70-640/group-policy-loopback-processing/
0
 
bigeven2002 Commented:
Hello,
If you have admin access to the server, you can log in, then right-click the C: drive and choose Properties and then the Security tab. Click Edit, add their user account to the list, and give read and write access but not full control.

By default, non-admin users have read-only access to most folders outside their own user directory.
0
 
Cobra25 (Author) Commented:
Will that override any GPOs?
0

 
rindi Commented:
There is no reason why anyone should have access to the root of C:\. Only the OS needs to access that. If your user needs to access the root of C:\, he's doing something wrong.
0
 
Cobra25 (Author) Commented:
They need to modify some software settings for an application, only them. So there is a reason.
0
 
bigeven2002 Commented:
Ah OK, then first gather the path to the software folder within C:\Program Files or Program Files (x86) and add the user with read/write there. As for overriding GPO, I believe this does, since it is a manual entry.

If you prefer doing this through GPO, I think you can create a new domain group called "software edit" or something like that and add the user to that group. Then in the GPO, set that group to have read/write permission to the Program Files folder. I'm not sure where this GPO setting is at the moment, though.
0
 
rgorman Commented:
No, local security permissions won't override the GPO settings to hide the C drive. You will need to find the GPO and deny apply the GPO under the GPO security settings for that one user. Then, once the user can see the C drive, you will need to modify the NTFS security on the folder they need access to if they don't already have permissions.
0
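Added example, not part of any post in this thread: one way to carry out the steps rgorman describes, locating the GPO that restricts drives, reviewing who it applies to, and granting NTFS Modify on only the application folder. It assumes the restriction comes from the Explorer "Hide these specified drives" / "Prevent access to drives" policies (registry values `NoDrives` and `NoViewOnDrive`), which the thread does not confirm; `$AppFolder` and `$User` are placeholders.

```powershell
# Steps 1-2 need the GroupPolicy module (GPMC/RSAT) and a domain account.
# Step 3 is run elevated on the terminal server itself.
Import-Module GroupPolicy

$ExplorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$DriveValues = 'NoDrives', 'NoViewOnDrive'   # hide drives / prevent access to drives

# The policy value is a bitmask: bit 0 = A:, bit 1 = B:, bit 2 = C:, ...
function ConvertTo-DriveLetters([int]$Mask) {
    0..25 | Where-Object { $Mask -band (1 -shl $_) } |
        ForEach-Object { '{0}:' -f [char](65 + $_) }
}

# 1. Find every GPO that configures one of the drive-restriction values.
$hits = foreach ($gpo in Get-GPO -All) {
    foreach ($name in $DriveValues) {
        try {
            $v = Get-GPRegistryValue -Guid $gpo.Id -Key $ExplorerKey `
                     -ValueName $name -ErrorAction Stop
        } catch { continue }   # value not configured in this GPO
        [pscustomobject]@{
            Gpo     = $gpo.DisplayName
            Setting = $name
            Drives  = (ConvertTo-DriveLetters ([int]$v.Value)) -join ' '
        }
    }
}
$hits | Format-Table -AutoSize

# 2. Review the delegation (security filtering) of each matching GPO, so any
#    Deny entry added for the single user is visible and documented.
foreach ($gpoName in ($hits.Gpo | Sort-Object -Unique)) {
    Get-GPPermission -Name $gpoName -All |
        Select-Object @{ n = 'Gpo'; e = { $gpoName } },
                      @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      Permission, Denied
}

# 3. Grant Modify on the application folder only, not on the root of C:\.
$AppFolder = 'C:\Program Files\ExampleApp'   # placeholder path
$User      = 'CONTOSO\jdoe'                  # placeholder account
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $User, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $AppFolder
$acl.AddAccessRule($rule)
Set-Acl -Path $AppFolder -AclObject $acl
```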
 
rindiCommented:
There are no software settings in the root of C:\, so there is still no reason. Setting files should be in \ProgramData\ProgramName\, and never in C:\.
0
 
Axis52401 (Security Analyst) Commented:
Group policy is applied in a specific order, LSDO: Local --> Site --> Domain --> OU. The default domain policy does not restrict users from installing software. This restriction is, by default, set up by configuring who is a member of the local admins group. That being said, giving access to C:\Program Files probably won't be enough. Software programs often require access to the registry, so honestly you'll probably have to use Restricted Groups and make that user a member of the local admin groups. I doubt giving access to the directories will be enough.
0