2008 Terminal Services system root permissions

First, please reserve the urge to tell me not to do this.  I don't have a choice.

We have a mission critical app that, as of it's last update, has decided it has to write a temp file to the root of the system drive in order to function.  Rolling back is not an option.  I've contacted the vendor and they realize their error, but a fix is months away.  So, until then, I have to give terminal services users the right to write/modify/delete files to the root of C.

It's a 2008 (not r2) server, pretty much an out-of-the-box 2008 terminal server.  I'm looking for ideas on the "safest" (oxymoron) way to temporarily allow a group of users to do this.

Thanks in advance!!!
FredCredAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

McKnifeCommented:
It will require two steps (which of course you have to execute as administrator)
1) icacls c:\ /setintegritylevel M
2) change permissions on c: "for this folder only" to users: change (that is: like full control but lacking the two single rights 'take ownership' and 'change permissions')
Please note that 2) will give errors "could not change permissions on c:\pagefile and c:\hiberfile and..." - this does not matter.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
FarWestCommented:
I think you can safely (somewhat) give the permission to your RDS users group providing that you limit there access to that application, no browsing and cmd ... etc,

if your software  has a fileopen, filesave feature that load the file explorer then we have to make thinks harder like give access to root c:\ but deny access on folders in that root + any existing files
0
David Johnson, CD, MVPOwnerCommented:
The best solution is none of the above but to use the Application Compatability Toolkit and create a shim that redirects the writes to c:\ to another folder.
https://technet.microsoft.com/en-us/library/hh825181.aspx?f=255&MSPPError=-2147217396
0
McKnifeCommented:
David, I used ACT before, but not that function. What is the fix called, is it "RedirectCRTTempFile"?
Do you have a how to to offer?
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.