Restrict "system root c:" access letting users to delete, ..

Anonymous
September 10, 2004 11:25:07 AM

Archived from groups: microsoft.public.win2000.general,microsoft.public.win2000.active_directory,microsoft.public.win2000.file_system,microsoft.public.windowsnt.misc (More info?)

I assigned the "File system" permissions in an Active Directory GPO on
the %systemroot% folder this way: Everyone ALLOW ALL, School personnel
group JUST READ, students group DENY ALL.

The problem is the students and teachers cannot delete, rename or copy
files on their own desktop (other groups can) even if it doesn't
inherit the "C:\" permissions. I checked the profiles and the
permissions are correctly assigned to each user's profile directory in
"Documents and Settings".
The error message that pops up when a user tries to delete a file from
the desktop is: "Cannot access C:\ Access denied".

I tried to restrict "C:\" with other group policies, hide device,
disable search button in explorer, disable "Run" in Start menu... but
there are thousands of different ways to access it anyway like the
shortcut properties button "Find target" which could point you
directly in "C:\" or the "explore" option in the right mouse button
menu of the start button which doesn't hide "C:\" at all.

The only possibility is to use the NTFS permissions on the system
root.

I want to prevent users from installing programs in "C:\" or creating
directories or files, and even from browsing the C:\ content, while letting them
use their desktops as they want. Is there a way?

Thank you.
Anonymous
September 22, 2004 5:36:41 PM


I didn't know it was such a big deal.
Anonymous
October 1, 2004 9:35:02 AM


Yeah, having the same problem, but with user access to the History folder in their
C:\Documents and Settings folder... it's weird that this was not a problem in
system policy.

Do your users have a home drive? If so, you could use folder redirection to
redirect the desktop to a directory on their home drive. This way they would
have control over adding in shortcuts etc., but it wouldn't be stored on the C
drive. Not sure if this is what you're after, but worth a go.

E

"Sasa" wrote:

> I didn't know it was such a big deal.
>
Anonymous
October 1, 2004 11:17:27 AM


sasageissa@hotmail.com (Sasa) said

> I assigned the "File system" permissions in an Active Directory GPO on
> the %systemroot% folder this way: Everyone ALLOW ALL, School personnel
> group JUST READ, students group DENY ALL.
>
> The problem is the students and teachers cannot delete, rename or copy
> files on their own desktop (other groups can) even if it doesn't
> inherit the "C:\" permissions. I checked the profiles and the
> permissions are correctly assigned to each user's profile directory in
> "Documents and Settings".
> The error message that pops up when a user tries to delete a file from
> the desktop is: "Cannot access C:\ Access denied".
>

Try using filemon from www.sysinternals.com to see what file access is occurring
that is triggering the restriction.
You may find that deleting a file is actually moving it to the Deleted Items
folder and that the restriction is being applied there, not to the desktop.

--
Andy.
Anonymous
October 1, 2004 7:16:00 PM


Check what access they have to their Temp and Recycler folders. (Note that
Temp for one user may not be the same as for another, depending on how things
are set up.) Make sure that they can read/write/change.

You usually shouldn't play with the permissions on %systemroot% (usually
C:\WINNT or C:\WINDOWS depending on the OS version). The default permissions
are generally sufficient, and there are different permissions set on some of
the subfolders that would be changed by allowing inheritance from the top
level. Unless you really understand what the permissions mean and the
possible side effects, it is best to leave them alone.

Permissions on %systemdrive% (and probably the root of most drives) should
probably not be "deny all" to anyone - they usually need at least some access
in order to traverse to allowed folders. The way to keep things secure here
is to put things into folders, and set permissions on the folders - don't keep
files in the root directory. It is okay, and often desirable, to limit
many/most users from being able to write to the root directory.

You can usually at least allow "list folder contents" (unless you really care
if they can see the filenames there) - this allows for traversing the folder
to get elsewhere.

In article <Xns95762FD4B419casey01@207.46.248.16>, Andrew Mitchell
<amitchell@removecasey.vic.gov.au> wrote:
|sasageissa@hotmail.com (Sasa) said
|
|> I assigned the "File system" permissions in an Active Directory GPO on
|> the %systemroot% folder this way: Everyone ALLOW ALL, School personnel
|> group JUST READ, students group DENY ALL.
|>
|> The problem is the students and teachers cannot delete, rename or copy
|> files on their own desktop (other groups can) even if it doesn't
|> inherit the "C:\" permissions. I checked the profiles and the
|> permissions are correctly assigned to each user's profile directory in
|> "Documents and Settings".
|> The error message that pops up when a user tries to delete a file from
|> the desktop is: "Cannot access C:\ Access denied".
|>
|
|Try using filemon from www.sysinternals.com to see what file access is occurring
|that is triggering the restriction.
|You may find that deleting a file is actually moving it to the Deleted Items
|folder and that the restriction is being applied there, not to the desktop.
|
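The two answers above boil down to one check: a "delete from the Desktop" touches more than the Desktop (the drive root for traversal, the user's TEMP folder, the Recycle Bin folder), and any explicit Deny on one of those paths produces the "Access denied" the original post describes. The following PowerShell script is an added example written for this thread, not code from any of the posters; it audits those four paths for one group. It assumes it is run elevated on an affected machine, that `SCHOOL\Students` is a placeholder for the group that was given DENY ALL at the root, that the Recycle Bin folder is `RECYCLER` (NT/2000/XP) or `$Recycle.Bin` (Vista and later), and it matches ACEs on the group name only, so nested group membership is not resolved.

```powershell
# Added example (not from the thread): audit the ACLs a "delete from Desktop"
# operation actually touches, for one restricted group.
# Assumptions: run elevated on an affected machine; $Group is a placeholder for
# the domain group that was given DENY at the drive root; nested group
# membership is not resolved (ACEs are matched on the group name only);
# generic rights on inherit-only ACEs show up as raw numbers and are not decoded.
param(
    [string]$Group = 'SCHOOL\Students',          # placeholder group name
    [string]$Root  = "$env:SystemDrive\"
)

$FSR = [System.Security.AccessControl.FileSystemRights]

# Locate whichever Recycle Bin folder this OS uses (may be absent).
$recycler = @((Join-Path $Root 'RECYCLER'), (Join-Path $Root '$Recycle.Bin')) |
    Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1

# What the user needs at each step of the delete: list/traverse at the root,
# Modify on the Desktop, the temp folder and the Recycle Bin folder.
$checks = @(
    @{ Name = 'Drive root';  Path = $Root;                                   Need = $FSR::ListDirectory },
    @{ Name = 'Desktop';     Path = [Environment]::GetFolderPath('Desktop'); Need = $FSR::Modify },
    @{ Name = 'TEMP';        Path = $env:TEMP;                               Need = $FSR::Modify },
    @{ Name = 'Recycle Bin'; Path = $recycler;                               Need = $FSR::Modify }
)

foreach ($c in $checks) {
    if (-not $c.Path -or -not (Test-Path -LiteralPath $c.Path)) {
        Write-Warning "$($c.Name): path not found, skipped"
        continue
    }
    $aces = (Get-Acl -LiteralPath $c.Path).Access |
            Where-Object { $_.IdentityReference.Value -eq $Group }
    $deny = $aces | Where-Object { $_.AccessControlType -eq 'Deny' }
    # An explicit Deny wins over every Allow, so report it first: this is the
    # ACE that turns into "Cannot access C:\ Access denied".
    if ($deny) {
        "{0,-12} {1}  DENY present ({2})" -f $c.Name, $c.Path, ($deny.FileSystemRights -join ', ')
        continue
    }
    # Combine all Allow ACEs for the group and compare with the rights needed.
    $granted = 0
    foreach ($a in ($aces | Where-Object { $_.AccessControlType -eq 'Allow' })) {
        $granted = $granted -bor [int]$a.FileSystemRights
    }
    $need = [int]$c.Need
    if (($granted -band $need) -eq $need) {
        "{0,-12} {1}  ok ({2} granted)" -f $c.Name, $c.Path, $c.Need
    } else {
        "{0,-12} {1}  MISSING {2} for $Group" -f $c.Name, $c.Path, $c.Need
    }
}

# The second answer also advises against broad write access at the root:
# list every principal that can create files or folders directly in $Root.
$writeMask = [int]($FSR::CreateFiles -bor $FSR::CreateDirectories)
(Get-Acl -LiteralPath $Root).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights) -band $writeMask) } |
    ForEach-Object { "Root write access: {0} ({1})" -f $_.IdentityReference.Value, $_.FileSystemRights }
```

With the configuration from the original post (Everyone ALLOW ALL, students DENY ALL at the root) the first line of output flags the DENY at the drive root, and the last section lists Everyone as having write access there, which is the opposite of what the second answer recommends: the students group needs an Allow of at least "list folder contents" on the root so it can traverse into Documents and Settings, and write access at the root should be limited to administrators.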
Anonymous
October 25, 2004 3:03:38 PM


Thanks to both of you, but my problem remains unresolved!
The only solution that would work is a PCI card called Radix Protector
that restores the hard disk state saved by the administrator every
time the users reboot the machine.
This solution isn't cheap, $50-70 per card, and I admin 200 PCs. Besides
the price, I'm too lazy to open 200 machines to install the cards.

Norton Ghost will do the job!

I still can't believe I'm the only person that has this annoying
problem.

Do admins usually let users fill the systemroot with junk?
Anonymous
December 23, 2004 6:14:31 PM


You can also use a program called DeepFreeze... It works very well and is
easy to configure and deploy.

There are other things you can do to prevent access... Use the pre-built
security policy templates and GPOs. (I used to work in school districts, so
I've dealt with this quite a bit.) DeepFreeze is the easiest, though.

--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services

"Sasa" <sasageissa@hotmail.com> wrote in message
news:552a93c9.0410251003.3233a533@posting.google.com...
> Thanks to both of you, but my problem remains unresolved!
> The only solution that would work is a PCI card called Radix Protector
> that restores the hard disk state saved by the administrator every
> time the users reboot the machine.
> This solution isn't cheap, $50-70 per card, and I admin 200 PCs. Besides
> the price, I'm too lazy to open 200 machines to install the cards.
>
> Norton Ghost will do the job!
>
> I still can't believe I'm the only person that has this annoying
> problem.
>
> Do admins usually let users fill the systemroot with junk?
Anonymous
March 28, 2005 9:01:02 AM


Hi.
If you are still interested in this subject, reply here.

regards,
cezar haraga

"Sasa" wrote:

> I assigned the "File system" permissions in an Active Directory GPO on
> the %systemroot% folder this way: Everyone ALLOW ALL, School personnel
> group JUST READ, students group DENY ALL.
>
> The problem is the students and teachers cannot delete, rename or copy
> files on their own desktop (other groups can) even if it doesn't
> inherit the "C:\" permissions. I checked the profiles and the
> permissions are correctly assigned to each user's profile directory in
> "Documents and Settings".
> The error message that pops up when a user tries to delete a file from
> the desktop is: "Cannot access C:\ Access denied".
>
> I tried to restrict "C:\" with other group policies, hide device,
> disable search button in explorer, disable "Run" in Start menu... but
> there are thousands of different ways to access it anyway like the
> shortcut properties button "Find target" which could point you
> directly in "C:\" or the "explore" option in the right mouse button
> menu of the start button which doesn't hide "C:\" at all.
>
> The only possibility is to use the NTFS permissions on the system
> root.
>
> I want to prevent users from installing programs in "C:\" or creating
> directories or files, and even from browsing the C:\ content, while letting them
> use their desktops as they want. Is there a way?
>
> Thank you.
>
Anonymous
March 28, 2005 9:03:02 AM


Hi.
If you are interested in this subject, reply here.

regards


"Sasa" wrote:

> I assigned the "File system" permissions in an Active Directory GPO on
> the %systemroot% folder this way: Everyone ALLOW ALL, School personnel
> group JUST READ, students group DENY ALL.
>
> The problem is the students and teachers cannot delete, rename or copy
> files on their own desktop (other groups can) even if it doesn't
> inherit the "C:\" permissions. I checked the profiles and the
> permissions are correctly assigned to each user's profile directory in
> "Documents and Settings".
> The error message that pops up when a user tries to delete a file from
> the desktop is: "Cannot access C:\ Access denied".
>
> I tried to restrict "C:\" with other group policies, hide device,
> disable search button in explorer, disable "Run" in Start menu... but
> there are thousands of different ways to access it anyway like the
> shortcut properties button "Find target" which could point you
> directly in "C:\" or the "explore" option in the right mouse button
> menu of the start button which doesn't hide "C:\" at all.
>
> The only possibility is to use the NTFS permissions on the system
> root.
>
> I want to prevent users from installing programs in "C:\" or creating
> directories or files, and even from browsing the C:\ content, while letting them
> use their desktops as they want. Is there a way?
>
> Thank you.
>