Assigning rights to local folders

Chris

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Is there a way I can deny rights to folders on a local machine via the GPO? I work for a private K-12 and I am trying to lock down the PC through the GPO. I think I have everything working except that if the student opens Word or Excel, they still have access to the C:\. Any help would be appreciated. Basically I want them to only be able to read/write files from either their personal My Documents folder or to a specific

Thanks,
Chris
 
Guest

You can change the NTFS permissions to the root/drive folder to read/list/execute for
users/everyone which will not allow them to write to or delete files in that folder.
I would not recommend removing all permissions for users to the drive folder. You
can use Group Policy at the domain/OU level, though I suggest doing it at the OU
level and testing it first before rolling out. In the OU go to computer
configuration/Windows settings/security settings/file system. Then right click and
select new file and select the drive folder. Configure your permissions in edit
security and be sure to add administrators and system with full control. IMPORTANT!
Be sure to select the FIRST option of propagate and NOT replace or permissions for
all the user profiles will get screwed up and take on inheritable permissions. That
is why you need to test first and make sure profile permissions are correct in that
users by default have full permissions to their profile folder and the folder does
not inherit permissions. Note that doing this will delay logon to computers as long
as the policy is in place. I recommend that you delete the entry after a few days [or
unlink the GPO if using an OU] when you are convinced all computers have had the
policy applied. Deleting the entry will not make permissions go back to default,
though any new installs will get default permissions. You may also have to manually
delete folders that users have already created as they would be the owner and may
have excessive permissions still or be able to change permissions back to allow them
to write access. --- Steve
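
The two cautions in the reply above (propagate rather than replace, and full control for Administrators and SYSTEM) can be checked against the GPO's exported security template before it is linked. This is an added example, not code from the thread or from Microsoft. It assumes the `[File Security]` line layout `"path",mode,"SDDL"` with mode 0 = propagate, 1 = ignore, 2 = replace, and the SDDL aliases `BA` (Administrators), `SY` (SYSTEM) and `BU` (Users); the sample template text is constructed.

```python
import re

# Constructed sample of a security template's [File Security] section
# (assumed line layout: "path",mode,"SDDL"); not taken from the thread.
SAMPLE = r'''
[File Security]
"%SystemDrive%\",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"
"%SystemDrive%\Lab",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;BU)"
'''

ENTRY = re.compile(r'^"([^"]+)",([012]),"([^"]*)"$')
DRIVE_ROOT = re.compile(r'^(%systemdrive%|[a-z]:)\\?$', re.I)
MODE_REPLACE = "2"  # assumed numbering: 0 = propagate, 1 = ignore, 2 = replace

def full_control_sids(sddl):
    """Return the SIDs that hold an allow ACE granting full access."""
    sids = set()
    for ace in re.findall(r'\(([^)]*)\)', sddl):
        fields = ace.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(fields) == 6 and fields[0] == "A" and fields[2].upper() in ("FA", "0X1F01FF"):
            sids.add(fields[5])
    return sids

def lint_file_security(text):
    """Return (path, problem) pairs for entries that ignore the cautions above."""
    findings, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[file security]"
            continue
        m = ENTRY.match(line) if in_section else None
        if not m:
            continue
        path, mode, sddl = m.groups()
        # Replace mode on a drive root overwrites the protected ACLs on user profiles.
        if mode == MODE_REPLACE and DRIVE_ROOT.match(path):
            findings.append((path, "replace mode on a drive root"))
        for sid, name in (("BA", "Administrators"), ("SY", "SYSTEM")):
            if sid not in full_control_sids(sddl):
                findings.append((path, f"{name} lacks full control"))
    return findings

if __name__ == "__main__":
    for path, problem in lint_file_security(SAMPLE):
        print(f"{path}: {problem}")
```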


 

Chris


Ok, when I go through the GPMC, and navigate down to File System, I right click and I see add a file. When I click add a file, I get my local file system. How does this help me to set permissions on the student PCs?

 
Guest

Choose your system drive, probably C, and assign permissions to that. Then all
computers under the scope of influence of that GPO will have those permissions
applied to the system drive on their computer when security policy is applied to
them. The link below may help. --- Steve

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/aclui_domain.asp
http://tinyurl.com/2ealx -- same link as above, shorter.

 

Chris


Ok. I think I understand. However, what if there is a folder on the local computer where I want to control access but not on the computer where I am running the GPMC? Thanks for your help.

Chris

 
Guest

When you select add file you can type in path/file name in the box and add it to
the template instead of browsing for it. --- Steve
