Archived from groups: microsoft.public.win2000.group_policy
When you select add file you can type in the path/file name in the box and add
it to the template instead of browsing for it. --- Steve

"Chris" <Chris@discussions.microsoft.com> wrote in message
news:7A8FCFEE-F807-4D27-837B-9A7E203199A1@microsoft.com...
> Ok. I think I understand. However, what if there is a folder on the local
> computer where I want to control access but not on the computer where I am
> running the GPMC? Thanks for your help.
>
> Chris
>
> "Steven L Umbach" wrote:
>
> > Choose your system drive, probably C, and assign permissions to that. Then
> > all computers under the scope of influence of that GPO will have those
> > permissions applied to the system drive on their computer when security
> > policy is applied to them. The link below may help. --- Steve
> >
> > http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/aclui_domain.asp
> >
> > http://tinyurl.com/2ealx -- same link as above, shorter.
> >
> > "Chris" <Chris@discussions.microsoft.com> wrote in message
> > news:EC74A9F1-0C7C-4AF9-8903-797B8AD5B8A9@microsoft.com...
> > > Ok, when I go through the GPMC, and navigate down to File System, I right
> > > click and I see add a file. When I click add a file, I get my local file
> > > system. How does this help me to set permissions on the student PCs?
> > >
> > > "Steven L Umbach" wrote:
> > >
> > > > You can change the NTFS permissions to the root/drive folder to
> > > > read/list/execute for users/everyone which will not allow them to
> > > > write to or delete files in that folder. I would not recommend
> > > > removing all permissions for users to the drive folder. You can use
> > > > Group Policy at the domain/OU level, though I suggest doing it at the
> > > > OU level and testing it first before rolling out. In the OU go to
> > > > computer configuration/Windows settings/security settings/file system.
> > > > Then right click and select new file and select the drive folder.
> > > > Configure your permissions in edit security and be sure to add
> > > > administrators and system with full control. IMPORTANT! Be sure to
> > > > select the FIRST option of propagate and NOT replace or permissions
> > > > for all the user profiles will get screwed up and take on inheritable
> > > > permissions. That is why you need to test first and make sure profile
> > > > permissions are correct in that users by default have full permissions
> > > > to their profile folder and the folder does not inherit permissions.
> > > > Note that doing this will delay logon to computers as long as the
> > > > policy is in place. I recommend that you delete the entry after a few
> > > > days [or unlink the GPO if using an OU] when you are convinced all
> > > > computers have had the policy applied. Deleting the entry will not
> > > > make permissions go back to default, though any new installs will get
> > > > default permissions. You may also have to manually delete folders that
> > > > users have already created as they would be the owner and may have
> > > > excessive permissions still or be able to change permissions back to
> > > > allow them to write access. --- Steve
> > > >
> > > >
> > > > "Chris" <Chris@discussions.microsoft.com> wrote in message
> > > > news:ACB89F9B-481E-4EA2-A2CE-A56D32016B42@microsoft.com...
> > > > > Is there a way I can deny rights to folders on a local machine via
> > > > > the GPO? I work for a private K-12 and I am trying to lock down the
> > > > > PC through the GPO. I think I have everything working except that if
> > > > > the student opens Word or Excel, they still have access to the C:\.
> > > > > Any help would be appreciated. Basically I want them to only be able
> > > > > to read/write files from either their personal My Documents folder
> > > > > or to a specific
> > > > >
> > > > > Thanks,
> > > > > Chris
> > > >
> > > >
> > > >
> >
> >
> >
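
An added example, not part of the thread: a Python check over a GPO security template's `[File Security]` section that flags the two mistakes warned about above, an entry set to replace instead of propagate and an ACL without full control for Administrators and SYSTEM. The sample template text is constructed, and the mode numbering (0 propagate, 1 ignore, 2 replace) and the function names are assumptions of this example.

```python
import re

# Assumed mode numbers in a security template's [File Security] entries.
MODES = {"0": "propagate", "1": "ignore", "2": "replace"}
FULL_CONTROL = {"fa", "ga", "0x1f01ff"}  # SDDL rights that mean full control
ENTRY = re.compile(r'^"([^"]*)"\s*,\s*([012])\s*,\s*"([^"]*)"$')

def file_security_entries(inf_text):
    """Yield (path, mode, sddl) for each entry in the [File Security] section."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "file security":
            m = ENTRY.match(line)
            if m:
                yield m.group(1), MODES[m.group(2)], m.group(3)

def full_control_sids(sddl):
    """Return the SIDs that hold an allow ACE granting full control."""
    sids = set()
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        f = ace.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(f) == 6 and f[0] == "A" and f[2].lower() in FULL_CONTROL:
            sids.add(f[5])
    return sids

def audit(inf_text):
    """Return (path, problem) pairs for risky File Security entries."""
    findings = []
    for path, mode, sddl in file_security_entries(inf_text):
        if mode == "replace":
            findings.append((path, "replace mode overwrites child ACLs, including user profiles"))
        missing = {"BA", "SY"} - full_control_sids(sddl)  # Administrators, SYSTEM
        if missing:
            findings.append((path, "no full control for " + ", ".join(sorted(missing))))
    return findings

# Constructed sample template text, not taken from the thread.
SAMPLE = r'''
[Version]
signature="$CHICAGO$"
[File Security]
"%SystemDrive%\",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
"D:\",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;WD)"
'''

if __name__ == "__main__":
    for path, problem in audit(SAMPLE):
        print(path, "->", problem)
```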