[gptalk] Re: drive access

  • From: "Delaney, Doug" <doug.delaney@xxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 20 Sep 2006 13:17:35 -0400

I would add the %SystemDrive% to the File System entries, under Computer
Configuration | Windows Settings | Security Settings | File System and
configure the (Advanced) permissions for the user group required (my
example user the "Users" built-in group).  Ensure you select This folder
only in the apply onto field, and deny creating files and folders.  Also
ensure that you configure all other security settings required (to match
what they are locally) as this will replace the existing permissions
with a new set of permissions... so be VERY careful w/regard to
inheritance.  This means you be replacing the entire set of permissions
on drive C: so will will have to add an addition entry for Users (in my
example) that apply onto is set to "subfolders and files only".   When
you click ok, then click on Configure this file or folder then, select
replace permissions on all subfolders and files.  Please ensure you
include ALL other groups currently defined on Drive C...  Everywhere,
paying special attention to Program Files, Documents and Settings, and
the %SystemRoot% folders.  AGAIN, you are replacing ALL security
settings on drive C: using this method.  But, it gives you complete and
granular control.  You also want to TEST using only one entry for users
at the root of C:, and see if that does or does not replace all lower
permissions (subfolders) if you select propagate inheritable permissions
on all subfolders and files (instead of replace), but I have not had the
expected results using that in the past.  Warning: Don't lock out
Administrators or SYSTEM...
 
 
Such as 
    
 

Doug Delaney
GM Desktop Engineering
Global Client Engineering GM
1075 W. Entrance Dr., MS 2B, Cube 2130
Auburn Hills, MI 48326
Lab: 248-365-9187
Tel: 248-754-7917
Pg: 248-870-0306 pager
Mail: Doug.Delaney@xxxxxxx <mailto:Doug.Delaney@xxxxxxx>  

Note: The information in this email is intended solely for the
addressee. Access to this email by anyone else is unauthorized. If you
are not the intended recipient, any disclosure, copying, distribution or
any action taken or omitted to be taken in reliance on it is prohibited.

 


________________________________

        From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Eric Middleton
        Sent: Wednesday, September 20, 2006 12:48 PM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] drive access
        
        

        Anyone know how to make the root of c non accessible.  I have
told the group policy not to allow saving of files to c however if you
creat a new folder you can save to that folder.  Anyone know how to stop
this?

JPEG image

JPEG image

Other related posts: