[gptalk] Re: drive access attention Doug
- From: "Delaney, Doug" <doug.delaney@xxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Fri, 22 Sep 2006 13:42:49 -0400
Well, I was suggesting that you use the built-in "Users" group, not
individual user IDs. But the other groups also have to be added to the
permissions for C: with the appropriate Full Control (or whatever)
permissions for each group (Administrators, SYSTEM, etc.) as the client
machines have by default (depending on your security situation, or
template applied to the machine, i.e., XPCompatws.sdb). You are building
a list of security principals (groups) that have specific types of
access to drive C:. All of drive C:. This is intended to be applied from
a GPO, so when you add the Users group (if you're editing from a server),
it would be %ComputerName%\Users for the group name.
Doug Delaney
GM Desktop Engineering
Global Client Engineering GM
1075 W. Entrance Dr., MS 2B, Cube 2130
Auburn Hills, MI 48326
Lab: 248-365-9187
Tel: 248-754-7917
Pg: 248-870-0306 pager
Mail: Doug.Delaney@xxxxxxx <mailto:Doug.Delaney@xxxxxxx>
Note: The information in this email is intended solely for the
addressee. Access to this email by anyone else is unauthorized. If you
are not the intended recipient, any disclosure, copying, distribution or
any action taken or omitted to be taken in reliance on it is prohibited.
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Eric Middleton
Sent: Friday, September 22, 2006 12:17 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: drive access attention Doug
Thanks man, I got it finally. My problem was I was selecting a
group instead of the user on the local machine. Thanks again man, you
were a great help. Holla if you need anything.
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Delaney, Doug
Sent: Friday, September 22, 2006 10:35 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: drive access attention Doug
Eric,
In the normal security properties dialog, you will need to add
all accounts, such as Administrators, System, Power Users, etc. that
match the current permissions on the C: drive. Then using the advanced
button, you can add the users group multiple times. One of them is
configured as the left side, and this is the key... the Apply onto
field needs to be set to "this folder only", then add the second entry
for the Users group, and in the apply onto field, make it "subfolders
and files only", and configure that as the right diagram. This makes
the first entry remove the users' right to create folders or files on C:,
but allows them read/write access to all subfolders and files of C:.
We can take this offline, if you need more help. Glad to see
you're testing it, as that is very important. Crucial, in fact.
Doug Delaney
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Eric Middleton
Sent: Thursday, September 21, 2006 11:57 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: drive access attention Doug
Ok, I have tried this a few times and still am a little
confused. How do I do this 2 different ways like shown below? I can
only do one or the other, correct? When I attempt to recreate what is in
the left pic, the system won't let anyone log on.
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Delaney, Doug
Sent: Wednesday, September 20, 2006 12:18 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: drive access
I would add the %SystemDrive% to the File System
entries, under Computer Configuration | Windows Settings | Security
Settings | File System and configure the (Advanced) permissions for the
user group required (my example uses the "Users" built-in group).
Ensure you select This folder only in the apply onto field, and deny
creating files and folders. Also ensure that you configure all other
security settings required (to match what they are locally) as this will
replace the existing permissions with a new set of permissions... so be
VERY careful w/regard to inheritance. This means you will be replacing the
entire set of permissions on drive C:, so you will have to add an
additional entry for Users (in my example) where apply onto is set to
"subfolders and files only". When you click ok, then click on
Configure this file or folder, then select replace permissions on all
subfolders and files. Please ensure you include ALL other groups
currently defined on Drive C... Everywhere, paying special attention to
Program Files, Documents and Settings, and the %SystemRoot% folders.
AGAIN, you are replacing ALL security settings on drive C: using this
method. But, it gives you complete and granular control. You also want
to TEST using only one entry for users at the root of C:, and see if
that does or does not replace all lower permissions (subfolders) if you
select propagate inheritable permissions on all subfolders and files
(instead of replace), but I have not had the expected results using that
in the past. Warning: Don't lock out Administrators or SYSTEM...
Such as
Doug Delaney
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Eric Middleton
Sent: Wednesday, September 20, 2006 12:48 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] drive access
Anyone know how to make the root of c non
accessible? I have told the group policy not to allow saving of files
to c; however, if you create a new folder you can save to that folder.
Anyone know how to stop this?
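The permission layout described in this thread (Administrators and SYSTEM kept, plus two entries for Users, one "This folder only" and one "Subfolders and files only"), as an added PowerShell example that is not part of the original messages. It builds the ACL in memory and checks it before anything is put into a GPO; the rights on the second Users entry and the helper names `New-Rule` and `Test-RootAcl` are assumptions made for illustration.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Well-known SIDs, so the example does not depend on localized group names.
$Admins = 'S-1-5-32-544'; $System = 'S-1-5-18'; $Users = 'S-1-5-32-545'

function New-Rule {   # hypothetical helper, not from the thread
    param([string]$Sid, [FileSystemRights]$Rights, [InheritanceFlags]$Inherit,
          [PropagationFlags]$Propagate, [AccessControlType]$Type)
    [FileSystemAccessRule]::new([SecurityIdentifier]::new($Sid), $Rights, $Inherit, $Propagate, $Type)
}

# Built in memory only; nothing here touches the ACL of a real drive.
$Acl = [DirectorySecurity]::new()
@(
    # "This folder, subfolders and files": keep Administrators and SYSTEM in control.
    New-Rule $Admins 'FullControl' 'ContainerInherit, ObjectInherit' 'None' 'Allow'
    New-Rule $System 'FullControl' 'ContainerInherit, ObjectInherit' 'None' 'Allow'
    # Users entry 1, "This folder only": no new files or folders in the root.
    New-Rule $Users 'CreateFiles, CreateDirectories' 'None' 'None' 'Deny'
    # Users entry 2, "Subfolders and files only" (rights are an assumed reading of "read/write").
    New-Rule $Users 'ReadAndExecute, Write' 'ContainerInherit, ObjectInherit' 'InheritOnly' 'Allow'
    # Any other entries present on the local C: (Power Users, etc.) would be added the same way.
) | ForEach-Object { $Acl.AddAccessRule($_) }

function Test-RootAcl {   # hypothetical check of the layout above
    param([DirectorySecurity]$Security)
    $aces   = @($Security.GetAccessRules($true, $true, [SecurityIdentifier]))
    $create = [FileSystemRights]'CreateFiles, CreateDirectories'
    $hasFull = { param($sid) [bool]($aces | Where-Object {
        $_.IdentityReference.Value -eq $sid -and $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -eq [FileSystemRights]::FullControl }) }
    [pscustomobject]@{
        AdministratorsFullControl = & $hasFull $Admins
        SystemFullControl         = & $hasFull $System
        UsersRootCreateDenied     = [bool]($aces | Where-Object {
            $_.IdentityReference.Value -eq $Users -and $_.AccessControlType -eq 'Deny' -and
            $_.InheritanceFlags -eq 'None' -and ($_.FileSystemRights -band $create) -eq $create })
        UsersSubtreeEntryPresent  = [bool]($aces | Where-Object {
            $_.IdentityReference.Value -eq $Users -and $_.AccessControlType -eq 'Allow' -and
            $_.PropagationFlags -eq 'InheritOnly' })
    }
}

Test-RootAcl $Acl                             # every property should be True
$Acl.GetSecurityDescriptorSddlForm('Access')  # the same ACL as an SDDL string
```

Passing `(Get-Acl "$env:SystemDrive\")` to `Test-RootAcl` on a test client runs the same checks against the ACL that the policy actually produced.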

