[gptalk] Re: drive access attention Doug

  • From: "Delaney, Doug" <doug.delaney@xxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 22 Sep 2006 13:42:49 -0400

Well, I was suggesting that you use the built-in "Users" group, not
individual user IDs.  But the other groups also have to be added to the
permissions for C: with the appropriate Full Control (or whatever)
permissions for each group (Administrators, SYSTEM, etc.) as the client
machines have by default (depending on your security situation, or
template applied to the machine, i.e., XPCompatws.sdb).  You are building
a list of security principals (groups) that have specific types of
access to drive C:  All of drive C:  This is intended to be applied from
a GPO, so when you add the Users group (if you're editing from a server),
it would be %ComputerName%\Users for the group name.
 

Doug Delaney
GM Desktop Engineering
Global Client Engineering GM
1075 W. Entrance Dr., MS 2B, Cube 2130
Auburn Hills, MI 48326
Lab: 248-365-9187
Tel: 248-754-7917
Pg: 248-870-0306 pager
Mail: Doug.Delaney@xxxxxxx <mailto:Doug.Delaney@xxxxxxx>  

Note: The information in this email is intended solely for the
addressee. Access to this email by anyone else is unauthorized. If you
are not the intended recipient, any disclosure, copying, distribution or
any action taken or omitted to be taken in reliance on it is prohibited.

 


________________________________

        From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Eric Middleton
        Sent: Friday, September 22, 2006 12:17 PM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Re: drive access attention Doug
        
        

        Thanks man, I got it finally. My problem was I was selecting a
group instead of the user on the local machine.  Thanks again man, you
were a great help.  Holla if you need anything.

         

        
________________________________


        From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Delaney, Doug
        Sent: Friday, September 22, 2006 10:35 AM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Re: drive access attention Doug

         

        Eric,

         

        In the normal security properties dialog, you will need to add
all accounts, such as Administrators, System, Power Users, etc. that
match the current permissions on the C: drive.  Then, using the Advanced
button, you can add the Users group multiple times.  One of them is
configured as the left side, and this is the key... the Apply onto
field needs to be set to "this folder only".  Then add the second entry
for the Users group, and in the Apply onto field, make it "subfolders
and files only", and configure that as the right diagram.  This makes
the first entry remove the users' right to create folders or files on C:,
but allows them read/write access to all subfolders and files of C:.

         

        We can take this offline, if you need more help.  Glad to see
you're testing it, as that is very important.  Crucial, in fact.

         

        Doug Delaney

         

                 

                
________________________________


                From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Eric Middleton
                Sent: Thursday, September 21, 2006 11:57 AM
                To: gptalk@xxxxxxxxxxxxx
                Subject: [gptalk] Re: drive access attention Doug

                Ok, I have tried this a few times and still am a little
confused. How do I do this 2 different ways like shown below?  I can
only do one or the other, correct?  When I attempt to recreate what is in
the left pic, the system won't let anyone log on.

                 

                
________________________________


                From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Delaney, Doug
                Sent: Wednesday, September 20, 2006 12:18 PM
                To: gptalk@xxxxxxxxxxxxx
                Subject: [gptalk] Re: drive access

                 

                I would add the %SystemDrive% to the File System
entries, under Computer Configuration | Windows Settings | Security
Settings | File System and configure the (Advanced) permissions for the
user group required (my example uses the "Users" built-in group).
Ensure you select This folder only in the apply onto field, and deny
creating files and folders.  Also ensure that you configure all other
security settings required (to match what they are locally) as this will
replace the existing permissions with a new set of permissions... so be
VERY careful w/regard to inheritance.  This means you will be replacing the
entire set of permissions on drive C:, so you will have to add an
additional entry for Users (in my example) where apply onto is set to
"subfolders and files only".   When you click ok, then click on
Configure this file or folder then, select replace permissions on all
subfolders and files.  Please ensure you include ALL other groups
currently defined on Drive C...  Everywhere, paying special attention to
Program Files, Documents and Settings, and the %SystemRoot% folders.
AGAIN, you are replacing ALL security settings on drive C: using this
method.  But, it gives you complete and granular control.  You also want
to TEST using only one entry for users at the root of C:, and see if
that does or does not replace all lower permissions (subfolders) if you
select propagate inheritable permissions on all subfolders and files
(instead of replace), but I have not had the expected results using that
in the past.  Warning: Don't lock out Administrators or SYSTEM...

                 

                 

                Such as 

                    

                 

                Doug Delaney

                 

                         

                        
________________________________


                        From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Eric Middleton
                        Sent: Wednesday, September 20, 2006 12:48 PM
                        To: gptalk@xxxxxxxxxxxxx
                        Subject: [gptalk] drive access

                        Anyone know how to make the root of c non
accessible.  I have told the group policy not to allow saving of files
to c, however if you create a new folder you can save to that folder.
Anyone know how to stop this?

JPEG image

JPEG image
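
Added example (not part of the original thread and not written by its participants): a PowerShell rehearsal of the permission layout described above, applied to a scratch folder so it can be tested before the same entries go into the GPO's File System setting for %SystemDrive%. The path $Root, the helper New-Rule and the specific rights given to each entry are assumptions, since the thread's screenshots are not available.

```powershell
# Added example: rehearse the thread's ACL layout on a scratch folder, never on C:\ first.
# $Root is a hypothetical test path; the exact rights per entry are assumptions.
$Root = Join-Path $env:TEMP 'acl-rehearsal'
$Sub  = Join-Path $Root 'sub'
New-Item -ItemType Directory -Path $Sub -Force | Out-Null

# Well-known SIDs, so the script does not depend on localized group names.
$Admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$System = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'
$Users  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

function New-Rule($Sid, $Rights, $Inherit, $Propagate, $Type) {
    $r = [System.Security.AccessControl.FileSystemRights]$Rights
    $i = [System.Security.AccessControl.InheritanceFlags]$Inherit
    $p = [System.Security.AccessControl.PropagationFlags]$Propagate
    $t = [System.Security.AccessControl.AccessControlType]$Type
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Sid, $r, $i, $p, $t
}
$Tree = 'ContainerInherit, ObjectInherit'    # inheritable by subfolders and by files

$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)  # "replace": drop entries inherited from the parent
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# "Don't lock out Administrators or SYSTEM": add them before touching Users.
$acl.AddAccessRule((New-Rule $Admins 'FullControl' $Tree 'None' 'Allow'))
$acl.AddAccessRule((New-Rule $System 'FullControl' $Tree 'None' 'Allow'))
# Users entry 1, "This folder only": may read the root, may not create in it.
$acl.AddAccessRule((New-Rule $Users 'ReadAndExecute' 'None' 'None' 'Allow'))
$acl.AddAccessRule((New-Rule $Users 'CreateFiles, CreateDirectories' 'None' 'None' 'Deny'))
# Users entry 2, "Subfolders and files only": InheritOnly keeps it off the root itself.
$acl.AddAccessRule((New-Rule $Users 'Modify' $Tree 'InheritOnly' 'Allow'))
Set-Acl -Path $Root -AclObject $acl

# Check 1: the stored entries. Check 2: behaviour at the root versus one level down.
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights,
                 InheritanceFlags, PropagationFlags -AutoSize
foreach ($dir in $Root, $Sub) {
    $probe = Join-Path $dir ("probe-{0}.txt" -f (Get-Random))
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        "$dir : create allowed"
    } catch { "$dir : create denied" }
}
```

Run it as a standard user and again from an elevated prompt: a Deny entry applies to any token that carries the Users SID, so compare both results before relying on the layout.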
