[gptalk] Re: drive access
- From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Wed, 20 Sep 2006 10:47:22 -0700
Doug's points are well taken here. Using File System Security policy is
DANGEROUS when you're operating on the root of a volume. This is why I tend
to just prefer using something like cacls.exe instead of GP. Cacls lets you
append permissions, whereas GP is not as flexible. And since you only need
to do this once, GP's periodic refresh feature is probably overkill.
_____
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Delaney, Doug
Sent: Wednesday, September 20, 2006 10:18 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: drive access
I would add the %SystemDrive% to the File System entries, under Computer
Configuration | Windows Settings | Security Settings | File System and
configure the (Advanced) permissions for the user group required (my example
user the "Users" built-in group). Ensure you select This folder only in the
apply onto field, and deny creating files and folders. Also ensure that you
configure all other security settings required (to match what they are
locally) as this will replace the existing permissions with a new set of
permissions... so be VERY careful w/regard to inheritance. This means you
be replacing the entire set of permissions on drive C: so will will have to
add an addition entry for Users (in my example) that apply onto is set to
"subfolders and files only". When you click ok, then click on Configure
this file or folder then, select replace permissions on all subfolders and
files. Please ensure you include ALL other groups currently defined on
Drive C... Everywhere, paying special attention to Program Files, Documents
and Settings, and the %SystemRoot% folders. AGAIN, you are replacing ALL
security settings on drive C: using this method. But, it gives you complete
and granular control. You also want to TEST using only one entry for users
at the root of C:, and see if that does or does not replace all lower
permissions (subfolders) if you select propagate inheritable permissions on
all subfolders and files (instead of replace), but I have not had the
expected results using that in the past. Warning: Don't lock out
Administrators or SYSTEM...
Such as
Doug Delaney
GM Desktop Engineering
Global Client Engineering GM
1075 W. Entrance Dr., MS 2B, Cube 2130
Auburn Hills, MI 48326
Lab: 248-365-9187
Tel: 248-754-7917
Pg: 248-870-0306 pager
Mail: <mailto:Doug.Delaney@xxxxxxx> Doug.Delaney@xxxxxxx
Note: The information in this email is intended solely for the addressee.
Access to this email by anyone else is unauthorized. If you are not the
intended recipient, any disclosure, copying, distribution or any action
taken or omitted to be taken in reliance on it is prohibited.
_____
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Eric Middleton
Sent: Wednesday, September 20, 2006 12:48 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] drive access
Anyone know how to make the root of c non accessible. I have told the group
policy not to allow saving of files to c however if you creat a new folder
you can save to that folder. Anyone know how to stop this?
Other related posts:
