[gptalk] Re: drive access attention Doug

  • From: "Delaney, Doug" <doug.delaney@xxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 22 Sep 2006 11:34:47 -0400

Eric,
 
In the normal security properties dialog, you will need to add all
accounts, such as Administrators, System, Power Users, etc., that match
the current permissions on the C: drive.  Then, using the Advanced
button, you can add the Users group multiple times.  One of them is
configured as the left side, and this is the key... the Apply onto
field needs to be set to "this folder only".  Then add the second entry
for the Users group, and in the Apply onto field, make it "subfolders
and files only", and configure that as the right diagram.  This makes
the first entry remove the Users' right to create folders or files on C:,
but allows them read/write access to all subfolders and files of C:.
 
We can take this offline, if you need more help.  Glad to see you're
testing it, as that is very important.  Crucial, in fact.
 

Doug Delaney
GM Desktop Engineering
Global Client Engineering GM
1075 W. Entrance Dr., MS 2B, Cube 2130
Auburn Hills, MI 48326
Lab: 248-365-9187
Tel: 248-754-7917
Pg: 248-870-0306 pager
Mail: Doug.Delaney@xxxxxxx <mailto:Doug.Delaney@xxxxxxx>  

Note: The information in this email is intended solely for the
addressee. Access to this email by anyone else is unauthorized. If you
are not the intended recipient, any disclosure, copying, distribution or
any action taken or omitted to be taken in reliance on it is prohibited.
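
The two Users entries described in the message above, shown as an added PowerShell example (not part of the original thread). It assumes a scratch folder under %TEMP% rather than the root of C:, and the exact rights chosen for each entry are assumptions, because the diagrams attached to the thread are not preserved. It adds the entries to the folder's existing ACL and does not reproduce the Group Policy "replace permissions" behaviour.

```powershell
# Added example: works on a scratch folder, never on the system drive itself.
$root = Join-Path $env:TEMP 'acl-demo-root'          # hypothetical test path
New-Item -ItemType Directory -Path $root -Force | Out-Null
New-Item -ItemType Directory -Path (Join-Path $root 'sub') -Force | Out-Null

# BUILTIN\Users by well-known SID, so the script works on localized systems.
$users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

$ns          = 'System.Security.AccessControl'
$thisOnly    = [enum]::Parse("$ns.InheritanceFlags" -as [type], 'None')
$children    = [enum]::Parse("$ns.InheritanceFlags" -as [type], 'ContainerInherit, ObjectInherit')
$noProp      = [enum]::Parse("$ns.PropagationFlags" -as [type], 'None')
$inheritOnly = [enum]::Parse("$ns.PropagationFlags" -as [type], 'InheritOnly')

# Entry 1, "This folder only": deny creating files and folders in the root itself.
$denyCreate = New-Object "$ns.FileSystemAccessRule" (
    $users,
    [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories',
    $thisOnly, $noProp,
    [System.Security.AccessControl.AccessControlType]::Deny)

# Entry 2, "Subfolders and files only": allow read/write below the root.
# (ReadAndExecute + Write is an assumed stand-in for the thread's "read/write".)
$allowBelow = New-Object "$ns.FileSystemAccessRule" (
    $users,
    [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write',
    $children, $inheritOnly,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $root
$acl.AddAccessRule($denyCreate)
$acl.AddAccessRule($allowBelow)
Set-Acl -Path $root -AclObject $acl

# Read back only the explicit (non-inherited) entries for Users and show
# how the "Apply onto" choices map to inheritance and propagation flags.
(Get-Acl -Path $root).GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $users } |
    Format-Table AccessControlType, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

The Deny entry should list InheritanceFlags `None`, and the Allow entry should list `ContainerInherit, ObjectInherit` with PropagationFlags `InheritOnly`, which is what the dialog's "This folder only" and "Subfolders and files only" choices correspond to.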

 


________________________________

        From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Eric Middleton
        Sent: Thursday, September 21, 2006 11:57 AM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Re: drive access attention Doug
        
        

        OK, I have tried this a few times and am still a little confused.
How do I do this 2 different ways like shown below?  I can only do one
or the other, correct?  When I attempt to recreate what is in the left
pic, the system won't let anyone log on.

         

        
________________________________


        From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Delaney, Doug
        Sent: Wednesday, September 20, 2006 12:18 PM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Re: drive access

         

        I would add the %SystemDrive% to the File System entries, under
Computer Configuration | Windows Settings | Security Settings | File
System and configure the (Advanced) permissions for the user group
required (my example uses the "Users" built-in group).  Ensure you
select This folder only in the apply onto field, and deny creating files
and folders.  Also ensure that you configure all other security settings
required (to match what they are locally) as this will replace the
existing permissions with a new set of permissions... so be VERY careful
w/regard to inheritance.  This means you will be replacing the entire set of
permissions on drive C:, so you will have to add an additional entry for
Users (in my example) whose apply onto is set to "subfolders and files
only".   When you click OK, then click on Configure this file or folder,
then select replace permissions on all subfolders and files.  Please
ensure you include ALL other groups currently defined on Drive C...
Everywhere, paying special attention to Program Files, Documents and
Settings, and the %SystemRoot% folders.  AGAIN, you are replacing ALL
security settings on drive C: using this method.  But, it gives you
complete and granular control.  You also want to TEST using only one
entry for users at the root of C:, and see if that does or does not
replace all lower permissions (subfolders) if you select propagate
inheritable permissions on all subfolders and files (instead of
replace), but I have not had the expected results using that in the
past.  Warning: Don't lock out Administrators or SYSTEM...

         

         

        Such as 

            

         


         

                 

                
________________________________


                From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Eric Middleton
                Sent: Wednesday, September 20, 2006 12:48 PM
                To: gptalk@xxxxxxxxxxxxx
                Subject: [gptalk] drive access

                Anyone know how to make the root of c non accessible?  I
have told the group policy not to allow saving of files to c; however, if
you create a new folder you can save to that folder.  Anyone know how to
stop this?
