[gptalk] Re: drive access attention Doug
- From: "Delaney, Doug" <doug.delaney@xxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Fri, 22 Sep 2006 13:59:44 -0400
If you don't want to "Deny" all users, then deselect "Deny" and do NOT
select "Allow" for the Users group, that way Admins should still be able
to do it, but users won't.
Doug Delaney
GM Desktop Engineering
Global Client Engineering GM
1075 W. Entrance Dr., MS 2B, Cube 2130
Auburn Hills, MI 48326
Lab: 248-365-9187
Tel: 248-754-7917
Pg: 248-870-0306 pager
Mail: Doug.Delaney@xxxxxxx <mailto:Doug.Delaney@xxxxxxx>
Note: The information in this email is intended solely for the
addressee. Access to this email by anyone else is unauthorized. If you
are not the intended recipient, any disclosure, copying, distribution or
any action taken or omitted to be taken in reliance on it is prohibited.
________________________________
From: Delaney, Doug
Sent: Friday, September 22, 2006 1:45 PM
To: 'gptalk@xxxxxxxxxxxxx'
Subject: RE: [gptalk] Re: drive access attention Doug
An Admin is a user too... And, Deny always takes precedence.
Doug Delaney
GM Desktop Engineering
Global Client Engineering GM
1075 W. Entrance Dr., MS 2B, Cube 2130
Auburn Hills, MI 48326
Lab: 248-365-9187
Tel: 248-754-7917
Pg: 248-870-0306 pager
Mail: Doug.Delaney@xxxxxxx <mailto:Doug.Delaney@xxxxxxx>
Note: The information in this email is intended solely for the
addressee. Access to this email by anyone else is unauthorized. If you
are not the intended recipient, any disclosure, copying, distribution or
any action taken or omitted to be taken in reliance on it is prohibited.
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Eric Middleton
Sent: Friday, September 22, 2006 12:35 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: drive access attention Doug
Well I spoke to soon. It is working for users but it
also will not let me make a new folder on c. I have added admins and
gave full control but still not letting anyone create a new folder to c
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Delaney, Doug
Sent: Friday, September 22, 2006 10:35 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: drive access attention Doug
Eric,
in the normal security properties dialog, you will need
to add all accounts, such as Administrators, System, Power Users, etc.
that match the current permissions on the C: drive. Then using the
advanced button, you can add the users group multiple times. One of
them is configured as the left side, and this is the key... the Apply
onto field, needs to be set to "this folder only", then add the second
entry for the Users group, and in the apply onto field, make it
"subfolders and files only". and configure that as the right diagram.
This makes the first entry remove the users right to create folders or
files on C:, but allows them read/write access to all subfolders and
files of C:.
We can take this offline, if you need more help. Glad
to see you're testing it, as that is very important. Crucial, in fact.
Doug Delaney
GM Desktop Engineering
Global Client Engineering GM
1075 W. Entrance Dr., MS 2B, Cube 2130
Auburn Hills, MI 48326
Lab: 248-365-9187
Tel: 248-754-7917
Pg: 248-870-0306 pager
Mail: Doug.Delaney@xxxxxxx <mailto:Doug.Delaney@xxxxxxx>
Note: The information in this email is intended solely
for the addressee. Access to this email by anyone else is unauthorized.
If you are not the intended recipient, any disclosure, copying,
distribution or any action taken or omitted to be taken in reliance on
it is prohibited.
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Eric Middleton
Sent: Thursday, September 21, 2006 11:57 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: drive access attention
Doug
Ok I have tried this a few times and still am a
little confused. How do I do this 2 different ways like shown below? I
can only do one or the other correct? when I attempt to recreate what
is in the left pic the system wont let anyone log on
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Delaney, Doug
Sent: Wednesday, September 20, 2006 12:18 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: drive access
I would add the %SystemDrive% to the File System
entries, under Computer Configuration | Windows Settings | Security
Settings | File System and configure the (Advanced) permissions for the
user group required (my example user the "Users" built-in group).
Ensure you select This folder only in the apply onto field, and deny
creating files and folders. Also ensure that you configure all other
security settings required (to match what they are locally) as this will
replace the existing permissions with a new set of permissions... so be
VERY careful w/regard to inheritance. This means you be replacing the
entire set of permissions on drive C: so will will have to add an
addition entry for Users (in my example) that apply onto is set to
"subfolders and files only". When you click ok, then click on
Configure this file or folder then, select replace permissions on all
subfolders and files. Please ensure you include ALL other groups
currently defined on Drive C... Everywhere, paying special attention to
Program Files, Documents and Settings, and the %SystemRoot% folders.
AGAIN, you are replacing ALL security settings on drive C: using this
method. But, it gives you complete and granular control. You also want
to TEST using only one entry for users at the root of C:, and see if
that does or does not replace all lower permissions (subfolders) if you
select propagate inheritable permissions on all subfolders and files
(instead of replace), but I have not had the expected results using that
in the past. Warning: Don't lock out Administrators or SYSTEM...
Such as
Doug Delaney
GM Desktop Engineering
Global Client Engineering GM
1075 W. Entrance Dr., MS 2B, Cube 2130
Auburn Hills, MI 48326
Lab: 248-365-9187
Tel: 248-754-7917
Pg: 248-870-0306 pager
Mail: Doug.Delaney@xxxxxxx
<mailto:Doug.Delaney@xxxxxxx>
Note: The information in this email is intended
solely for the addressee. Access to this email by anyone else is
unauthorized. If you are not the intended recipient, any disclosure,
copying, distribution or any action taken or omitted to be taken in
reliance on it is prohibited.
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Eric Middleton
Sent: Wednesday, September 20, 2006
12:48 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] drive access
Anyone know how to make the root of c
non accessible. I have told the group policy not to allow saving of
files to c however if you creat a new folder you can save to that
folder. Anyone know how to stop this?
Other related posts:
