If you don't want to "Deny" all users, then deselect "Deny" and do NOT select "Allow" for the Users group; that way Admins should still be able to do it, but users won't.

Doug Delaney
GM Desktop Engineering
Global Client Engineering
GM
1075 W. Entrance Dr., MS 2B, Cube 2130
Auburn Hills, MI 48326
Lab: 248-365-9187
Tel: 248-754-7917
Pg: 248-870-0306 pager
Mail: Doug.Delaney@xxxxxxx

Note: The information in this email is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited.

________________________________
From: Delaney, Doug
Sent: Friday, September 22, 2006 1:45 PM
To: 'gptalk@xxxxxxxxxxxxx'
Subject: RE: [gptalk] Re: drive access attention Doug

An Admin is a user too... And, Deny always takes precedence.

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Eric Middleton
Sent: Friday, September 22, 2006 12:35 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: drive access attention Doug

Well, I spoke too soon. It is working for users, but it also will not let me make a new folder on C.
I have added admins and gave full control, but it is still not letting anyone create a new folder on C.

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Delaney, Doug
Sent: Friday, September 22, 2006 10:35 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: drive access attention Doug

Eric, in the normal security properties dialog, you will need to add all accounts, such as Administrators, System, Power Users, etc., that match the current permissions on the C: drive.

Then, using the Advanced button, you can add the Users group multiple times. One of them is configured as the left side, and this is the key... the Apply onto field needs to be set to "this folder only". Then add the second entry for the Users group, and in the Apply onto field, make it "subfolders and files only", and configure that as the right diagram.

This makes the first entry remove the users' right to create folders or files on C:, but allows them read/write access to all subfolders and files of C:.

We can take this offline, if you need more help. Glad to see you're testing it, as that is very important. Crucial, in fact.
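The two-entry layout described in this thread, written out with the .NET ACL classes as an added example (not code from anyone on the list). It uses Allow entries only, following the later advice that an Admin is a user too and Deny takes precedence; the scratch folder path, the helper name New-AllowRule and the exact rights chosen (ReadAndExecute, Modify) are assumptions, since the diagrams the messages refer to are not on the page.

```powershell
# Added example: applies the ACL to a scratch folder (assumed path), not to C:\.
# Run elevated so the Administrators entry covers the account making the change.
$root = Join-Path $env:TEMP 'acl-root-demo'   # hypothetical stand-in for the drive root
New-Item -ItemType Directory -Path (Join-Path $root 'sub') -Force | Out-Null

# Well-known SIDs avoid localized group names.
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$system = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'
$users  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

function New-AllowRule {   # hypothetical helper: builds one Allow ACE
    param(
        [System.Security.Principal.IdentityReference]$Sid,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Sid, $Rights, $Inherit, $Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)   # replace: do not keep inherited entries
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$both = 'ContainerInherit, ObjectInherit'
$rules = @(
    # Keep Administrators and SYSTEM at full control everywhere.
    (New-AllowRule $admins 'FullControl' $both 'None'),
    (New-AllowRule $system 'FullControl' $both 'None'),
    # "This folder only": Users can list the root; no create right is granted, no Deny is set.
    (New-AllowRule $users 'ReadAndExecute' 'None' 'None'),
    # "Subfolders and files only": Users get read/write below the root.
    (New-AllowRule $users 'Modify' $both 'InheritOnly')
)
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path $root -AclObject $acl

# Show the resulting entries on the root and what the subfolder inherited.
(Get-Acl $root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
(Get-Acl (Join-Path $root 'sub')).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited
```

A policy for a real system drive would also need every other group currently defined on the drive, as the thread stresses.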
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Eric Middleton
Sent: Thursday, September 21, 2006 11:57 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: drive access attention Doug

OK, I have tried this a few times and still am a little confused. How do I do this 2 different ways like shown below? I can only do one or the other, correct? When I attempt to recreate what is in the left pic, the system won't let anyone log on.

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Delaney, Doug
Sent: Wednesday, September 20, 2006 12:18 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: drive access

I would add the %SystemDrive% to the File System entries, under Computer Configuration | Windows Settings | Security Settings | File System, and configure the (Advanced) permissions for the user group required (my example uses the "Users" built-in group). Ensure you select "This folder only" in the Apply onto field, and deny creating files and folders.

Also ensure that you configure all other security settings required (to match what they are locally), as this will replace the existing permissions with a new set of permissions... so be VERY careful w/regard to inheritance. This means you will be replacing the entire set of permissions on drive C:, so you will have to add an additional entry for Users (in my example) where Apply onto is set to "subfolders and files only".

When you click OK, then click on "Configure this file or folder", then select "replace permissions on all subfolders and files". Please ensure you include ALL other groups currently defined on Drive C... Everywhere, paying special attention to Program Files, Documents and Settings, and the %SystemRoot% folders.

AGAIN, you are replacing ALL security settings on drive C: using this method. But, it gives you complete and granular control.
You also want to TEST using only one entry for Users at the root of C:, and see if that does or does not replace all lower permissions (subfolders) if you select "propagate inheritable permissions on all subfolders and files" (instead of replace), but I have not had the expected results using that in the past.

Warning: Don't lock out Administrators or SYSTEM... Such as

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Eric Middleton
Sent: Wednesday, September 20, 2006 12:48 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] drive access

Anyone know how to make the root of C non-accessible? I have told the group policy not to allow saving of files to C; however, if you create a new folder, you can save to that folder. Anyone know how to stop this?