Group policy in Win2K - Does it have any use really?

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Is it possible to prevent users’ access to system folder (C:\WINNT) or system drive (drive C: ) through command prompt? We discovered that hiding and preventing access to C: drive through group policy has no meaning, if a user can access the same using the command prompt. Preventing users’ access to command prompt is not a good idea (it is required, especially in an educational institution for verity of reason). Also we found that it is possible to access denied resource (like drive C: ) using other methods (preventing access to command prompt has no use if you can use your own program to do the same)

We are evaluating Windows 2000 to see if it fits and behaves well in our organization. So far (compared to Linux) results are not so encouraging. Is it possible to lockdown a user to his/her home directory (like that in Linux)

Regards
Alertey
 
Yes. Change the permissions on the folders you want to
keep the user out of via Group Polict. You can also turn
off command prompt access for users. Your apps will still
run.

Cheers.

Colin
-----Original Message-----
Is it possible to prevent usersâ?T access to system
Click to expand...
folder (C:\WINNT) or system drive (drive C: ) through
command prompt? We discovered that hiding and preventing
access to C: drive through group policy has no meaning, if
a user can access the same using the command prompt.
Preventing usersâ?T access to command prompt is not a good
idea (it is required, especially in an educational
institution for verity of reason). Also we found that it
is possible to access denied resource (like drive C: )
using other methods (preventing access to command prompt
has no use if you can use your own program to do the same).
We are evaluating Windows 2000 to see if it fits and
Click to expand...
behaves well in our organization. So far (compared to
Linux) results are not so encouraging. Is it possible to
lockdown a user to his/her home directory (like that in
Linux)?
 
Comparing Group Policy to ACLs across OS is like comparing apples to
bananas.

The basic mechanism of user access control is through ACLs. If all your
users are only in the usual "Users" group and that group does not have Read
ACL to any resource in C:\WINNT, Windows itself will absolutely deny access
to those files from the users no matter how they try to access the file.

Linux uses basically the same idea, so I'm not certain what is "not so
encouraging" in the comparison since it's essentially incomparable and
incomplete. The "Documents and Settings" folder is analogous to the /home
directory, and each user only has ACL to their own folders underneath here.
If you control the user's group membership, you can control their
file/directory access completely by ACLs.

Group Policy controls additional privileges and should be considered an
additional compliment to ACLs.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
message Is it possible to prevent users' access to system folder (C:\WINNT) or
system drive (drive C: ) through command prompt? We discovered that hiding
and preventing access to C: drive through group policy has no meaning, if a
user can access the same using the command prompt. Preventing users' access
to command prompt is not a good idea (it is required, especially in an
educational institution for verity of reason). Also we found that it is
possible to access denied resource (like drive C: ) using other methods
(preventing access to command prompt has no use if you can use your own
program to do the same).

We are evaluating Windows 2000 to see if it fits and behaves well in our
organization. So far (compared to Linux) results are not so encouraging. Is
it possible to lockdown a user to his/her home directory (like that in
Linux)?

Regards,
Alerteye
 
Back
Top