Permissions on 'My documents'

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Dear All,
How can I provide 'write' access to users on their 'My Documents'
folder, at the same time denying them 'write' access on their local drive?
Can this be possible without redirecting ‘My documents’ to a network
folder?

Regards
Ram
 
Ram,
From your post's implications it seems you are considering placing a
Deny of Write over all hard disk on a user's system, or or otherwise
effecting removal of all grants of Write - with the exception of their
My Documents.

Any account needs the ability to write in some areas outside of their
My Documents.

If you are using an XP client system you will find that users that have
only limited accounts are fairly much restricted to only what is needed,
except that they have a grant at the root of the install drive allowing
them to make new folders at that level and have full control of them
(change the Users grants so read/execute is the only one, removing
the two special grants that allow creates, and remove the Creator
Owner grant, and DO NOT use the checkbox that makes the change
over all that is contained).
If there are other partitions besides the install partition, adjust those
as desired. You do not need to be so careful with those others as
one MUST BE CAREFUL with the install partition.
 
Thanks Roger.
But how can I restrict users from creating folders on the root through GPO.

Regards
Ram
 
It at first seems simple to do so, using any of a number of ways (a startup
script that uses xcacls, or applies a security conf template).
However, test, test, test as the normal settings would cause a propagation
onto the substructure, but what you want to do is to leave all existing
spots
where inheritance is block as they are, changing only the ACL on the root.
 
Hi Roger,
Got the solution. We need to use the ‘File system’ setting. In the
GPO related to the concerned users, go to
Computer Configuration->Windows setting->Security setting->’File
System’-> Right click on ‘File system’-> Click on ‘Add File’. Select C: drive.
Add the user to the list and modify the security setting to ‘Read and
execute’. In this way, the user will only have read access on C drive.

To provide ‘modify’ access to the user on his profile, go to the GPO
Computer Configuration->Windows setting->Security setting->File system’->
Right click on ‘File system’-> Click on ‘Add File’. Browse to ‘Administrator’
profile in ‘Document and settings’ folder this time. [We assume that you are
using ‘Administrator’ account to modify GPO settings]

Add user to the security list and modify the security setting to ‘Modify’.
This way the users will have ‘write’ and ‘modify’ access on their profile.

Hence the users will be able to create files and folders only on their
profile.

Regards
Ram
 
Back
Top