S
Sasa
I assigned the "File system" permissions in an Active Directory GPO on
the %systemroot% folder this way: Everyone ALLOW ALL, School personell
group JUST READ, students group DENY ALL.
The problem is the students and teachers cannot delete, rename or copy
files on their own desktop (other groups can) even if it doesn't
inherit the "C:\" permissions. I checked the profiles and the
permissions are correctly assigned to each user's profile directory in
"Documents and Settings".
The error message that pops up when a user tries to delete a file from
the desktop is:"Cannot access C:\ Access denied".
I tried to restrict "C:\" with other group policies, hide device,
disable search button in explorer, disable "Run" in Start menu... but
there are thousands of different ways to access it anyway like the
shortcut properties button "Find target" which could point you
directly in "C:\" or the "explore" option in the right mouse button
menu of the start button which doesn't hide "C:\" at all.
The only possibility is to use the NTFS permissions on the system
root.
I want to prevent users from installing programs in "C:\" or creating
directorys or files and even browsing the C:\ content letting them to
use their desktops like they want. Is there a way?
Thank you.
the %systemroot% folder this way: Everyone ALLOW ALL, School personell
group JUST READ, students group DENY ALL.
The problem is the students and teachers cannot delete, rename or copy
files on their own desktop (other groups can) even if it doesn't
inherit the "C:\" permissions. I checked the profiles and the
permissions are correctly assigned to each user's profile directory in
"Documents and Settings".
The error message that pops up when a user tries to delete a file from
the desktop is:"Cannot access C:\ Access denied".
I tried to restrict "C:\" with other group policies, hide device,
disable search button in explorer, disable "Run" in Start menu... but
there are thousands of different ways to access it anyway like the
shortcut properties button "Find target" which could point you
directly in "C:\" or the "explore" option in the right mouse button
menu of the start button which doesn't hide "C:\" at all.
The only possibility is to use the NTFS permissions on the system
root.
I want to prevent users from installing programs in "C:\" or creating
directorys or files and even browsing the C:\ content letting them to
use their desktops like they want. Is there a way?
Thank you.