Restrict User from certain folders

guy

Is there a way to restrict users from accessing certain folders locally on
their PC through Group Policy, so in User Configuration?
 
This is done with the NTFS access control lists (right click, properties,
security), not GPOs. In a round-about way, you could conceivably use GPOs to
enforce NTFS permissions, but that's unnecessary. Simply don't check the
"Allow" box for the given file(s)/folder(s) for a given user/group. If you
want the permissions to propagate to sub-folders, don't forget to check that
in the advanced options.

\\ MadDHatteR
 
We are wanting to do it from GP, 'cause we have 2600 users. I don't want to
touch the machines. Any ideas?
 
guy said:
We are wanting to do it [set NTFS permissions on local workstations] from GP, 'cause
we have 2600 users. I don't want to touch the machines. Any ideas?

My opinion is these permissions should've been locked down from the very
beginning (not to blame you -- I've no idea what your setup is), but given
your current position I'd make a cmd/VB/Java/Perl/<?whatever?> script to set
the desired permissions in the desired locations then:

rem computers.txt (hypothetical name): one computer per line; it can be created by another script
rem RUNAT is an example value; choose a time
set RUNAT=23:00
for /f %%c in (computers.txt) do (
    copy fixperms.cmd \\%%c\C$\temp
    at \\%%c %RUNAT% C:\temp\fixperms.cmd
)

fixperms.cmd could be as simple as a batch script that uses the cacls
command to assign/revoke permissions as necessary. If you like it better, it
could be something more complex/elegant. You should be able to find scripts
on Technet that will enumerate computers in an ou/domain, as well as scripts
to set permissions.

\\ MadDHatteR
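
A sketch of what the fixperms.cmd described in the post above could look like, as an added example that is not part of the original thread. The folder paths, the group name and the log location are assumptions to be replaced with your own values.

```batch
@echo off
rem fixperms.cmd - added example, not from the original thread.
rem Assumptions (placeholders): the folder list, GROUP and LOG below.
setlocal
set "LOG=C:\temp\fixperms.log"
set "GROUP=Users"

rem List every folder that should be locked down, one quoted path each.
for %%D in ("C:\Restricted1" "C:\Restricted2") do call :lockdown "%%~D"

endlocal
exit /b 0

:lockdown
rem Skip folders that do not exist on this machine and record that fact.
if not exist "%~1\" (
    >>"%LOG%" echo %date% %time% SKIP "%~1" not found
    exit /b 0
)

rem Grant first, so administrators and SYSTEM keep full control.
rem /E edits the existing ACL instead of replacing it, /T includes
rem subfolders, /C continues past access-denied errors.
cacls "%~1" /E /T /C /G Administrators:F >>"%LOG%" 2>&1
cacls "%~1" /E /T /C /G SYSTEM:F >>"%LOG%" 2>&1

rem Revoke the restricted group's access rights (/R is only valid with /E).
cacls "%~1" /E /T /C /R "%GROUP%" >>"%LOG%" 2>&1
>>"%LOG%" echo %date% %time% DONE "%~1" exit=%errorlevel%

rem Dump the resulting ACL into the log so the outcome can be reviewed.
cacls "%~1" >>"%LOG%" 2>&1
exit /b 0
```

Run it on a test machine first and read the ACL dump in the log to confirm the group no longer appears on the folder before scheduling it across the domain.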
 
Look in Computer Configuration -> Windows Settings -> Security Settings ->
File System
There you can add files and folders and specify rights.
 
But doesn't that affect the computer only, and will not give admin or power
users the rights they need to certain programs?
 
You can give different permissions to your user groups. Both local groups
and groups in your network.
Power users can have full control and ordinary domain users can have no
access to different folders.
Create a test OU for trying this out.
I'm quite sure you will manage to do what you want.

Rolf
 