Keeping a user captive in XP - restricting writes, directories, etc.

[giantcrazy]

Hi all-

Does anyone know if there's a way to limit where a user can write to
in XP? Preferably without add-on software, but if commercial access
control software is required, recommendations are helpful.

Without getting into the long and short of it - I have some machines
that are going to be shared, all amongst authorized users. I'd rather
that the users don't see each other's data (which, just using NTFS
permissions would be sufficient if the users behaved properly), so I'd
like to do two things - one, keep all writes (except for operating
system patches/updates/caches/etc.) off the C: drive and into a
designated area (think sandbox, but not quite). Two, I'm going to
devise a set of scripts that would run at logon and logoff, to cleanse
this area to ensure that no data from the prior user has been left
behind.

Anyone know if what I'm suggesting is feasible/doable? I've never
tried to keep a user completely off C: before, and the research I've
done thus far indicates it's not possible. It is very similar to most
Citrix deployments, where a thin-client user would be given a C:\
that's read-only (to them at least).

Any advice is greatly appreciated!

-GC

 

[Shenan Stanley]

Does anyone know if there's a way to limit where a user can write to
in XP? Preferably without add-on software, but if commercial access
control software is required, recommendations are helpful.

File and Folder permissions (NTFS.)

Without getting into the long and short of it - I have some machines
that are going to be shared, all amongst authorized users. I'd
rather that the users don't see each other's data (which, just
using NTFS permissions would be sufficient if the users behaved
properly), so I'd like to do two things - one, keep all writes
(except for operating system patches/updates/caches/etc.) off the
C: drive and into a designated area (think sandbox, but not quite).
Two, I'm going to devise a set of scripts that would run at logon
and logoff, to cleanse this area to ensure that no data from the
prior user has been left behind.

Unless you have given your users too much power on the local machine - they
should not be able to see one another's files anyway.

Anyone know if what I'm suggesting is feasible/doable? I've never
tried to keep a user completely off C: before, and the research I've
done thus far indicates it's not possible. It is very similar to
most Citrix deployments, where a thin-client user would be given a
C:\ that's read-only (to them at least).

Any advice is greatly appreciated!

I'm really having trouble seeing what it is you are trying to accomplish vs.
just using NTFS file/folder permissions. I have managed machines that had
potentially 40,000 users per machines (whole open labs for universities) and
no matter how many users accessed a given machine during a given period of
time - I had no worries that one user could see/affect another user's files.

Please explain this statement in full...

"... which, just using NTFS permissions would be sufficient if the users
behaved properly ..."

Are you trying to resolve a social/training issue with technology?

 

[giantcrazy]

Shenan-

The problem is I can't guarantee that these users won't have
administrative rights. That's why the goal here is to combine the
NTFS permissions with a cleanup utility, either scripts or software,
that would take all the files created by the previous user and delete
them. Granted, there are pitfalls there too (people can bypass
startup scripts, etc.), but I want to attack the problem on as many
levels possible.

Thanks,
-GC

 

[Shenan Stanley]

The problem is I can't guarantee that these users won't have
administrative rights. That's why the goal here is to combine the
NTFS permissions with a cleanup utility, either scripts or software,
that would take all the files created by the previous user and
delete them. Granted, there are pitfalls there too (people can
bypass startup scripts, etc.), but I want to attack the problem on
as many levels possible.

So - as I said - you are trying to fix a social issue with software. This
is a problem that needs to be fixed with policies/procedures and tangible
consequences.

As you seem to know - nothing you do - if the user has administrative
rights - will have the impact it needs. :-(

If the users have roaming profiles - you could change group policies so that
the profile is deleted after it is uploaded back to the server (when the
user logs off.)

 

[giantcrazy]

Not quite a social issue as much as an environmental issue - this is a
large corporate environment which is unfortunately in a pre-merger
state, so there are a lot of complications along the way. If it was
as simple as ensuring that all the users were not granted admin rights
or applying some policy enforcements at the domain level, I'd be a lot
better off :-(

That said - I realize that containing and cleansing the users is
somewhat kludgey, but after examining the parameters that I have to
work with (the need for a solution yesterday, unwillingness of various
administrative groups to work together towards a solution), it's the
only choice I've got.

Besides, after having the suggestion pop up in one of the calls
regarding the requirement, I'm curious more than anything. Is there
any reliable way to force a user into a very limited set of
directories?

 

[Jean Rosenfeld]

Maybe Windows SteadyState would let you do what you want.

http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx