Restrict User from certain folders

G

guy

Is there away to restrict users from accessing certain folders locally on
there pc, through group policy. so in user configuration.
 
M

MadDHatteR

This is done with the NTFS access control lists (right click, properties,
security), not GPOs. In a round-about way, you could conceivably use GPOs to
enforce NTFS permissions, but that's unnecessary. Simply don't check the
"Allow" box for the given file(s)/folder(s) for a given user/group. If you
want the permissions to propagate to sub-folders, don't forget to check that
in the advanced options.

\\ MadDHatteR
 
G

guy

We are wanting to do it from GP, cause we have 2600 users, i dont want to
touch the machines, any ideas?>
 
M

MadDHatteR

guy said:
We are wanting to do it [set NTFS permissions on local workstations] from GP, cause
we have 2600 users, i dont want to touch the machines, any ideas?
Click to expand...

My opinion is these permissions should've been locked down from the very
beginning (not to blame you -- I've no idea what your setup is), but given
your current position I'd make a cmd/VB/Java/Perl/<?whatever?> script to set
the desired permissions in the desired locations then:

for <each computer in the OU/domain>
rem "each computer" can be from a textfile created by another script...
whatever
copy fixperms.cmd \\%%computer\C$\temp
AT \\%%computer <choose a time> C:\temp\fixperms.cmd
next

fixperms.cmd could be as simple as a batch script that uses the cacls
command to assign/revoke permissions as necessary. If you like it better, it
could be something more complex/elegant. You should be able to find scripts
on Technet that will enumerate computers in an ou/domain, as well as scripts
to set permissions.

\\ MadDHatteR
 
R

Rolf

Look in Computer Configuration -> Windows Settings -> Security Settings ->
File System
There you can add files and folders and specify rights.
 
G

guy

But doesnt that affect the computer only, and will not give admin or power
users the right they need to certain programs?
 
R

Rolf

You can give different permissions to your user groups. Both local groups
and groups in your network.
Power users can have full control and ordinary domain users can have no
access to different folders.
Create an test OU for trying this out.
I'm quite sure you will manage to do what you want.

Rolf
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Restricting FTP access via windows Explorer 0
Prevent users to delete the files on network and hide the IE to br 1
Restricting domain user account from logging on certain member workstations 2
Denying domain user from loggin on member workstation 2
How to Completely Restrict Floppy/CD-ROM Access using a Group Policy? 6
GPO to restrict logons to some computers 3
Restrict Startup 5
Edit group policy for certain users only 1

Top