Click here to get back home

Deny install on c:\ drive
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Deny install on c:\ drive Sam 12-10-2005
Posted by Sam on December 10, 2005, 4:43 pm
Please log in for more thread options
 Is it possible to deny a group to save any data and install any programs on
c:\ (system drive) ?

Thank you,
Sam



Posted by Dave on December 10, 2005, 5:21 pm
Please log in for more thread options
 sure. but you will have to be careful about where their profiles are
stored. and i'm not sure that there won't be some other side effects. in
win 2000/xp there is the 'users' group who can't write to many of the
folders on the system drive... but they still can have their own profile on
there.

> Is it possible to deny a group to save any data and install any programs
> on c:\ (system drive) ?
>
> Thank you,
> Sam
>



Posted by Steven L Umbach on December 10, 2005, 7:50 pm
Please log in for more thread options
As Dave referred to the users ability to save files will be a function of
where they have the permission to write to folders which would be in their
user profile, parts of the all users profile [shared folder], and also to
subfolders of the root/drive folder that they create which can be changed if
you look at the advanced permissions of the root/drive folder for users. By
default regular users can not write to the program files folder or \windows
folder structure with the exception of windows\temp folder where they have
special permissions to write files and subfolders. Regular users will not be
able to install most applications but not all though for XP Pro computers
you can use Software Restriction Policies to really lockdown a computer with
mostly path and hash rules as explained in the link below. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

> Is it possible to deny a group to save any data and install any programs
> on c:\ (system drive) ?
>
> Thank you,
> Sam
>



Posted by Leandro Amore on December 11, 2005, 5:05 pm
Please log in for more thread options
if you want to deny installation why don't you use Software Policies.??
> As Dave referred to the users ability to save files will be a function of
> where they have the permission to write to folders which would be in their
> user profile, parts of the all users profile [shared folder], and also to
> subfolders of the root/drive folder that they create which can be changed
> if you look at the advanced permissions of the root/drive folder for
> users. By default regular users can not write to the program files folder
> or \windows folder structure with the exception of windows\temp folder
> where they have special permissions to write files and subfolders. Regular
> users will not be able to install most applications but not all though for
> XP Pro computers you can use Software Restriction Policies to really
> lockdown a computer with mostly path and hash rules as explained in the
> link below. --- Steve
>
> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
>
>> Is it possible to deny a group to save any data and install any programs
>> on c:\ (system drive) ?
>>
>> Thank you,
>> Sam
>>
>
>



Posted by Roger Abell [MVP] on December 11, 2005, 5:59 pm
Please log in for more thread options
> if you want to deny installation why don't you use Software Policies.??

If only it were that simple . . . or, if it is would you clue us in ??

Part of the issue is that there are many installers one would have to
disallow with software policy, and there are installs that are only copy
to disk (without installers, reg entries, component registrations, etc.)

--
Roger Abell
Microsoft MVP (Windows Server : Security)

>> As Dave referred to the users ability to save files will be a function of
>> where they have the permission to write to folders which would be in
>> their user profile, parts of the all users profile [shared folder], and
>> also to subfolders of the root/drive folder that they create which can be
>> changed if you look at the advanced permissions of the root/drive folder
>> for users. By default regular users can not write to the program files
>> folder or \windows folder structure with the exception of windows\temp
>> folder where they have special permissions to write files and subfolders.
>> Regular users will not be able to install most applications but not all
>> though for XP Pro computers you can use Software Restriction Policies to
>> really lockdown a computer with mostly path and hash rules as explained
>> in the link below. --- Steve
>>
>> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
>>
>>> Is it possible to deny a group to save any data and install any programs
>>> on c:\ (system drive) ?
>>>
>>> Thank you,
>>> Sam
>>>
>>
>>
>
>



Similar ThreadsPosted
c:\ drive permissions June 23, 2005, 5:10 pm
Shared drive VS Security September 19, 2005, 4:22 pm
hide administrative drive November 1, 2005, 11:00 pm
Can't run 16 bit app from network drive in W2003 SP1 January 30, 2006, 5:09 pm
Drive Access Restriction April 20, 2006, 12:33 am
Drive access to particular user December 3, 2006, 7:54 am
CDROM Drive access denied October 31, 2005, 10:40 am
Not able to view secondary hard drive January 11, 2006, 9:53 am
Secrity applications that run on USB flash drive April 29, 2006, 11:06 am
Mapping drive on XP to server - what authentication is used? January 10, 2008, 3:11 pm

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap