Granting access to C:

Status
Not open for further replies.

Bryan486

IS-IT--Management
Nov 23, 2005
Hi there,

Can anyone help with the following?

Is there a way of using Group Policy for an OU to set permissions on the C: drive of the PC a user logs on to?

Basically I need a user to have the required access to install programs via a logon script. At present, everything I try fails, and trying to write anything to C:\, C:\Windows, etc. says "access denied" when logged in as the user (administrators are fine).

I'm sure under NT4 you could just make the DomainUsers group a member of the Local Power Users group but this doesn't work on Server 2000 / Windows XP.

Any help would be appreciated and the more secure the suggestion, the better - obviously I don't want them to log on to a server (heaven forbid) and have full access to that.

Many thanks,
Bryan

 
In your script, you can adjust the NTFS Access Control List (ACL) on C: using cacls.exe to give permissions to domain users, install the program, then use cacls.exe at the end of the script to remove those permissions.

A+/MCP/MCSE/MCDBA
 
My last post won't work; it would require too many permissions. Why not just simply adjust the NTFS permissions on C: of the local PC to give domain users the right to read/write to it?

A+/MCP/MCSE/MCDBA
 
Hi,

Thanks for the reply.

Yes, I can do that (and have done on one or two PCs) but it's a bit of a pain to visit each PC to do it.

I did try something with cacls without any success.

This would seem like something most administrators would want to do at some point (i.e., set the permission today to install something tomorrow morning, then revoke the permission once installed). I find it odd that there isn't something I can do centrally to switch the permission on and off.

Any other ideas anyone?!

Thanks in advance,
Bryan
 
You can use group policy to make domain users members of the local power users group.

Computer Configuration>Windows Settings>Security Settings>Restricted Groups

Either make sure that the OU you apply this to doesn't contain computers you do not want this to apply to (i.e. domain controllers, member servers). Apply this to an OU that only has client PCs on which you wish to promote domain users to local Power Users.

Or you can also do the following:

Make a security group called "special computers" and make all the domain controllers, member PCs, etc. members of this group. Then through advanced view, edit the security permissions on the GPO and DENY "apply policy" to this computer group. This prevents this policy from applying to those computers in that group.


A+/MCP/MCSE/MCDBA
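
Added example, not part of the thread: a Restricted Groups setting like the one described in the post above is stored in the GPO's GptTmpl.inf security template under `[Group Membership]`. The Python sketch below audits such a template for broad principals placed into privileged local groups; it goes beyond the Power Users case by also checking Administrators, Everyone and Authenticated Users, and the sample template and its domain SID are constructed.

```python
import re

# Well-known SIDs (fixed values on every Windows system).
PRIVILEGED_LOCAL_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-547": "Power Users",
}
BROAD_PRINCIPALS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
DOMAIN_USERS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")  # RID 513 = Domain Users

def broad_name(sid):
    """Name of a broad principal for this SID, or None if it is not one."""
    if sid in BROAD_PRINCIPALS:
        return BROAD_PRINCIPALS[sid]
    return "Domain Users" if DOMAIN_USERS.match(sid) else None

def audit_restricted_groups(inf_text):
    """Return (local_group, broad_member) pairs found in [Group Membership]."""
    findings, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group_sid, _, kind = key.strip().lstrip("*").partition("__")
        # Only "__Members" lines define who is placed inside the group.
        if kind.lower() != "members" or group_sid not in PRIVILEGED_LOCAL_GROUPS:
            continue
        for member in value.split(","):
            name = broad_name(member.strip().lstrip("*"))
            if name:
                findings.append((PRIVILEGED_LOCAL_GROUPS[group_sid], name))
    return findings

# Constructed sample template; the domain SID is made up.
SAMPLE = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = *S-1-5-21-1111111111-2222222222-3333333333-513
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512
"""

if __name__ == "__main__":
    for group, member in audit_restricted_groups(SAMPLE):
        print(f"{member} is forced into local {group}")
```

On a real GPO the template is normally UTF-16 encoded, so decode it before passing the text in.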
 
Thanks, but this seems to be a problem too: I had made DomainUsers a member of the Power Users group on the local PC but they still have no rights to install anything.

I can't think of anything else I've done which might restrict it.

Can anyone confirm that making a user a member of local Power Users actually works?

Thanks very much for your reply though - this problem is driving me mad and it's very useful to have some ideas.

Bryan
 
Sorry - when I said "Can anyone confirm that making a user a member of local Power Users actually works?", I meant on their network, as it doesn't seem to on mine.

Thanks for any help.

Bryan
 