
Group policy Restrictions C:\program Files 1

Status
Not open for further replies.

SteveAudus

Technical User
Oct 4, 2001
409
GB
I have a group of staff that use a piece of software that writes to C:\program Files on XP Pro Workstations.

I have completely unrestricted access to the local drives,
but how can I allow them access to write into this folder without making them Administrators.... which is never going to happen!!!

Any suggestions?

Cheers,
Steve Audus
Chaucer School UK

 
Can you allow them full control only to the folder(s) that they need to write to? Are all these users in a group? If not I would add them to a group and give the group either read/write perms or full control perms on the folders that they need to write to.
 
Thanks for that suggestion, but they are all in a group,
but I don't fancy having to change the security setting on 300 workstations.

Is it not possible to give groups of users higher security setting, to allow them more access to resources on local machines? Without making them administrators?

Cheers

Steve

 
What are the perms of the group? Make the group a member of Power Users and they should be able to write to the folder.
 
If you are using Windows 2000/2003 group policies then you can add the user Power Users group via Group Policies. That can be found in:
Computer Configuration\Windows Settings\Security Settings\Restricted Groups

Go there and add Power Users, then place the users or the group of users in there as members. Now by doing it, it will explicitly set it. Meaning that if there are any other users or groups manually set on any machine it will override them. I think if you put the users in as "Members Of" it will merge - but I am not 100%.

The way we do it is via Computer Configuration\Windows Settings\Security Settings\File System

This allows us to give users only access to folders that specific apps need.

There is a little quirk that we figured out with it. When you go to add a new file or folder and you simply type in: c:\Program Files\Application Dir

it will typically work. We had an issue in a couple places. So what we do now is from the machine you are editing the group policies from:
-in Windows Explorer go to c:\Program Files
-create a new folder with the same name that they need access to. (Ex: c:\Program Files\Mozilla Firefox)
-it DOES NOT MATTER if the application is even installed locally just create the c:\program files\app dir
-now in the File System policy add a new directory and point it to your c:\Program Files\Mozilla Firefox directory.
-When you click OK it will prompt you with File/Folder security settings
-now the dir should be shown in the policy as: %ProgramFiles%\Mozilla Firefox
-by doing it this way it ensures that it uses the %programfiles% variable. If you were to just type in %programfiles% it would just resolve as c:\Program Files on your local machine.

It is an extra step but it works every time.

-Matt
 
mwiner

Thanks for the reply, but I have the following problems.

On the 2000 server I have gone to
*************
Computer Configuration\Windows Settings\Security Settings\Restricted Groups

Go there and add Power Users, then place the users or the group of users in there as members.
*************

Q: Power Users are not there to select as they are not part of Windows 2000 Server Active Directory?

----------------------------

Computer Configuration\Windows Settings\Security Settings\File System

I have again tried to make changes and add a file, but
all this seems to do is change the permissions on the folders on the server not on the workstations.

Any other suggestions?

Thanks for the help.

Steve







 
When you get to the Restricted Group section you should be able to right click and 'Add Group'. Type in Power Users or browse for Power Users. The Power Users group is not listed in AD but if you do a browse, at the top pull down menu select your local computer instead of your domain you should then find the Power Users group.

That should work.

-Matt
 
mwiner

Thanks very much for helping me with this.

I have tried to browse for "local computer" but this does not pop up on Win 2k Server, I only have the option of Entire Directory & Our Domain.

Any other suggestions?

Cheers,
Steve

 
Are you editing the group policies on your domain controller or your desktop?
 
On your desktop from the windows 2000 CD or a network share, in the i386 directory there should be a file called adminpak.msi. Install that. I believe it can also be downloaded from Microsoft's Site.

This will allow you to access Active Directory Users and Computers from your local machine.

By doing this you should be able to see local computer.
 
mwiner

I downloaded Windows "Server 2003 Admin Tools Pack" as the 2000 one does not work on XP Workstations, and installed it OK. (Thanks for that, that will be a great help in the future)

But...

You are right, Power Users is now available but only for that machine, example COMPUTERNAME\Power Users.

Any other suggestions?

I'd understand if you are running out of solutions, I'm confused...

Thanks
Steve

 
ok... Well I would first off suggest that you attack this with the other method that I described above. To me it is not as drastic and will only open up what NEEDS to be opened. By adding the Power Users group then you are opening a lot more.

But in regards to the Power Users group, now that you have the AdminPak installed go to the Restricted groups section and right click to add a new group. Just type Power Users and click "ok". It should just work. It does for me... if this doesn't work then I would try the File System approach. I really think it is a much better way to handle it.

Let me know if it works or doesn't work.

-Matt
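
The two approaches compared in this thread (Restricted Groups pushing Power Users membership versus a File System policy entry on one application folder), as an added example that is not part of the original posts: a Python audit that flags both kinds of grant in an exported policy template. It assumes the settings are stored in the security-template .inf layout with `[Group Membership]` and `[File Security]` sections; the sample template, the `%ProgramFiles%\Reports` entry and the domain SID are constructed placeholders.

```python
import re

# Constructed sample in the security-template (.inf) layout assumed for the GPO's
# Restricted Groups and File System settings. The domain SID is a placeholder.
SAMPLE_INF = r'''
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
[File Security]
"%ProgramFiles%\Mozilla Firefox",0,"D:AR(A;OICI;0x1301bf;;;S-1-5-21-1111111111-2222222222-3333333333-1105)(A;OICI;FA;;;BA)"
"%ProgramFiles%\Reports",0,"D:AR(A;OICI;FRFX;;;BU)"
'''

POWER_USERS = "S-1-5-32-547"                      # well-known local group SID
ADMIN_TRUSTEES = {"BA", "SY", "S-1-5-32-544", "S-1-5-18"}
WRITE_CODES = {"GA", "GW", "FA", "FW"}            # SDDL rights that include write
WRITE_BITS = 0x2 | 0x4 | 0x40000000 | 0x10000000  # write/append data, generic write/all

def sections(text):
    """Split .inf text into {section name: [non-empty lines]}."""
    out, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = out.setdefault(line[1:-1], [])
        elif line and cur is not None:
            cur.append(line)
    return out

def grants_write(rights):
    """True if an ACE rights field (hex mask or 2-letter codes) allows writing."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_BITS)
    return any(rights[i:i + 2] in WRITE_CODES for i in range(0, len(rights), 2))

def audit(text):
    """Return findings: Power Users membership pushes and non-admin write ACEs."""
    sec, findings = sections(text), []
    for line in sec.get("Group Membership", []):
        key, _, value = (p.strip() for p in line.partition("="))
        if key == f"*{POWER_USERS}__Members" and value:
            findings.append(("power-users-members", value))
    for line in sec.get("File Security", []):
        m = re.match(r'"([^"]+)",(\d),"([^"]*)"', line)
        if not m:
            continue
        for ace in re.findall(r"\(([^)]*)\)", m.group(3)):
            kind, _flags, rights, _og, _ig, trustee = ace.split(";")
            if kind == "A" and trustee not in ADMIN_TRUSTEES and grants_write(rights):
                findings.append(("non-admin-write", m.group(1), trustee))
    return findings
```

Each `non-admin-write` finding names one folder and one trustee, which is the narrow grant the File System approach produces; a `power-users-members` finding marks the broader grant that applies to every machine the policy reaches.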
 