RE: client Local Drives permission

From: Jeff Qiu (jefffqiu@online.microsoft.com)
Date: 01/24/03 

From: jefffqiu@online.microsoft.com (Jeff Qiu)
Date: Fri, 24 Jan 2003 07:22:24 GMT

Hi Ahmed,

The task includes the following two parts:

1. Delete everyone group on partition C: from the security tab.
2. Deny the delete file/folder to a certain group.

We may apply this by add the following command line to the logon script.

;Remove the everyone group from C:\ and all its sub-folders
cacls C:\ /t /e /r everyone

About to deny the delete file/folder permission, I am not sure what kind of
domain user group you are trying to apply to. However, this will cause
everyone included in this group no write permission. The deny will apply
over any other NTFS permission. Please think it over before apply.

Anyway, you may add the following line to apply it:

cacls C:\ /t /e /p <groupname>:N

To get more information about the cacls, please try cacls /? at the
DOS-Prompt.

About how to add these lines to that group, you may refer to the following
article:
HOW TO: Automatically Run Programs When Users Log On to Windows 2000
http://support.microsoft.com/default.aspx?scid=KB;EN-US;321707

Regards,

Jeff Qiu
jefffqiu@online.microsoft.com
Online Support Professional
Microsoft Corporation

This posting is provided Ħ°AS ISĦħ with no warranties, and confers no
rights.

--------------------
>Content-Class: urn:content-classes:message
>From: "Ahmed Fahmy" <ahmed_fahmy@ciranet.com>
>Sender: "Ahmed Fahmy" <ahmed_fahmy@ciranet.com>
>Subject: client Local Drives permission
>Date: Thu, 23 Jan 2003 02:09:31 -0800
>microsoft.public.win2000.security
>
>I have a w2k domain with 100+ w2K/XP pro clients.
>I want to set the security permissions on clients C:
>drive to remove everyone group and to deny delete
>folder's/files to domain users group.
>how can i deploy that without visiting every client.
>Thanks in Advance
>

Relevant Pages

  • Re: Unable to prevent OU deletion by Domain Admins?
    ... > that DENY ACLs trump any allow ACLs ... Deny permissions take precedence over allow ... the list of permission entries in the DACL. ... I understand that domain admins have the delete and delete subtree rights at the domain level. ...
    (microsoft.public.win2000.active_directory)
  • Re: Unable to prevent OU deletion by Domain Admins?
    ... >> that DENY ACLs trump any allow ACLs ... Deny permissions take precedence over allow ... > the list of permission entries in the DACL. ... > You could modify the default domain admins permissions so that they no ...
    (microsoft.public.win2000.active_directory)
  • Re: Unable to prevent OU deletion by Domain Admins?
    ... This posting is provided "AS IS" with no warranties, and confers no rights. ... >>>> It is even worse when Microsoft's own guidelines for parsing ACLs ... >>>> that DENY ACLs trump any allow ACLs ... >>> the list of permission entries in the DACL. ...
    (microsoft.public.win2000.active_directory)
  • Re: Joining Computers to Domain
    ... >>immediately indicate if you have a DENY somewhere. ... >>> is some permission that is blocking it. ... >>> Our problem is with student admins. ... >>> add computers to the domain. ...
    (microsoft.public.windows.group_policy)
  • Re: Unable to prevent OU deletion by Domain Admins?
    ... What isn't fine is making it appear as if an ACL can be set a certain ... Deny permissions take precedence over allow ... >> the list of permission entries in the DACL. ... >> You could modify the default domain admins permissions so that they no ...
    (microsoft.public.win2000.active_directory)