Re: Allow ONLY "Administrator" and "System" groups full control to

Couldn't of explained it any better Roger.

"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
What is wrong with it is that plain (non-admin) user accounts need access
to a number of areas in order to function at all, or ever to log in.
This includes account that you might want for services, for IIS app pools
or IUsr\IWam user, etc.
All account must be able to access quite a few files in the \Window dir
structure and all will want a profile in Documents and Settings.
Depending on what is done once logged in they will attempt to access
files in Program Files, either for the specific applications or for shared
data, etc.
W2k3 has a fairly reasonable out-of-the-box set of ACLs on the boot
drive. There is some room for tightening when done in the light of the
specific purpose of the server, but for the most part you are better off
leaving the directories under C: that set new permissions inheritance
point alone. Changing C: itself without impacting the distinctly ACLed
subdirectories is relatively safe, as it mostly just limits creation of
files and folders at the root level (i.e. Admins full and Users List for
"Ed Flecko" <EdFlecko@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
Hi Allen,
Thanks for your input. :-)

Forgive me; I'm not trying to sound flippant. What's wrong with doing
When you say "it's not a godd idea"...why not? Do you think I will
some form of difficulties?

I'm, of course, just "thinking out loud", but I can't see why anyone
than these two groups would need ANY access (even read permissions) to
default directories and their subdirectories.


"AllenM" wrote:

Well you will accomplish what you're trying to do and that is it will be
secured. However no one will be able to use it other than the
Not a good idea. Leave the root permissions alone and apply your NTFS
permissions at the folder level.

"Ed Flecko" <EdFlecko@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
Hi folks,
I'm setting up a new Server 2003-R2 server. I have added the
and System groups full control of the C:\ drive, and removed everyone
else. I
see, by default, the C:\ drive has a few other directories and
subdirectories, i.e., "Windows", "Program Files", etc.

Since I'm setting this server up from scratch, in an effort to be as
as possible, is there's anything wrong with selecting the little check
"Replace permission entries on all child objects with entries shown
apply to child objects." I know this will reset all pemissions from
of C:\ down through all directories, I'm just wondering if I can
headaches or if this might be smart to do? I think it sounds like a

Comments? Suggestions?

Thank you,