  1. #1

    Stop pupils writing to root of C:\

    Hello, all..

    We have our systems formatted as NTFS (took us long enough!!).

    One of the things I've noticed is that while pupils can't write to (say) C:\Program Files, or to existing folders in the root of C:\ they ARE able to create their own folder and then write to it.

    This is allowing the little bugg - erm - darlings to install portable versions of apps/games to C:\

    I'm assuming(!) that there's some easy way to fix this with NTFS and Subinacl, but for the life of me, I can't find it.

    Any chance some kind soul can help me out here?

    Regards,
    Gerard

  2. #2

    I *think* you want to add this to your startup script:
    Code:
    cacls c:\ /e /g users:r administrators:f system:f
    but check it on one machine before you do it to all of them!
    This will change the existing permissions on this folder only (you need /t if you want to change the tree) but if there are folders lower down which are inheriting from this folder then you could break them.

  3. #3

    Originally posted by srochford:
    I *think* you want to add this to your startup script:
    Code:
    cacls c:\ /e /g users:r administrators:f system:f

    Hi..

    Sorry - that didn't seem to work (bah!)..

    I made the permissions change, but it doesn't seem to have worked.

    Looking at the permissions for C:\

    Under Advanced, Users and Everyone have "Create Folders/Append Data".

    So far, it seems Subinacl and/or cacls don't overwrite this - unless I'm missing a particular switch, of course?!?!

    Regards,
    Gerard

  4. #4

    Most likely there are more directories they can use, some even needed, like the \Windows\Temp dir.

    Also check \Documents and Settings\All Users\Documents & \Documents and Settings\All Users\Application Data; those maps also have user write permission on by default.

  5. #5

    Join Date
    Jun 2009
    Location
    East Renfrewshire
    Posts
    134
    Thank Post
    10
    Thanked 22 Times in 16 Posts
    Rep Power
    14

    Solved

    Hello, all..

    In case anyone is ever faced with the same problem, I found the solution on SETACL's discussion forum.

    https://sourceforge.net/projects/set.../topic/2190447

    setacl -on "c:\\" -ot file -actn ace -ace "n:%COMPUTERNAME%\users; m:revoke; p:add_subdir; i:sc; w:dacl"

    setacl -on "c:\\" -ot file -actn ace -ace "n:%COMPUTERNAME%\users; m:revoke; p:add_file; i:sc,io; w:dacl"

    Regards,
    Gerard

  6. Thanks to gerardsweeney from:

    OutToLunch (31st March 2010)
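
Added example, not part of the original thread: a small Python audit that parses the SDDL form of a drive-root DACL and reports each allow ACE that lets Users, Everyone or Authenticated Users create folders or files, in the `p:`/`i:` notation of the SetACL commands in post #5. The function names, the sample SDDL string and the `so`/`np` keyword mapping are assumptions of this example; the sample DACL is constructed to match the behaviour described in the thread, not captured from a real machine.

```python
import re

# Access-mask bits behind the two permissions named in the thread (winnt.h).
CREATE = {0x4: "add_subdir",   # Create Folders / Append Data
          0x2: "add_file"}     # Create Files / Write Data
# SDDL rights tokens that matter here, as file access masks.
RIGHTS = {"DC": 0x2, "LC": 0x4, "FW": 0x120116, "FA": 0x1F01FF,
          "GW": 0x120116, "GA": 0x1F01FF}
# SDDL inheritance flags -> the i: keywords SetACL uses (assumed mapping).
INHERIT = {"OI": "so", "CI": "sc", "NP": "np", "IO": "io"}
WATCHED = {"BU": "Users", "WD": "Everyone", "AU": "Authenticated Users"}

# Constructed sample DACL for C:\ (not captured from a real machine).
SAMPLE_SDDL = ("D:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICIIO;GA;;;CO)"
               "(A;OICI;0x1200a9;;;BU)(A;CI;LC;;;BU)(A;CIIO;DC;;;BU)"
               "(A;;0x1200a9;;;WD)")

def pairs(field):
    """Split an SDDL field into its two-letter tokens."""
    return re.findall("..", field)

def access_mask(rights):
    """Rights field -> integer mask (hex literal or two-letter tokens)."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for token in pairs(rights):
        mask |= RIGHTS.get(token, 0)
    return mask

def audit_root_dacl(sddl):
    """List (group, SetACL permission, SetACL inheritance) for each allow
    ACE that lets a watched group create files or folders."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, flags, rights, _, _, sid = ace.split(";")[:6]
        if ace_type != "A" or sid not in WATCHED:
            continue
        inherit = ",".join(INHERIT[f] for f in pairs(flags) if f in INHERIT)
        for bit, name in CREATE.items():
            if access_mask(rights) & bit:
                findings.append((WATCHED[sid], name, inherit))
    return findings

if __name__ == "__main__":
    for group, perm, inherit in audit_root_dacl(SAMPLE_SDDL):
        print(f"{group}: p:{perm}; i:{inherit or 'this folder only'}")
```

On a live machine the SDDL string can be read with PowerShell's `(Get-Acl C:\).Sddl`; an empty result after the fix means neither create right is still granted to the watched groups at the root.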

  7. #6

    JJonas
    Shouldn't the owner of the rogue folder be the user that made the folder? Stick them in detention; make sure students are aware this is happening.

    To find owner

    right click rogue folder select properties
    Click security tab
    Click advanced
    click owner

  8. #7
    storkyIV
    Don't you hide "my computer"???

  9. #8
    cookie_monster
    We use the File System GPO here to set this.

    In a computer policy, set the object name to %systemdrive%\; we then set the permissions below.

    These two radio buttons are set: 'Configure this file or folder then' and 'Propagate inheritable permissions to all subfolders and files'.

    SYSTEM: Full Control
    Administrators: Full Control
    Users: Read, List folder contents and Read and Execute (the basic read permissions)


    http://windowsitpro.com/article/arti...rmissions.html

    Read the Caution section in this link and remember to try on a test machine first.

    http://technet.microsoft.com/en-us/l...30(WS.10).aspx
    Last edited by cookie_monster; 21st January 2010 at 02:15 PM.

  10. Thanks to cookie_monster from:

    3s-gtech (8th April 2010)

  11. #9

    Dos_Box
    Yup, group policies are your friend here. Does your school not use Active Directory?

  12. #10

    JJonas - Yep, I'd been doing that before I found how to stop them.

    The Librarians/teachers didn't seem that bothered, so there was no - shall we say - incentive for the kids to not do that.

    storkyIV - Yes, My Computer has drives masked. However, installers of things like portable games will cheerfully let you install to C:\ by manually typing in the path, and then display a final dialog with "Launch gameyoujustinstalled" afterwards

    cookie_monster/Dos_Box - Yep, we use AD but I was under the impression that doing this can have a knock-on effect of overwriting other NTFS permissions already in place... Say, for example, we need them to write to C:\Windows\IniFileForAProgram.ini (kind of idea)

    Cheers,
    Gerard
    Last edited by gerardsweeney; 21st January 2010 at 02:17 PM. Reason: Reply to cookie_Monster/Dos_Box

  13. #11
    nicholab
    Software restriction policy will stop this.

  14. #12

    In your pupil GPO:
    User Config -> Administrative templates -> Windows Components -> Windows Explorer -> "Hide these specified drives in My Computer" & "Prevent access to these drives from My Computer"

    Also see MS KB231289 for how to adapt the policy to suit your own requirements. Works nicely for us.

  15. #13

    Originally posted by timzim:
    In your pupil GPO:
    User Config -> Administrative templates -> Windows Components -> Windows Explorer -> "Hide these specified drives in My Computer" & "Prevent access to these drives from My Computer"

    Yes, we use that...

    However, the problem stems from our XP install method.. Or - at least it seems to

    From what I can gather: if you install XP from CD, and allow ITS installer to do the partitioning and formatting, then C:\ is marked as read only.

    The method we use to build a new PC is to deploy a blank NTFS partition, and then run the setup. This removes the stupidly long time it takes to format 300Gb

    However, it appears(!) that if you use this method, XP's installer adds a Special Permissions bit to the drive, which lets them create a new file/folder in C:\

    They don't need to be able to SEE drive C: - the installer will quite happily let them type it in.

    I suspect the problem lies with the original NTFS image - we basically chucked a drive into a USB caddy, formatted it as NTFS, shoved it back into a desktop and imaged it. I'm guessing Windows added the Creator_owner bit at that stage.

    The write access doesn't carry down... For example, they can't write to C:\Windows or C:\Drivers, nor can Pupil1 write to a folder created by Pupil2 - but they can create C:\BLAHBLAH and install a non-registry-editing game to it.

    Hope all of that makes sense

  16. #14
    cookie_monster
    Originally posted by gerardsweeney:
    JJonas - Yep, I'd been doing that before I found how to stop them.

    The Librarians/teachers didn't seem that bothered, so there was no - shall we say - incentive for the kids to not do that.

    storkyIV - Yes, My Computer has drives masked. However, installers of things like portable games will cheerfully let you install to C:\ by manually typing in the path, and then display a final dialog with "Launch gameyoujustinstalled" afterwards

    cookie_monster/Dos_Box - Yep, we use AD but I was under the impression that doing this can have a knock-on effect of overwriting other NTFS permissions already in place... Say, for example, we need them to write to C:\Windows\IniFileForAProgram.ini (kind of idea)

    Cheers,
    Gerard


    You can use the same GPO for setting permissions on other files and directories as well; we do this. Also, the setting we use only sets those permissions on the root of C:. As soon as you look in Program Files or Windows, the permissions are default, including Power Users and so on.

  17. #15

    Originally posted by cookie_monster:
    Also the setting we use only sets those permissions on the root of C:

    Cool - I'll need to have a word with our AD bod (I am but a humble desktop tech).

    Thanks for all of the replies, folks.

    Gerard
