How do you do....it? Thread, Stop pupils writing to root of C:\ in Technical; Hello, all..
3rd December 2009, 09:00 AM #1
Stop pupils writing to root of C:\
We have our systems formatted as NTFS (took us long enough!!).
One of the things I've noticed is that while pupils can't write to (say) C:\Program Files, or to existing folders in the root of C:\ they ARE able to create their own folder and then write to it.
This is allowing the little bugg - erm - darlings to install portable versions of apps/games to C:\
I'm assuming(!) that there's some easy way to fix this with NTFS and Subinacl, but for the life of me, I can't find it.
Any chance some kind soul can help me out here?
3rd December 2009, 09:37 AM #2
I *think* you want to add this to your startup script:
but check it on one machine before you do it to all of them!
cacls c:\ /e /g users:r administrators:f system:f
This will change the existing permissions on this folder only (you need /t if you want to change the tree) but if there are folders lower down which are inheriting from this folder then you could break them.
3rd December 2009, 10:06 AM #3
Originally Posted by srochford
Sorry - that didn't seem to work (bah!)..
I made the permissions change, but it doesn't seem to have worked.
Looking at the permissions for C:\
Under Advanced, Users and Everyone have "Create Folders/Append Data".
So far, it seems Subinacl and/or cacls don't overwrite this - unless I'm missing a particular switch, of course?!?!
3rd December 2009, 10:10 AM #4
Most likely there are more directories they can use, some even needed like the \Windows\Temp dir.
Also check \Documents and Settings\All Users\Documents & \Documents and Settings\All Users\Application Data those maps also have user write permission on by default.
21st January 2010, 01:56 PM #5
In case anyone is ever faced with the same problem, I found the solution on SETACL's discussion forum.
setacl -on "c:\\" -ot file -actn ace -ace "n:%COMPUTERNAME%\users; m:revoke; p:add_subdir; i:sc; w:dacl"
setacl -on "c:\\" -ot file -actn ace -ace "n:%COMPUTERNAME%\users; m:revoke; p:add_file; i:sc,io; w:dacl"
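An added example, not part of the thread or of SetACL: a PowerShell audit for the two rights the commands above revoke ("Create Folders/Append Data" and "Create Files/Write Data"), useful for checking a machine before and after the change. It assumes PowerShell 3.0 or later on the workstation; the function name and the trusted-SID list are illustrative.

```powershell
# Added example, not from the thread. Lists Allow ACEs on a folder's DACL that
# let anyone outside a trusted set create files or subfolders in it.
function Get-CreateRightsAce {
    param(
        [string]$Path = "$env:SystemDrive\",
        # Well-known SIDs allowed to create here (assumed baseline; adjust to suit):
        # SYSTEM, BUILTIN\Administrators, CREATOR OWNER
        [string[]]$TrustedSid = @('S-1-5-18', 'S-1-5-32-544', 'S-1-3-0')
    )
    # "Create Files/Write Data" (0x2) and "Create Folders/Append Data" (0x4)
    $create  = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) imply both
    $generic = 0x50000000
    $sidType = [System.Security.Principal.SecurityIdentifier]

    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs rather than names so the check works on any display language
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($TrustedSid -contains $sid) { continue }
        if (([int]$ace.FileSystemRights -band ($create -bor $generic)) -eq 0) { continue }

        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }   # orphaned or unresolvable SID

        [pscustomobject]@{
            Identity    = $name
            Rights      = $ace.FileSystemRights
            Inheritance = $ace.InheritanceFlags    # ContainerInherit = passed to subfolders
            Propagation = $ace.PropagationFlags    # InheritOnly = not this folder itself
            Inherited   = $ace.IsInherited
        }
    }
}

# Expect no rows for BUILTIN\Users or Everyone once the root is locked down.
Get-CreateRightsAce | Format-Table -AutoSize
```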
21st January 2010, 02:01 PM #6
Shouldn't the owner of the rogue folder be the user that made the folder? Stick them in detention; make sure students are aware this is happening.
To find owner
right click rogue folder select properties
Click security tab
21st January 2010, 02:01 PM #7
Don't you hide "my computer"???
21st January 2010, 02:08 PM #8
We use the File System GPO here to set this.
In a computer policy, set the object name to %systemdrive%\; we then set the permissions below.
These two radio buttons are set: 'Configure this file or folder then' and 'Propagate inheritable permissions to all subfolders and files'.
SYSTEM: Full Control
Administrators: Full Control
Users: Read, List folder contents and Read and Execute (the basic read permissions)
Read the Caution section in this link and remember to try on a test machine first.
Last edited by cookie_monster; 21st January 2010 at 02:15 PM.
21st January 2010, 02:13 PM #9
Yup, group policies are your friend here. Does your school not use Active Directory?
21st January 2010, 02:13 PM #10
JJonas - Yep, I'd been doing that before I found how to stop them.
The Librarians/teachers didn't seem that bothered, so there was no - shall we say - incentive for the kids to not do that.
storkyIV - Yes, My Computer has drives masked. However, installers of things like portable games will cheerfully let you install to C:\ by manually typing in the path, and then display a final dialog with "Launch gameyoujustinstalled" afterwards
cookie_monster/Dos_Box - Yep, we use AD but I was under the impression that doing this can have a knock-on effect of overwriting other NTFS permissions already in place... Say, for example, we need them to write to C:\Windows\IniFileForAProgram.ini (kind of idea)
Last edited by gerardsweeney; 21st January 2010 at 02:17 PM.
Reason: Reply to cookie_Monster/Dos_Box
21st January 2010, 02:23 PM #11
Software restriction policy will stop this.
21st January 2010, 02:27 PM #12
In your pupil GPO:
User Config -> Administrative templates -> Windows Components -> Windows Explorer -> "Hide these specified drives in My Computer" & "Prevent access to these drives from My Computer"
Also MS KB231289 to see how to adapt the policy to suit your own requirements. Works nicely for us.
21st January 2010, 03:01 PM #13
Yes, we use that...
Originally Posted by timzim
However, the problem stems from our XP install method.. Or - at least it seems to
From what I can gather: if you install XP from CD, and allow ITS installer to do the partitioning and formatting, then C:\ is marked as read only.
The method we use to build a new PC is to deploy a blank NTFS partition, and then run the setup. This removes the stupidly long time it takes to format 300Gb
However, it appears(!) that if you use this method, that XP's installer adds a Special Permissions bit to the drive, which lets them create a new file/folder in C:\
They don't need to be able to SEE drive C: - the installer will quite happily let them type it in.
I suspect the problem lies with the original NTFS image - we basically chucked a drive into a USB caddy, formatted it as NTFS, shoved it back into a desktop and imaged it. I'm guessing Windows added the Creator_owner bit at that stage.
The write access doesn't carry down... For example, they can't write to C:\Windows or C:\Drivers, nor can Pupil1 write to a folder created by Pupil2 - but they can create C:\BLAHBLAH and install a non-registry-editing game to it.
Hope all of that makes sense
21st January 2010, 03:20 PM #14
Originally Posted by gerardsweeney
You can use the same GPO for setting permissions on other files and directories as well, we do this. Also the setting we use only sets those permissions on the root of C: as soon as you look in Program Files or Windows the permissions are default including Power Users and so on.
21st January 2010, 03:48 PM #15
Cool - I'll need to have a word with our AD bod (I am but a humble desktop tech).
Originally Posted by cookie_monster
Thanks for all of the replies, folks.