Windows 7 Thread: Prevention of file creation, etc (Technical)
  1. #1

    Prevention of file creation, etc

    Hello everyone - I'm new here but I think this is a place that could certainly help me. I work for a public library system. We have several hundred public internet computers at multiple locations. Currently we use mandatory roaming profiles, that way if something gets hosed up, etc, a reboot fixes the profile. In the past I've followed some guidelines to prevent file creation on computers. One person recommended essentially making everything hidden in the root of C:, discouraging people from messing around with it. At the same time, this still allows people to create new folders. I also have another problem, which is programs installed under appdata (yes, like Chrome does). I'd really prefer for people not to do this either.

    Overall, I don't really want people putting stuff on the computers, we sell flash drives in case they don't have their own and they can put files on those. At the same time, I feel for people who maybe are working on a word doc and then want to email it, but save it first, which is why I've never completely locked down the machines. I would appreciate some suggestions on how to lock down the computers better without making them unusable for the customer. All of our public computers are Windows 7 64 bit.

  2. #2

    The libraries I am a member of just do Deepfreeze and have no other lockdowns usually, so you're not alone. Think I've only ever seen one in years that disabled access to the hard drive and user shell folders, and only allowed USB keys for storage.....

    I have a few PCs (Win7 64bit) set up in a common room at one of the places I volunteer, a retirement home. It allows semi lockdown (via GPO for the big stuff like hardware removal etc, but not hard drive access restrictions) access for those who have an account. In addition, I have a guest user account (not the inbuilt one, I might add) for guests or for users who don't yet have an account set up for them, and it uses a mandatory profile with a lot more GPO restrictions.

    The guest account doesn't allow:

    * changing of settings - due to mandatory profile
    * access to the C: drive - via GPO
    * creation of folders/files in the guest users root profile folder (i.e. c:\users\hhguest\) - via GPO
    * Saving or creation of files and folders to the user shell folders (Desktop/Downloads/Music/Pictures/Videos)

    So these are the GPOs I used:

    Do you administer the PCs via AD? Or locally (on the actual PC)?

    If locally, like I do with these machines, I do the following; if you do it via AD, adjust accordingly for a user group:

    1) Run MMC

    2) From the file menu, click Add/Remove Snap In

    3) On the left, click on Group Policy Object and then click Add

    4) On the Group Policy Wizard that appears, assuming you don't want to apply this to all users of the computer (and you don't), click Browse

    5) On the next screen select the Users tab

    6) Select the username of the account you're wanting to restrict

    7) Click OK and then Finish and then OK

    8) You will now be back in the MMC console with Local Computer\Username You Selected Policy under Console Root

    9) Expand the Local Computer\Username tree

    10) Expand User Configuration

    11) Expand Administrative Templates

    12) Click on Windows Explorer

    13) Set the following:

    Hide These Specified Drives In My Computer
    Set to Enabled and from the drop down list below select: C Drive Only

    Prevent Access To Drives From My Computer
    Set to Enabled and from the drop down list below select: C Drive Only

    Prevent User Adding Files To The Root Of Their Users Files Folder
    Set to Enabled

    Leave MMC open for the next part....

    That does the job of hiding C:, and they won't be able to create folders or files in their profile root folder, which works in with the next part, the logon/logoff scripts.

    Logon/Logoff Scripts:

    Download the Logon Logoff scripts and Xcacls: Attachment 17469

    Note: The cmd files use environment variables, not hard coded usernames, so they will work for any user where they are set as logon/logoff scripts via GPO (i.e. you don't have to edit them)

    1) Extract the files to an easy to browse to location

    I have included a cut down version of the warning message the guest users get on our machines at logon, feel free to edit. You can run it by a simple double click to test it, and edit it in notepad/wordpad. It's a simple thing to edit.

    2) Back in MMC, go to Windows Settings (above Administrative Templates)

    3) Expand Windows Settings

    4) Click on Scripts (Logon/Logoff)

    5) Double click on Logon

    6) On the Logon Properties window that appears, click on Show files at bottom left (this will take you to the correct SID for that user and to their script folder)

    7) Copy setreadonly.cmd (from the zip) to the Logon folder. Also copy guestwarning.vbs to the logon folder if you want to include the warning message at logon.

    8) Copy removereadonly.cmd (from the zip) to the Logon folder

    9) Close the explorer window

    10) Still on the Logon Properties window (or double click on Logon to bring it back), click Add and browse to and select Logon\setreadonly.cmd. Click OK

    The included guestwarning.vbs script also belongs in the logon script window; repeat the Add, browse action to add the guestwarning.vbs script if you wish to use it.

    You should now, if you selected the guestwarning.vbs script, have 2 scripts showing.

    11) Click Ok

    12) Double click on Logoff, click Add and browse to and select Logon\removereadonly.cmd. Click OK

    13) Click OK

    14) Close MMC, and when prompted to save changes, I suggest you save it with an obvious name (i.e. guest user group policy) on your desktop, should you need to edit it later.

    15) Copy the xcacls.exe from the zip to c:\windows\system32

    I used xcacls.exe as it was the closest ACL changing tool I had to hand. The scripts are, I believe, transferable/compatible with icacls etc.

    That's it.

    C: will be hidden, and they won't be able to create folders or files in their profile root folder, or save files to their user shell folders (Desktop/Documents/Music/Pictures/Video) as these are set read-only at logon. At least on a local mandatory profile, the read-only shell folders need to be reset to writeable at logoff (hence the removereadonly.cmd script at logoff), otherwise the next logon into the mandatory profile fails. I do not know whether this applies to a roaming mandatory profile, but I will assume so, so have left it in the above instructions.

    Logon to the account and test.

    This should, I think, cover most, if not all, your requirements.

    They will have no choice but to use a USB key

    As for Chrome, never installed that personal data stealing tool, but I did find this for you:

    http://social.technet.microsoft.com/...0-d2604a59c9bd

    It's again a GPO fix; it references a domain GPO, but the GPO paths are transferable to a local GPO, so they can be found in the MMC console I referred to in my local MMC steps above if you are using non-AD GPOs.

    Any questions, let me know.



    I use a local mandatory profile, which requires a bit of fooling around to set up, and this is only for info on my particular setup:

    Create user account (e.g. hhguest)
    Login to hhguest
    Logout of hhguest
    Create new folder under c:\users\, e.g. c:\users\mandguest.v2
    Copy default profile to c:\users\mandguest.v2
    Set guest profile path to c:\users\mandguest (minus the .v2)
    Login to guest (now redirected to c:\users\mandguest.v2)
    Logout of guest
    Login to guest (now redirected to c:\users\mandguest.v2)
    Customise apps, links etc
    Logout of guest
    Login to admin account
    Go into c:\users\mandguest\user.dat to user.man

    So at this point the mandatory profile is set up.

    Any changes are lost in the c:\users\mandguest.v2 profile folder as expected, but as a side effect, I assume because of the local nature of the profile, Windows still remembers the link to c:\users\hhguest, so the changes (I noticed downloads and desktop new text documents from my testing of the mandatory profile) end up in the c:\users\hhguest folders (i.e. c:\users\hhguest\desktop and c:\users\hhguest\downloads).

    So even though the profile resets, if people download or create documents and they are not visible to the next guest user, they will build up over time in c:\users\hhguest, so I make the user shell folders (Desktop/Downloads/Pictures/Music/Videos) in c:\users\hhguest read only via a log on script with xcacls, and then writeable again at log off via a log off script. It needs to be reset, as otherwise the next login will find the mandatory profile locked and unable to load. End result: nothing is saved....
    Last edited by stylemessiah; 7th March 2013 at 03:36 PM.
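    An added example of the logon/logoff script pair described above. This is not the attachment from the post; it is a single hypothetical script, lockshell.cmd, that does the same job with the icacls.exe built into Windows 7 instead of xcacls. It is registered twice in the per-user GPO: as the logon script with the parameter "lock" and as the logoff script with the parameter "unlock". Like the original, it relies on %USERPROFILE% and %USERNAME% rather than a hard coded account name. The FOLDERS list and the BASE variable are assumptions: Documents is deliberately left out (so a temporary save point still exists), and BASE can be pointed at a fixed profile folder such as c:\users\hhguest for the local mandatory profile case where files land outside the .v2 folder.

```batch
@echo off
rem lockshell.cmd (hypothetical name; added example, not the post's attachment)
rem Logon script : lockshell.cmd lock
rem Logoff script: lockshell.cmd unlock
rem Uses the built-in icacls.exe, so nothing needs copying to system32.
setlocal

rem Shell folders to block. Documents is left writable on purpose.
set "FOLDERS=Desktop Downloads Music Pictures Videos"

rem Folder that actually holds the shell folders. For a local mandatory
rem profile where writes land in c:\users\hhguest, set BASE to that path.
set "BASE=%USERPROFILE%"

rem Simple per-user log so a failed ACL change can be found later.
set "LOG=%TEMP%\lockshell.log"

if /i "%~1"=="lock"   goto :lock
if /i "%~1"=="unlock" goto :unlock
echo Usage: %~nx0 lock^|unlock
exit /b 1

:lock
rem Deny the current user "create files" (WD) and "create folders" (AD) on each
rem folder and on anything inheriting from it (OI)(CI). Reading stays allowed.
for %%F in (%FOLDERS%) do (
    if exist "%BASE%\%%F\" (
        echo %DATE% %TIME% lock %BASE%\%%F >> "%LOG%"
        icacls "%BASE%\%%F" /deny "%USERNAME%:(OI)(CI)(WD,AD)" >> "%LOG%" 2>&1
    )
)
exit /b 0

:unlock
rem Remove every deny entry for the current user again at logoff. As the post
rem notes, leaving the folders locked makes the next mandatory-profile logon fail.
for %%F in (%FOLDERS%) do (
    if exist "%BASE%\%%F\" (
        echo %DATE% %TIME% unlock %BASE%\%%F >> "%LOG%"
        icacls "%BASE%\%%F" /remove:d "%USERNAME%" >> "%LOG%" 2>&1
    )
)
exit /b 0
```

    Two points worth checking before relying on it: /remove:d strips all deny entries for that account on the folder, not just the ones this script added, so run it on a test account whose shell folders carry no other deny ACEs; and because the script runs as the user, the user keeps the right to change permissions, so this is a guard against casual saving, not a hard security boundary (the same holds for the read-only approach in the post).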

  3. #3
    Okay - first of all, holy cow, your post is quite overwhelming.

    Now that is out of the way, I appreciate your input. I do not think my intent is to completely keep users from accessing the drive. As I said, some people may only need a temporary save point, I just would prefer it be more difficult to put junk all over the drive. I think the hiding and preventing access options in GPO are the way I need to go. I think I was always afraid in the past that would cause problems.

    As far as the "Prevent User Adding Files To The Root Of Their Users Files Folder", I'm not really sure I understand what that does for me. The description in GPO seems to contradict itself.

    I will say that while people should be able to write to Documents, I don't want them writing to the desktop, really, and that would be something nice to block.
