how to restrict user not to download files on C drive

    Question

  • Hi, I am Bhaskar. I have a question: how can I restrict users, using domain controller Group Policy or any other way? I want to restrict every user from using the C drive. If they download anything to the C drive, it should show them an error message. I want them to download files to the D or E drive. Can anyone tell me the solution and the procedure for this? I have Windows Server 2008 R2 on one PC, which I want to make the domain controller, and the other PCs have Windows XP. I will join every PC to the domain, and then I want to restrict them from using the C drive. Please help me.
    Bhaskar
    Wednesday, July 13, 2011 6:52 AM

All replies

  • Hi,

    Please refer to the following:

    Setting Up Disk Quotas with Group Policy
    http://www.windowsnetworking.com/kbase/windowstips/windows2003/admintips/activedirectory/SettingUpDiskQuotaswithGroupPolicy.html
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, July 13, 2011 7:18 AM
  • Hi Brent, I did not find anything there. I want to restrict every user except the administrator from downloading files to the C drive, using any method, from the domain controller.
    Bhaskar
    Wednesday, July 13, 2011 9:35 AM
  • Hello

    So in your AD environment I presume your admin user accounts are in a different OU to the normal user accounts. If not, then they will need to be (to meet your requirements).

    In the OU for the normal users, have a GPO with the following setting: User Config > Admin Templates > Windows Components > Windows Explorer, and the GPO setting "Prevent access to drives from My Computer". This can be set to "Restrict C drive only".

    This will stop files being saved to the C drive, but will also mean that C is not accessible through Explorer. Depending on the restrictions you wish to have, I would recommend "Hide these specified drives in My Computer" also set to C drive.

    I have presumed from your first post that the D and E drives are the areas you wish your users to save information to rather than C.


    Lee Bowman MCITP MCTS
    Wednesday, July 13, 2011 11:37 AM
  • Hi Lee, is that GPO created automatically, or do I have to create it manually now? I have one PC running Windows Server 2008 R2 64-bit and other PCs running Windows XP. I want to restrict every user on every Windows XP PC from saving files to the C drive. If they just want to access the C drive, that is OK, but I want to restrict them from downloading to the C drive; that is my target. Can you help with any article on how to create that GPO and the whole procedure?

    Bhaskar
    Wednesday, July 13, 2011 12:06 PM
  • Hi Bhaskar,

    You can refer to Lee's suggestion and perform the following steps to restrict users from downloading to the local C drive.

    1. Open the Group Policy Management Console by clicking Start, clicking Run, typing gpmc.msc, and then clicking OK.
    2. Right-click the OU where the user objects are located and click the "Create a GPO in this domain, and link it here..." item.
    3. Right-click the GPO, and then click Edit.
    4. In the Group Policy Object Editor console, enable these settings under User Configuration\Policies\Administrative Templates\Windows Components\Windows Explorer: "Prevent access to drives from My Computer" and "Hide these specified drives in My Computer". Pick the "Restrict C drive only" option.

    Brent


    • Proposed as answer by anthinK Monday, October 01, 2012 9:31 AM
    Tuesday, July 19, 2011 4:35 AM
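
Added example (not part of the thread or any poster's reply): the four GPMC steps above, scripted with the GroupPolicy PowerShell module that ships with GPMC on Windows Server 2008 R2. The two settings are stored as the `NoViewOnDrive` and `NoDrives` registry policy values; the GPO name and OU path are placeholders, and `Get-DriveMask` is a helper written for this example.

```powershell
Import-Module GroupPolicy

# Both settings take a DWORD bitmask of drive letters: A=1, B=2, C=4, D=8, ...
# Get-DriveMask is a helper for this example, not a built-in cmdlet.
function Get-DriveMask {
    param([Parameter(Mandatory=$true)][string[]]$Letters)
    $mask = 0
    foreach ($letter in $Letters) {
        $l = $letter.Trim().TrimEnd(':').ToUpper()
        if ($l -notmatch '^[A-Z]$') { throw "Not a drive letter: '$letter'" }
        $index = [int][char]$l - 65              # 'A' is code point 65
        $mask  = $mask -bor [int][math]::Pow(2, $index)
    }
    return $mask
}

# Placeholders: replace with your own GPO name and the OU that holds the
# normal user accounts (admin accounts stay in a different OU, as Lee noted).
$gpoName = 'Restrict C drive (users)'
$ouDn    = 'OU=Staff,DC=example,DC=com'

# Registry policy key behind the two Windows Explorer settings (user side).
$key  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$mask = Get-DriveMask -Letters 'C'               # "Restrict C drive only"

# Step 2: create the GPO and link it to the OU.
New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null

# Step 4: "Prevent access to drives from My Computer"
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'NoViewOnDrive' `
    -Type DWord -Value $mask | Out-Null

# Step 4: "Hide these specified drives in My Computer"
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'NoDrives' `
    -Type DWord -Value $mask | Out-Null

# Confirm what the GPO now contains.
Get-GPRegistryValue -Name $gpoName -Key $key |
    Select-Object ValueName, Type, Value

# On a client, logged on as a user from that OU:
#   gpupdate /force
#   gpresult /scope user /v
#
# Scope of the control: these are Explorer shell policies. They apply to
# Explorer and the common Open/Save dialogs and do not change NTFS
# permissions, so they do not stop other programs from writing to the drive.
```

Because the values are User Configuration settings, the GPO only takes effect for accounts whose user object sits in or below the linked OU.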
  • Thank you so much. I will try it and then reply to you with the result.
    Bhaskar
    Tuesday, July 19, 2011 6:27 AM
  • Hi Bhaskar,

    Any update?
    Friday, July 22, 2011 4:14 AM
  • Hi, I have a domain controller with Windows Server 2008 R2 Standard Edition 64-bit and the same OS on another system, and I did whatever you said above, but I am able to open the C drive and can access that drive. I created an organizational unit, created one user in it, and applied the GPO as you said to that organizational unit, but the user in that OU is able to access the C drive. I used Windows Server 2008 R2, not XP, so what should I do now?
    Bhaskar
    Friday, July 22, 2011 6:57 AM
  • Hi Bhaskar,

    >i used windows server 2008 R2 not XP so what should i do now ?

    No matter which computer you log on to, the group policies should be applied. You have to make sure that the GPO is linked to the OU where the user objects are located. Please post the output of gpresult /v from the affected computer.

    Brent
    Friday, July 22, 2011 7:17 AM
  • Hi, how do I save that gpresult output to a text file? We can save it to a file while executing the command, but I have forgotten the command, so can you tell me, so that I can post the result here?
    Bhaskar
    Thursday, July 28, 2011 10:11 AM

  • Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 7/28/2011 at 4:27:05 PM


    RSOP data for XENAPP\Administrator on DC : Logging Mode
    --------------------------------------------------------

    OS Configuration:            Primary Domain Controller
    OS Version:                  6.1.7600
    Site Name:                   Default-First-Site-Name
    Roaming Profile:             N/A
    Local Profile:               C:\Users\Administrator
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=DC,OU=Domain Controllers,DC=xenapp,DC=com
        Last time Group Policy was applied: 7/28/2011 at 4:23:08 PM
        Group Policy was applied from:      DC.xenapp.com
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        XENAPP
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            Default Domain Controllers Policy
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            BUILTIN\Pre-Windows 2000 Compatible Access
            Windows Authorization Access Group
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            DC$
            Domain Controllers
            NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
            Denied RODC Password Replication Group
            System Mandatory Level
            
        Resultant Set Of Policies for Computer
        ---------------------------------------

            Software Installations
            ----------------------
                N/A

            Startup Scripts
            ---------------
                N/A

            Shutdown Scripts
            ----------------
                N/A

            Account Policies
            ----------------
                GPO: Default Domain Policy
                    Policy:            MaxRenewAge
                    Computer Setting:  7

                GPO: Default Domain Policy
                    Policy:            MaximumPasswordAge
                    Computer Setting:  42

                GPO: Default Domain Policy
                    Policy:            MinimumPasswordAge
                    Computer Setting:  1

                GPO: Default Domain Policy
                    Policy:            MaxServiceAge
                    Computer Setting:  600

                GPO: Default Domain Policy
                    Policy:            LockoutBadCount
                    Computer Setting:  N/A

                GPO: Default Domain Policy
                    Policy:            MaxClockSkew
                    Computer Setting:  5

                GPO: Default Domain Policy
                    Policy:            MaxTicketAge
                    Computer Setting:  10

                GPO: Default Domain Policy
                    Policy:            PasswordHistorySize
                    Computer Setting:  24

                GPO: Default Domain Policy
                    Policy:            MinimumPasswordLength
                    Computer Setting:  7

            Audit Policy
            ------------
                N/A

            User Rights
            -----------
                GPO: Default Domain Controllers Policy
                    Policy:            MachineAccountPrivilege
                    Computer Setting:  Authenticated Users
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            ChangeNotifyPrivilege
                    Computer Setting:  XENAPP\SQLServer2005MSSQLUser$DC$SQLEXPRESS
                                       Everyone
                                       LOCAL SERVICE
                                       NETWORK SERVICE
                                       Administrators
                                       Authenticated Users
                                       Pre-Windows 2000 Compatible Access
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            IncreaseBasePriorityPrivilege
                    Computer Setting:  Administrators
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            TakeOwnershipPrivilege
                    Computer Setting:  Administrators
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            RestorePrivilege
                    Computer Setting:  Administrators
                                       Backup Operators
                                       Server Operators
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            DebugPrivilege
                    Computer Setting:  Administrators
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            SystemTimePrivilege
                    Computer Setting:  LOCAL SERVICE
                                       Administrators
                                       Server Operators
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            SecurityPrivilege
                    Computer Setting:  Administrators
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            ShutdownPrivilege
                    Computer Setting:  Administrators
                                       Backup Operators
                                       Server Operators
                                       Print Operators
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            AuditPrivilege
                    Computer Setting:  Classic .NET AppPool
                                       LOCAL SERVICE
                                       NETWORK SERVICE
                                       DefaultAppPool
                                       CitrixWebInterface5.3.0AppPool
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            InteractiveLogonRight
                    Computer Setting:  Administrators
                                       Backup Operators
                                       Account Operators
                                       Server Operators
                                       Print Operators
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            CreatePagefilePrivilege
                    Computer Setting:  Administrators
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            BatchLogonRight
                    Computer Setting:  XENAPP\SQLServer2005MSSQLUser$DC$SQLEXPRESS
                                       Administrators
                                       Backup Operators
                                       Performance Log Users
                                       IIS_IUSRS
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            NetworkLogonRight
                    Computer Setting:  Everyone
                                       Administrators
                                       Authenticated Users
                                       ENTERPRISE DOMAIN CONTROLLERS
                                       Pre-Windows 2000 Compatible Access
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            SystemProfilePrivilege
                    Computer Setting:  Administrators
                                       WdiServiceHost
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            RemoteShutdownPrivilege
                    Computer Setting:  Administrators
                                       Server Operators
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            BackupPrivilege
                    Computer Setting:  Administrators
                                       Backup Operators
                                       Server Operators
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            EnableDelegationPrivilege
                    Computer Setting:  Administrators
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            UndockPrivilege
                    Computer Setting:  Administrators
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            SystemEnvironmentPrivilege
                    Computer Setting:  Administrators
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            LoadDriverPrivilege
                    Computer Setting:  Administrators
                                       Print Operators
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            IncreaseQuotaPrivilege
                    Computer Setting:  Classic .NET AppPool
                                       XENAPP\SQLServer2005MSSQLUser$DC$SQLEXPRESS
                                       LOCAL SERVICE
                                       NETWORK SERVICE
                                       Administrators
                                       DefaultAppPool
                                       CitrixWebInterface5.3.0AppPool
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            ProfileSingleProcessPrivilege
                    Computer Setting:  Administrators
                                       
                GPO: Default Domain Controllers Policy
                    Policy:            AssignPrimaryTokenPrivilege
                    Computer Setting:  CitrixWebInterface5.3.0AppPool
                                       Classic .NET AppPool
                                       XENAPP\SQLServer2005MSSQLUser$DC$SQLEXPRESS
                                       LOCAL SERVICE
                                       NETWORK SERVICE
                                       DefaultAppPool
                                       
            Security Options
            ----------------
                GPO: Default Domain Policy
                    Policy:            PasswordComplexity
                    Computer Setting:  Enabled

                GPO: Default Domain Policy
                    Policy:            ClearTextPassword
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            ForceLogoffWhenHourExpire
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            RequireLogonToChangePassword
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            LSAAnonymousNameLookup
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            TicketValidateClient
                    Computer Setting:  Enabled

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59013
                    ValueName:         MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
                    Computer Setting:  1

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59043
                    ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
                    Computer Setting:  1

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59044
                    ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
                    Computer Setting:  1

                GPO: Default Domain Policy
                    Policy:            @wsecedit.dll,-59058
                    ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
                    Computer Setting:  1

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59018
                    ValueName:         MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
                    Computer Setting:  1

            Event Log Settings
            ------------------
                N/A

            Restricted Groups
            -----------------
                N/A

            System Services
            ---------------
                N/A

            Registry Settings
            -----------------
                N/A

            File System Settings
            --------------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                N/A


    USER SETTINGS
    --------------
        CN=Administrator,CN=Users,DC=xenapp,DC=com
        Last time Group Policy was applied: 7/28/2011 at 3:47:47 PM
        Group Policy was applied from:      DC.xenapp.com
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        XENAPP
        Domain Type:                        Windows 2000
        
        Applied Group Policy Objects
        -----------------------------
            N/A

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Default Domain Policy
                Filtering:  Not Applied (Empty)

            Local Group Policy
                Filtering:  Not Applied (Empty)

        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Administrators
            BUILTIN\Users
            BUILTIN\Pre-Windows 2000 Compatible Access
            NT AUTHORITY\INTERACTIVE
            CONSOLE LOGON
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            Domain Admins
            Group Policy Creator Owners
            Schema Admins
            Enterprise Admins
            Denied RODC Password Replication Group
            High Mandatory Level
            
        The user has the following security privileges
        ----------------------------------------------

            Bypass traverse checking
            Manage auditing and security log
            Back up files and directories
            Restore files and directories
            Change the system time
            Shut down the system
            Force shutdown from a remote system
            Take ownership of files or other objects
            Debug programs
            Modify firmware environment values
            Profile system performance
            Profile single process
            Increase scheduling priority
            Load and unload device drivers
            Create a pagefile
            Adjust memory quotas for a process
            Remove computer from docking station
            Perform volume maintenance tasks
            Impersonate a client after authentication
            Create global objects
            Change the time zone
            Create symbolic links
            Enable computer and user accounts to be trusted for delegation
            Increase a process working set
            Add workstations to domain

        Resultant Set Of Policies for User
        -----------------------------------

            Software Installations
            ----------------------
                N/A

            Logon Scripts
            -------------
                N/A

            Logoff Scripts
            --------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                N/A

            Folder Redirection
            ------------------
                N/A

            Internet Explorer Browser User Interface
            ----------------------------------------
                N/A

            Internet Explorer Connection
            ----------------------------
                N/A

            Internet Explorer URLs
            ----------------------
                N/A

            Internet Explorer Security
            --------------------------
                N/A

            Internet Explorer Programs
            --------------------------
                N/A


    Hi, I pasted the result; please check it.
    Bhaskar
    Thursday, July 28, 2011 10:59 AM
  • Hi Bhaskar

    You can change your download directory with a small registry change.

    Go to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer, then check whether there is a String value called "Download Directory" or not. If yes, simply right-click and edit the path. If this value does not exist, create a String value and change the path as you want. If you want to apply it for all users, then use Group Policy Preferences and edit Registry items: point to the path and update the values.

    Note: If you restrict users from accessing system drives as Lee suggested, your users will get errors (randomly) while saving Microsoft Office documents. It is better to hide the C drive through Group Policy under Users > Admin Templates > Windows Components > Hide these specified drives in My Computer.

    Let me know if it works. Good luck.

     

     


    Regards Suman B. Singh
    Friday, July 29, 2011 1:11 PM
  • Hi Bhaskar,

    According to the output of gpresult, the GPO is not being applied. Can you check whether the GPO is linked to the OU where the user objects are located?


    USER SETTINGS
    --------------
        CN=Administrator,CN=Users,DC=xenapp,DC=com
        Last time Group Policy was applied: 7/28/2011 at 3:47:47 PM
        Group Policy was applied from:      DC.xenapp.com
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        XENAPP
        Domain Type:                        Windows 2000
        
        Applied Group Policy Objects
        -----------------------------
            N/A




    Brent
    Monday, August 01, 2011 2:35 AM
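
Added example (not part of the thread or any poster's reply): a PowerShell 2.0 check that reads saved `gpresult /v` text and reports which account the user-side RSoP covers and whether the expected GPO was applied. The sample text is constructed by abridging the output posted above; the OU path, the GPO name, and the function names are placeholders or helpers for this example.

```powershell
# To capture a real report while logged on as the affected user:
#   gpresult /scope user /v > "$env:TEMP\gpresult.txt"
#   $report = (Get-Content "$env:TEMP\gpresult.txt") -join "`n"

# Constructed sample, abridged from the gpresult output posted in this thread.
$report = @'
RSOP data for XENAPP\Administrator on DC : Logging Mode

USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=xenapp,DC=com
    Group Policy was applied from:      DC.xenapp.com

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Not Applied (Empty)
'@

# Pulls the account, user DN and applied GPO list out of the USER SETTINGS part.
function Get-UserRsopSummary {
    param([Parameter(Mandatory=$true)][string]$ReportText)
    $lines = $ReportText -split "`r?`n"
    $start = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i].Trim() -eq 'USER SETTINGS') { $start = $i; break }
    }
    if ($start -lt 0) { throw 'No USER SETTINGS section found in the report.' }

    $account = $null
    if ($ReportText -match 'RSOP data for (\S+) on (\S+)') { $account = $Matches[1] }

    $dn = $null; $applied = @(); $inApplied = $false
    for ($i = $start + 1; $i -lt $lines.Count; $i++) {
        $t = $lines[$i].Trim()
        if (-not $dn -and $t -match '^CN=') { $dn = $t; continue }
        if ($t -eq 'Applied Group Policy Objects') { $inApplied = $true; continue }
        if (-not $inApplied)  { continue }
        if ($t -match '^-+$') { continue }       # underline below the heading
        if ($t -eq '')        { break }          # blank line ends the list
        if ($t -ne 'N/A')     { $applied += $t }
    }
    New-Object PSObject -Property @{
        Account = $account; UserDn = $dn; AppliedGpos = $applied
    }
}

# Compares the summary with the OU and GPO that were expected to apply.
function Test-UserGpo {
    param([string]$ReportText, [string]$ExpectedOu, [string]$ExpectedGpo)
    $s = Get-UserRsopSummary -ReportText $ReportText
    $findings = @("Report covers $($s.Account) ($($s.UserDn))")
    if ($s.UserDn -notlike "*,$ExpectedOu") {
        $findings += "User object is not under $ExpectedOu, so a GPO linked there is out of scope for this account."
    }
    if ($s.AppliedGpos -notcontains $ExpectedGpo) {
        $findings += "'$ExpectedGpo' is not in the applied user GPO list."
    }
    return $findings
}

# Placeholders: the OU and GPO names are assumptions, not values from the thread.
Test-UserGpo -ReportText $report `
    -ExpectedOu 'OU=Staff,DC=xenapp,DC=com' `
    -ExpectedGpo 'Restrict C drive (users)'
```

On the sample, the summary shows a report generated for XENAPP\Administrator, whose user object is in CN=Users, so the user section of the report has to be collected while logged on as the account that lives in the OU.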
  • Any update?


    Wednesday, August 03, 2011 2:09 AM
  • Hi, thank you, I will do it later. Nowadays I am a little busy with other work. I am working on the XenApp application; you guys know it, I think.

    Bhaskar
    Friday, August 12, 2011 7:27 PM
  • Hi, sorry for the late reply. I will do it later and reply to you. As I am busy with XenApp application practicals, I am unable to do this GPO. Next week I will do it and I will reply to you.

    Bhaskar
    Friday, August 12, 2011 7:30 PM
  • Hi, can you clearly tell me how to set the default download directory? In that registry key I am seeing Download and two values. One is Default, its type is REG_SZ, and it shows the value data as empty; the second one is CheckExeSignatures, type REG_SZ, and its value data is yes. What should I do now? I want to set the default download directory to the 'D' drive. As he said, I am able to restrict users from accessing the C drive, but when I tested, I was unable to download to another drive also. It says you don't have administrator permissions. They are able to download to the desktop but not to other drives. What should I do?
    Bhaskar
    Tuesday, August 16, 2011 1:06 PM
  • Hi, can you clearly tell me how to set the default download directory? In that registry key I am seeing Download and two values. One is Default, its type is REG_SZ, and it shows the value data as empty; the second one is CheckExeSignatures, type REG_SZ, and its value data is yes. What should I do now? I want to set the default download directory to the 'D' drive. As you said, I am able to restrict users from accessing the C drive, but when I tested, I was unable to download to another drive also. It says you don't have administrator permissions. They are able to download to the desktop but not to other drives. What should I do?
    Bhaskar
    Tuesday, August 16, 2011 1:08 PM
  • Hi

    Point to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer. If there is no such entry called "Download Directory", then create a REG_SZ entry and define the path, like D:\Downloads. Make sure you have created a folder called Downloads. Below is the reference picture.

     


    Regards Suman B. Singh
    Tuesday, August 16, 2011 1:33 PM
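
Added example (not part of the thread or any poster's reply): the "Download Directory" value pushed as a Group Policy Preferences registry item, followed by a client-side check that the value arrived, the folder exists, and the logged-on user can create a file there. The GPO name and the function `Test-CanCreateFile` are assumptions of this example; it assumes PowerShell 2.0 on the client, and Windows XP clients need the Group Policy Preferences client-side extensions installed to process the item.

```powershell
# --- On the domain controller (GroupPolicy module, Windows Server 2008 R2) ---
Import-Module GroupPolicy

$gpoName = 'Restrict C drive (users)'            # placeholder GPO name
$target  = 'D:\Downloads'                        # path used in the post above

# User-side preference item: HKCU\...\Internet Explorer\Download Directory (REG_SZ).
Set-GPPrefRegistryValue -Name $gpoName -Context User `
    -Key 'HKCU\Software\Microsoft\Internet Explorer' `
    -ValueName 'Download Directory' -Type String -Value $target `
    -Action Update | Out-Null

# --- On a client, logged on as a user the GPO applies to (after gpupdate) ---

# Tries to create and delete a probe file; returns $true when the user can
# create files directly in $Folder. Helper written for this example.
function Test-CanCreateFile {
    param([Parameter(Mandatory=$true)][string]$Folder)
    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) { return $false }
    $probe = Join-Path $Folder ([guid]::NewGuid().ToString() + '.tmp')
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

$ie  = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer' `
           -ErrorAction SilentlyContinue
$dir = $ie.'Download Directory'                  # $null when the value is absent

if (-not $dir) {
    Write-Output 'Download Directory is not set for this user.'
} else {
    $root = [IO.Path]::GetPathRoot($dir)         # e.g. D:\
    New-Object PSObject -Property @{
        DownloadDirectory = $dir
        FolderExists      = (Test-Path -LiteralPath $dir -PathType Container)
        CanWriteFolder    = (Test-CanCreateFile -Folder $dir)
        CanWriteDriveRoot = (Test-CanCreateFile -Folder $root)
    }
}
```

Comparing `CanWriteFolder` with `CanWriteDriveRoot` separates a file-system permission problem on the drive root from a Group Policy problem; `icacls D:\` and `icacls D:\Downloads` show the access entries behind each result.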
  • Hi Bhaasu

    Any positive sign?


    Regards Suman B. Singh
    Friday, August 19, 2011 1:33 PM
  • Hi, in that registry I am seeing the Download key, and in it I am seeing Default and other string values. Do I have to create that string value under Internet Explorer or under Download?
    Bhaskar
    Monday, August 22, 2011 8:05 AM
  • Do I have to create that Downloads folder on every user machine? I created that folder on one user machine. I created an OU and a user in it, and applied the group policy to that user. I logged in as that user, surfed the internet and downloaded a file, and while downloading it offers to download to the desktop; I mean it asks where to download. After clicking, it should automatically download to d:\downloads, but it asks where to save the file or whether to run the file. After clicking download, it should automatically download into that d:\downloads folder. How do I do this? Can you guide me, please?


    Bhaskar
    Monday, August 22, 2011 9:26 AM
  • When it asked me to save or run, I clicked save, and if I select the 'D' drive it shows an error that the user doesn't have permission, but if I select any folder on the 'D' drive it doesn't show that error. It is because that user doesn't have permission, I think, so I have to allow that user to access the 'D' drive through a GPO. How can I do this?

    Bhaskar
    Monday, August 22, 2011 9:28 AM
  • Hi Bhaasu

    Have you restricted your users from accessing the D drive? If your users are restricted from accessing the D drive, they will get an error. Go to User Configuration > Admin Templates > Windows Components > Windows Explorer, then set "Hide these specified drives" to hide, and use "Prevent access to drives from My Computer".


    Regards Suman B. Singh
    Tuesday, August 23, 2011 2:23 PM
  • Hi Suman,

    I did not restrict users from accessing the D drive. They can access the D drive, but they are unable to download files to the D drive, although they can download files to a folder located on the D drive.


    Bhaskar
    Wednesday, August 24, 2011 4:16 AM