Group Policy - Security Templates?


  • Evening all,

    I hope someone would be able to give me some advice on the best way of setting this group policy up for a production system.

    1. I have a group called 'Team Users' - this group is a global security group and the members of this group are in the companys HR department.

    2. We have just set some brand new servers up with Windows Servers 2012 R2 installed and the application has been installed correctly on to the D:. - We like to keep it so that the C: is strictly Operating System only.

    3. On the D: we have the following folder structure:

    - Install
    - Application
    - Program Files

    What I want to do is set it up so that this group 'Team Users' can log on to the server but only be able to modify anything in the Application folder. We don't want them to have any modify access to any other folders on the D:

    This team have a previous history of having access to the C: and dragging and dropping files / folders on to the C: in certain locations. I don't want this to happen again. What is the best way of stopping the users from doing this without stopping the drive from working or affecting the Application?

    Are there any Microsoft guides or recommendations in regards to giving end users access to log on to servers etc?

    Sunday, February 08, 2015 6:55 PM


  • this doesn't seem to be a GP specific question, in that you seem to want to restrict the user-level access to volumes/folders/files, either by access permissions or by quota ? (neither of which are really possible using GP)

    you might use GP to perform folder redirection, i.e. to redirect the users "my documents" etc away from storing on C:, and instead store them on D:, perhaps D:\userdata ?

    by default, user account would not be added into the Administrators group of the server, which will natively restrict those accounts from placing files into System folders.

    you would also take steps to ensure that these users are not granted nor would they inherit permissions to create folders/files on D:\ (except for the explicit folders you mentioned above.

    if you grant these users read/write/modify permissions to D:\Application, that won't stop those users from filling up D: with content in the D:\Application folder, so you might want to consider quotas.

    The FSRM feature might be useful to you for that.

    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Sunday, February 08, 2015 8:04 PM