locked
Windows Steady State Best Practice RRS feed

  • Question

  • What is the suggested best practice to allow users to save to their documents and desktop, while preventing them from accessing anything else on the C drive?  Seperate partion is out due to WDP not protecting anything other than system drive.  I am migrating from Shared Computer Toolkit and seemed to have a lot better luck with that product.  My users couldn't save to the desktop/documents from Office but at least they could from IE in order to burn files, etc..  Am I completely missing something trivial in the configuration?

    TIA,
    Jack

    Wednesday, May 28, 2008 8:39 PM

Answers

  •  

    Yes, we can add an entry in registry to achieve this:

     

    1.       Launch regedit.

    2.       Navigate to the path: 

     

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

     

    3.       Create a new DWORD value.

    4.       Name it as NoDrives.

    5.       Modify the value as 4.

    6.       Restart the computer and C:\ will be hidden from My Computer.

    Wednesday, June 4, 2008 9:13 AM

All replies

  •  

    I consider this could be illogicality. Do you mean the users should be able to save documents and desktop on driver C meanwhile they are not able to access drive C? For such scenario, I think saving documents on another partition should be more reasonable.

    Monday, June 2, 2008 7:26 AM
  • Currently I have the user directory on a seperate partition, but I'm losing the disk protection with this method.  Ideally, I'd like to use only C, but keep users from accessing anything but C:\docs & settings\<user>\

    I have something like that now with the Shared Computer Toolkit, the only drawback is that users can't save files from office to desktop/docs, only Internet Explorer will let them save to those locations.
    Monday, June 2, 2008 1:13 PM
  •  

    Hi Jack, I suggest you check the following thread and see if this is helpful:

     

    Office XP unable to save file to My Documents or Desktop

    http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2817559&SiteID=17

    Tuesday, June 3, 2008 7:01 AM
  • The office problem was related to Shared Computer Toolkit.

    I guess what I really need to know is.. Can I hide the system drive but still allow users to save files to their user docs and desktop directory on the system drive.  I do not want to move the user's profile to another partition because it will no longer have windows disk protection.  I know that with WDP on, my users cant hurt files on the system drive, but I'd like to hide them from view anyways.
    Tuesday, June 3, 2008 1:48 PM
  •  

    Yes, we can add an entry in registry to achieve this:

     

    1.       Launch regedit.

    2.       Navigate to the path: 

     

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

     

    3.       Create a new DWORD value.

    4.       Name it as NoDrives.

    5.       Modify the value as 4.

    6.       Restart the computer and C:\ will be hidden from My Computer.

    Wednesday, June 4, 2008 9:13 AM
  • Thanks, I will give this a try later this afternoon.  How does this method vary from the hide drive option when editing a user in the Steady State tool?
    Wednesday, June 4, 2008 12:58 PM
  • That didn't do what I was looking for.  It removed the drive from my computer but i could still access it using C: in the address bar?
    Thursday, June 5, 2008 12:53 PM
  •  

    Hi Jack, this seems to me the way to "hide" system drive and still allow users save documents on the drive. As SteadyState cannot fully fulfill your requirement, I suggest you post the issue to system newsgroup and check if there is any workaround:

     

    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windowsxp.general

    Friday, June 6, 2008 2:56 AM
  •  

    You don't need to hide the other drive.  Just use NTFS file permissions to only allow the user to write files to their folder.

     

    For example, a logon script would create a folder named the same as their username if one didn't already exist, and then set permissions on that folder so that only that user could read and write those files.

     

    Doing this you can still lock down the system drive as much as you want.

    Sunday, June 15, 2008 10:04 PM