GPO to give read-only permission for userprofile

  • Question

  •  I'm trying to apply a group policy to prevent users from saving any data on the computer. I don't need to use folder redirection or a mandatory profile.

    I used the File System GPO: Computer Configuration/Windows Settings/Security Settings/File System.

    I added the file c:\users\%username% and changed the permissions, but it's not working.

    Please advise.

    Thursday, March 22, 2012 7:50 AM

Answers


  • I used the File System GPO: Computer Configuration/Windows Settings/Security Settings/File System.

    I added the file c:\users\%username% and changed the permissions, but it's not working.


    That IS working, but not as you intend it to... File system security is a computer setting and thus it is executed in SYSTEM context. The %userprofile% variable in SYSTEM context points to %windir%\system32\config\systemprofile, which is not what you are targeting.

    In short: you cannot set ACLs on user profiles through GPO security settings.

    The only easy way out is indeed folder redirection, redirecting to read-only shares (that works even for the Desktop folder...).

    And you can NEVER prevent a user from writing to %userprofile% directly - this write access is required to successfully log on.

    sincerely, Martin

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    • Proposed as answer by Miya Yao Friday, March 23, 2012 5:44 AM
    • Marked as answer by Miya Yao Friday, March 30, 2012 5:07 AM
    Thursday, March 22, 2012 4:28 PM

  • Why is this the best solution if I don't need to use folder redirection? I'm planning to write a script that will change the NTFS permissions on the profiles.

    You could possibly deny the user write access to lots of the profile folders, but you cannot (!) deny him write access to e.g. %temp% and %userprofile% directly. Windows absolutely needs SOME locations where it can write user data.

    sincerely, Martin

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    • Marked as answer by Miya Yao Friday, March 30, 2012 5:07 AM
    Tuesday, March 27, 2012 5:43 AM
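The following is an added example of the scripted approach the reply above concedes is possible; it is not Martin's code and nothing like it was posted in the thread. It assumes local profiles live under C:\Users, that each profile directory is owned by its user (which is how the profile service creates them), and that it runs elevated on the client, for instance as a computer startup script (SYSTEM context). It denies the profile owner write access to the usual shell folders only, and deliberately leaves the profile root, AppData and AppData\Local\Temp alone, because Windows has to write there to log the user on. The folder list and the step that moves ownership to Administrators are my choices, not something the thread specifies.

```powershell
# Added example, not from the thread. Run elevated (startup script or admin shell).
param(
    [string]   $ProfileRoot = 'C:\Users',
    # Shell folders the user should only be able to read. Deliberately NOT the
    # profile root, AppData or AppData\Local\Temp: the logon needs to write there.
    [string[]] $LockFolders = @('Desktop', 'Documents', 'Downloads', 'Pictures', 'Music', 'Videos'),
    [switch]   $WhatIf
)

# Profile directories that belong to no particular user; leave them alone.
$skipProfiles = @('Public', 'Default', 'Default User', 'All Users')
# Owner SIDs that mean "not a real user profile" (folder created by hand by an
# admin, or by SYSTEM). Well-known SIDs, so this does not depend on display names.
$skipOwnerSids = @('S-1-5-32-544', 'S-1-5-18')   # BUILTIN\Administrators, NT AUTHORITY\SYSTEM

# Every write-type right: WriteData/CreateFiles, AppendData/CreateDirectories,
# WriteAttributes, WriteExtendedAttributes, plus Delete and DeleteSubdirectoriesAndFiles.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'
$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$adminsGroup = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'

Get-ChildItem -LiteralPath $ProfileRoot -Directory |
    Where-Object { $skipProfiles -notcontains $_.Name } |
    ForEach-Object {
        $profileDir = $_.FullName
        # Take the owner as a SID so the script still works for accounts whose
        # name cannot be resolved right now (e.g. domain users while offline).
        $ownerSid = (Get-Acl -LiteralPath $profileDir).GetOwner([System.Security.Principal.SecurityIdentifier])
        if ($skipOwnerSids -contains $ownerSid.Value) {
            Write-Warning "Skipping $profileDir (owner $($ownerSid.Value) is not a user)"
            return   # next profile
        }

        foreach ($name in $LockFolders) {
            $folder = Join-Path -Path $profileDir -ChildPath $name
            if (-not (Test-Path -LiteralPath $folder -PathType Container)) { continue }

            $acl = Get-Acl -LiteralPath $folder
            # Explicit Deny for the owner on all write-type rights, inherited by every
            # child. The existing Allow ACEs keep read/list/execute working; the .NET
            # ACL classes keep the DACL canonical (Deny ahead of Allow) when written back.
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $ownerSid, $writeRights, $inherit,
                [System.Security.AccessControl.PropagationFlags]::None,
                [System.Security.AccessControl.AccessControlType]::Deny)
            $acl.AddAccessRule($rule)

            # The owner of an object always has implicit READ_CONTROL and WRITE_DAC,
            # so a Deny ACE alone is trivially removable by the user. Move ownership
            # to Administrators so the Deny actually sticks.
            $acl.SetOwner($adminsGroup)

            if ($WhatIf) {
                Write-Host "Would deny write on $folder for $($ownerSid.Value)"
            } else {
                Set-Acl -LiteralPath $folder -AclObject $acl
                Write-Host "Denied write on $folder for $($ownerSid.Value)"
            }
        }
    }
```

Run it once with -WhatIf to see which folders and which SIDs it would touch, then check a locked folder with `icacls "C:\Users\<user>\Documents"`: the expected line is `<user>:(OI)(CI)(DENY)(W,D,DC)` ahead of the Allow entries, with the owner shown as BUILTIN\Administrators. Profiles created after the run are untouched, so schedule it at every startup rather than running it once. The root of the profile, NTUSER.DAT and AppData stay writable on purpose, which is exactly the limit Martin describes. To see the SYSTEM-context point from the first reply for yourself, `psexec -s cmd /c echo %USERPROFILE%` prints C:\Windows\system32\config\systemprofile, which is why a path with %userprofile% in the File System policy never reaches the user's own profile.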

All replies




  • Dear

    Why is this the best solution if I don't need to use folder redirection? I'm planning to write a script that will change the NTFS permissions on the profiles.

    Saturday, March 24, 2012 10:32 AM

  • Just wanted to add that there is an option via GP to prevent the end user from writing to the root of the user profile:

    User Configuration | Administrative Templates | Windows Components | File Explorer | Prevent users from adding files to the root of their Users Files folder.

    It should be noted that this ONLY prevents new files being written at the root. An end user could still write files to subfolders.


    • Edited by Aakash Shah Wednesday, July 30, 2014 2:35 AM
    Wednesday, July 30, 2014 2:34 AM
  • Why does %ProgramFiles% (x86)\Google work but not %UserProfile%\Desktop?
    Tuesday, September 26, 2017 4:41 PM
  • > Why does %ProgramFiles% (x86)\Google work but not %UserProfile%\Desktop?
    Despite this thread being 5 years old: File system security is part of computer configuration - where should %userprofile% point to in system context?

    Wednesday, September 27, 2017 7:56 AM