How to deny access to local drives of network pcs on a 2000 domain

[nightowl]

I have 2 groups and corrsponding policies on a 2000 server. I want to deny the users access to the local drives on the network workstations so the users are forced to save stuff to their network drive. How do I do this? I have found the setting in the management console, but I cannot get it to apply to the workstations on the network.

 

[Techwhore]

You can set the NTFS permissions to "read and execute" for the local drive either locally or via the server with a GPO. GPO is the easiest way to go about this, especially if u have a lot of PCs or if u plan on getting more PCs.

 

[nightowl]

Do the local drives on the workstations have to be in NTFS? All of the computers that are connecting to the domain have FAT32 drives. Also, not all of the workstations are NT/2000 machines. How can I set up a GPO (Group Policy Object, right?)? I have group policies set up and orgazational units set up for the groups that I want to restrict access to the local drives.

 

[Shadow07]

Well, in order to use GPO, ALL workstations need to be Windows 2000 machines. Windows 9x/ME do not support GPO's. Even if you do install the ADCLient software on them.

What you will need to do is assign a System Policy. Windows 98 has some ADM templates that you can redirect the My Documents folder to a server share. But, you cannot "disable" them from saving to the local HD. In order to do this, you will have to train your users on where and when to save the files.

I know that this doesn't sound like a good idea, but it is the only way with Windows 9x/ME. NT/2000, you can set a GPO at either the Domain, Site, or OU level. Remember, if you set multiple GPO's at all of these levels, they will be processed in this order:

1. Site
2. Domain
3. Parent OU
4. Child OU

The GPO's will be over-written with sucessive GPO setting. Meaning, if at the Domain level, you have specified IPSEC policies for a certain setting, and then at a Child OU where the user account resides a different setting, the Child OU will apply. Use GPRESULT to test your GPO's in your deployment.

Let me know if you have any further questions.

 

[Techwhore]

<< you cannot &quot;disable&quot; them from saving to the local HD. In order to do this, you will have to train your users on where and when to save the files. >>


What u can do to solve this problem is run third party software. We run Fortress on our 98 workstations at work, it locks down just like NTFS. This will allow u to prohibit saving to the local disks.

 

[Shadow07]

Good to know. I ment to say that you cannot do this with the default settings within Windows 9x/ME. I had forgotten about Fortress.

 

[Woodie]

Don't forget...users will need &quot;write&quot; access to their temp directories...(\Documents and Settings\userid\Local Settings\Temp and also Temporary Internet Files, and \winnt\Temp, etc....)

--Woodie