Depending on how the GPO is implemented you may be able to use item level targeting and not apply it to a specific group, etc.
-- There are 10 kinds of people in the world... those who understand binary and those who don't. -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone Sent: Friday, February 17, 2017 2:14 PM To: [email protected] Subject: Re: [NTSysADM] Some advice needed about allowing local C: drive access The GPO about hiding drives is for A,B,C only. We use Z: as a profile drive (folder redirected to network storage). We don't allow regular users access to the command prompt, either, so the Help Desk can't issue that command. On Fri, Feb 17, 2017 at 12:45 PM, Erik Goldoff <[email protected]> wrote: > use the SUBST command ? > > SUBST Z: c:\debug > > worth testing to see if you have access using Z: or does your GPO > quash this method ? > > On Fri, Feb 17, 2017 at 12:34 PM, Michael Leone <[email protected]> wrote: >> >> I know I've read about this procedure somewhere, but I'm not finding >> it at the moment. >> >> We have this application that writes out it's debug log to c:\debug. >> Now, we hide drive C; from domain users using GPO (User >> Configuration/Policies/Administrative Policies/Windows >> Components/File Explorer/Hide these specific drives ("Restrict A.B.C")). >> >> So what my help desk staff needs to do is to log onto these >> workstations (as a specific domain account), run the software, and >> need to be able to see, read (and optionally write to) this C:\Debug >> location, to identify/fix problems. >> (this is the "Check21" check processing software, if anyone else uses >> it) >> >> What I don't know is how best to do this. >> >> Oh, sure, I could create a whole new GPO, without that "Hide drives" >> setting, and limit it only to this one domain login. But is there a >> better, more efficient way to do this? I want C: drive hidden from >> the majority of my users, but do need certain logons that aren't >> limited this way. >> >> And I don't want the logon to be local admin, or have any access >> other than just standard domain user (or I could use a Restricted Group). >> >> Thoughts? Advice? >> (Win 2008 R2 domain) >> >> >
