On Mon, Mar 12, 2012 at 10:21 AM, Miller Bonnie L. <[email protected]> wrote: >> We have students who get "Full Control" of their folders. >> The users end up with Read, Write, Execute. > > We used to have that problem a lot too, then found this handy GPO: > \User Configuration\Administrative Templates\Windows Components\Windows > Explorer > Remove Security Tab > > Combined of course, with a whole ton of other policies including software > restriction policies, not running cmd/command, etc.
It seems to me that removing the permission to change the ACL is the "right" way to do it. Hiding the user interface leaves the capability there, just hard to get to. Then you face the challenge of blocking all other ways to get to that capability. The students can still do it, you're just intercepting the request. Removing permission to change the ACL denies it at the OS security kernel level, which should prevent it from happening at all. They can request it all they want; the OS just says "no". IMO, YMMV, etc., etc. -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
