I agree that the ACLs would always be the first choice, and we tried. But, certain functions with folder redirection require full control to work correctly due to ownership issues, so I think it depends on everyone's environment and what is set up. A specific example is when an account first logs on and the desktop folder redirects to the home directory (we have them there for quota reasons), if the account doesn't have full control, the redirection doesn't happen and you end up with Desktop items in the roaming (or local) profile. We went through a lot of pain with this one.
To my knowledge we've not retested this with Win7 so I don't know for sure that it's still an issue, but I suspect it would be. I really don't think it's going to be any different as it's pretty much a folder redirection issue.

http://technet.microsoft.com/en-us/library/cc781907%28v=ws.10%29.aspx

And when I say a lot of policies are in place, I mean a LOT of policies are in place. There is only so much that can be done via technology and still have it work--security vs. usability.

-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Monday, March 12, 2012 8:41 AM
To: NT System Admin Issues
Subject: Re: (homedrive)

On Mon, Mar 12, 2012 at 10:21 AM, Miller Bonnie L. <[email protected]> wrote:
>> We have students who get "Full Control" of their folders.
>> The users end up with Read, Write, Execute.
>
> We used to have that problem a lot too, then found this handy GPO:
> \User Configuration\Administrative Templates\Windows
> Components\Windows Explorer Remove Security Tab
>
> Combined of course, with a whole ton of other policies including software
> restriction policies, not running cmd/command, etc.

It seems to me that removing the permission to change the ACL is the "right" way to do it. Hiding the user interface leaves the capability there, just hard to get to. Then you face the challenge of blocking all other ways to get to that capability. The students can still do it, you're just intercepting the request.

Removing permission to change the ACL denies it at the OS security kernel level, which should prevent it from happening at all. They can request it all they want; the OS just says "no".

IMO, YMMV, etc., etc.

-- Ben
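The difference discussed in this thread, between hiding the Security tab and actually withholding the right to change the ACL, can be audited per home folder. The PowerShell below is an added example, not code from any poster in the thread; it assumes PowerShell 3.0 or later, that home folders are the immediate children of one root, and a hypothetical `$Trusted` list. It also reports each folder's owner, because Windows lets an object's owner rewrite its DACL even when no ACE grants that right.

```powershell
# Added example: list principals able to rewrite the ACL of each home folder.
function Find-AclChangeRight {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Principals expected to hold these rights (assumed list; adjust per site).
        [string[]] $Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Full Control contains ChangePermissions (WRITE_DAC) and TakeOwnership
    # (WRITE_OWNER); Modify contains neither. 0x10000000 is GENERIC_ALL, which
    # can appear unmapped on inherit-only ACEs.
    $risky = [int]($fsr::ChangePermissions -bor $fsr::TakeOwnership) -bor 0x10000000

    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        $acl = Get-Acl -LiteralPath $dir.FullName

        # The owner can change the DACL without any ACE granting it.
        if ($acl.Owner -notin $Trusted) {
            [pscustomobject]@{ Folder = $dir.Name; Principal = $acl.Owner
                               Via = 'Owner'; Rights = 'implicit WRITE_DAC' }
        }
        foreach ($ace in $acl.Access) {
            $name = $ace.IdentityReference.Value
            $hit  = ([int]$ace.FileSystemRights -band $risky) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $hit -and $name -notin $Trusted) {
                [pscustomobject]@{ Folder = $dir.Name; Principal = $name
                                   Via = 'ACE'; Rights = $ace.FileSystemRights }
            }
        }
    }
}

# Constructed demo: a scratch "home" root with one folder on which the
# current user is given Full Control.
$root   = Join-Path $env:TEMP 'homes-demo'
$folder = New-Item -ItemType Directory -Path (Join-Path $root 'student1') -Force
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl    = Get-Acl -LiteralPath $folder.FullName
$rule   = New-Object System.Security.AccessControl.FileSystemAccessRule(
              $me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $folder.FullName -AclObject $acl

Find-AclChangeRight -Root $root | Format-Table -AutoSize
```

On a real share, a row with `Via = 'Owner'` means that user can restore their own permissions even after the Full Control ACE is replaced with Modify.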
