Re: [NTSysADM] Some advice needed about allowing local C: drive access

2017-02-17 Thread D R
Can you still mount a directory?

I would create a folder on the server, somewhere, then mount that to a
directory on the workstation. Then when the application writes to
c:\whatever it is actually writing to a shared folder on the server. Set
up that folder so that it has a subfolder with either the hostname of the
workstation as a subfolder, or the username as the folder name, and when
you need access to it, you can just go to the server and get the info,
instead of trying to access the workstation.

My .02 cents worth.

On Fri, Feb 17, 2017 at 1:15 PM, Webster  wrote:

> Or \\ip.ad.dr.ress\c$ that bypasses drive letter blocking.
>
> Thanks
>
>
> Carl Webster
> Citrix Technology Professional
> http://www.CarlWebster.com
> The Accidental Citrix Admin
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] On Behalf Of James Rankin
> Sent: Friday, February 17, 2017 11:56 AM
> To: ntsysadm@lists.myitforum.com
> Subject: RE: [NTSysADM] Some advice needed about allowing local C: drive
> access
>
> Why don't they just browse to \\hostname\c$?
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] On Behalf Of Michael Leone
> Sent: 17 February 2017 17:34
> To: ntsysadm@lists.myitforum.com
> Subject: [NTSysADM] Some advice needed about allowing local C: drive access
>
> I know I've read about this procedure somewhere, but I'm not finding it at
> the moment.
>
> We have this application that writes out its debug log to c:\debug.
> Now, we hide drive C: from domain users using GPO (User
> Configuration/Policies/Administrative Policies/Windows Components/File
> Explorer/Hide these specific drives ("Restrict A.B.C")).
>
> So what my help desk staff needs to do is to log onto these workstations
> (as a specific domain account), run the software, and need to be able to
> see, read (and optionally write to) this C:\Debug location, to identify/fix
> problems.
> (this is the "Check21" check processing software, if anyone else uses it)
>
> What I don't know is how best to do this.
>
> Oh, sure, I could create a whole new GPO, without that "Hide drives"
> setting, and limit it only to this one domain login. But is there a
> better, more efficient way to do this? I want C: drive hidden from the
> majority of my users, but do need certain logons that aren't limited this
> way.
>
> And I don't want the logon to be local admin, or have any access other
> than just standard domain user (or I could use a Restricted Group).
>
> Thoughts? Advice?
> (Win 2008 R2 domain)
>
>
>


-- 
Daniel Rodriguez
drod...@gmail.com



RE: [NTSysADM] Some advice needed about allowing local C: drive access

2017-02-17 Thread Webster
Or \\ip.ad.dr.ress\c$ that bypasses drive letter blocking.

Thanks


Carl Webster
Citrix Technology Professional
http://www.CarlWebster.com
The Accidental Citrix Admin

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of James Rankin
Sent: Friday, February 17, 2017 11:56 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Some advice needed about allowing local C: drive access

Why don't they just browse to \\hostname\c$?

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: 17 February 2017 17:34
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Some advice needed about allowing local C: drive access

I know I've read about this procedure somewhere, but I'm not finding it at the 
moment.

We have this application that writes out its debug log to c:\debug.
Now, we hide drive C: from domain users using GPO (User
Configuration/Policies/Administrative Policies/Windows Components/File 
Explorer/Hide these specific drives ("Restrict A.B.C")).

So what my help desk staff needs to do is to log onto these workstations (as a 
specific domain account), run the software, and need to be able to see, read 
(and optionally write to) this C:\Debug location, to identify/fix problems.
(this is the "Check21" check processing software, if anyone else uses it)

What I don't know is how best to do this.

Oh, sure, I could create a whole new GPO, without that "Hide drives"
setting, and limit it only to this one domain login. But is there a better, 
more efficient way to do this? I want C: drive hidden from the majority of my 
users, but do need certain logons that aren't limited this way.

And I don't want the logon to be local admin, or have any access other than 
just standard domain user (or I could use a Restricted Group).

Thoughts? Advice?
(Win 2008 R2 domain)




Re: [NTSysADM] Some advice needed about allowing local C: drive access

2017-02-17 Thread Michael Leone
The GPO about hiding drives is for A,B,C only. We use Z: as a profile
drive (folder redirected to network storage).

We don't allow regular users access to the command prompt, either, so
the Help Desk can't issue that command.


On Fri, Feb 17, 2017 at 12:45 PM, Erik Goldoff  wrote:
> use the SUBST command ?
>
> SUBST Z: c:\debug
>
> worth testing to see if you have access using Z: or does your GPO quash this
> method ?
>
> On Fri, Feb 17, 2017 at 12:34 PM, Michael Leone  wrote:
>>
>> I know I've read about this procedure somewhere, but I'm not finding
>> it at the moment.
>>
>> We have this application that writes out its debug log to c:\debug.
>> Now, we hide drive C: from domain users using GPO (User
>> Configuration/Policies/Administrative Policies/Windows Components/File
>> Explorer/Hide these specific drives ("Restrict A.B.C")).
>>
>> So what my help desk staff needs to do is to log onto these
>> workstations (as a specific domain account), run the software, and
>> need to be able to see, read (and optionally write to) this C:\Debug
>> location, to identify/fix problems.
>> (this is the "Check21" check processing software, if anyone else uses it)
>>
>> What I don't know is how best to do this.
>>
>> Oh, sure, I could create a whole new GPO, without that "Hide drives"
>> setting, and limit it only to this one domain login. But is there a
>> better, more efficient way to do this? I want C: drive hidden from the
>> majority of my users, but do need certain logons that aren't limited
>> this way.
>>
>> And I don't want the logon to be local admin, or have any access other
>> than just standard domain user (or I could use a Restricted Group).
>>
>> Thoughts? Advice?
>> (Win 2008 R2 domain)
>>
>>
>




RE: [NTSysADM] Some advice needed about allowing local C: drive access

2017-02-17 Thread Webster
A Deny?


Webster

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Friday, February 17, 2017 11:34 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Some advice needed about allowing local C: drive access

I know I've read about this procedure somewhere, but I'm not finding it at the 
moment.

We have this application that writes out its debug log to c:\debug.
Now, we hide drive C: from domain users using GPO (User
Configuration/Policies/Administrative Policies/Windows Components/File 
Explorer/Hide these specific drives ("Restrict A.B.C")).

So what my help desk staff needs to do is to log onto these workstations (as a 
specific domain account), run the software, and need to be able to see, read 
(and optionally write to) this C:\Debug location, to identify/fix problems.
(this is the "Check21" check processing software, if anyone else uses it)

What I don't know is how best to do this.

Oh, sure, I could create a whole new GPO, without that "Hide drives"
setting, and limit it only to this one domain login. But is there a better, 
more efficient way to do this? I want C: drive hidden from the majority of my 
users, but do need certain logons that aren't limited this way.

And I don't want the logon to be local admin, or have any access other than 
just standard domain user (or I could use a Restricted Group).

Thoughts? Advice?
(Win 2008 R2 domain)




RE: [NTSysADM] Some advice needed about allowing local C: drive access

2017-02-17 Thread James Rankin
Why don't they just browse to \\hostname\c$?

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: 17 February 2017 17:34
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Some advice needed about allowing local C: drive access

I know I've read about this procedure somewhere, but I'm not finding it at the 
moment.

We have this application that writes out its debug log to c:\debug.
Now, we hide drive C: from domain users using GPO (User
Configuration/Policies/Administrative Policies/Windows Components/File 
Explorer/Hide these specific drives ("Restrict A.B.C")).

So what my help desk staff needs to do is to log onto these workstations (as a 
specific domain account), run the software, and need to be able to see, read 
(and optionally write to) this C:\Debug location, to identify/fix problems.
(this is the "Check21" check processing software, if anyone else uses it)

What I don't know is how best to do this.

Oh, sure, I could create a whole new GPO, without that "Hide drives"
setting, and limit it only to this one domain login. But is there a better, 
more efficient way to do this? I want C: drive hidden from the majority of my 
users, but do need certain logons that aren't limited this way.

And I don't want the logon to be local admin, or have any access other than 
just standard domain user (or I could use a Restricted Group).

Thoughts? Advice?
(Win 2008 R2 domain)




RE: [NTSysADM] Some advice needed about allowing local C: drive access

2017-02-17 Thread Kennedy, Jim
I would put a security filter on the GPO where the domain user in question has 
read, but not apply perms on that GPO.

Well, I would create a group and put that user in that group...but you get the 
idea.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Friday, February 17, 2017 12:40 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Some advice needed about allowing local C: drive access

I know I've read about this procedure somewhere, but I'm not finding it at the 
moment.

We have this application that writes out its debug log to c:\debug.
Now, we hide drive C: from domain users using GPO (User
Configuration/Policies/Administrative Policies/Windows Components/File 
Explorer/Hide these specific drives ("Restrict A.B.C")).

So what my help desk staff needs to do is to log onto these workstations (as a 
specific domain account), run the software, and need to be able to see, read 
(and optionally write to) this C:\Debug location, to identify/fix problems.
(this is the "Check21" check processing software, if anyone else uses it)

What I don't know is how best to do this.

Oh, sure, I could create a whole new GPO, without that "Hide drives"
setting, and limit it only to this one domain login. But is there a better, 
more efficient way to do this? I want C: drive hidden from the majority of my 
users, but do need certain logons that aren't limited this way.

And I don't want the logon to be local admin, or have any access other than 
just standard domain user (or I could use a Restricted Group).

Thoughts? Advice?
(Win 2008 R2 domain)
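
One way to script the security filtering suggested in the message above (a group that keeps Read on the GPO but is denied Apply). This is an added example, not part of any list member's post; the GPO name and group name are assumed placeholders, and it relies on the GroupPolicy and ActiveDirectory RSAT modules.

```powershell
# Added example: deny "Apply group policy" on the drive-hiding GPO for one group.
Import-Module GroupPolicy
Import-Module ActiveDirectory      # provides the AD: drive used by Get-Acl / Set-Acl

$GpoName   = 'Hide Local Drives'   # assumed name of the GPO carrying the hide-drives setting
$GroupName = 'HelpDesk-ShowDrives' # assumed security group containing the help-desk logon

# rightsGuid of the Apply-Group-Policy extended right in Active Directory
$ApplyGpoRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$gpo   = Get-GPO -Name $GpoName -ErrorAction Stop
$group = Get-ADGroup -Identity $GroupName -ErrorAction Stop

# The GPO's Path property is the distinguished name of its container in AD.
$adPath = "AD:\$($gpo.Path)"
$acl    = Get-Acl -Path $adPath

# Existing Read access (normally via Authenticated Users) is left untouched;
# only applying the policy is denied, and an explicit Deny wins over the Allow.
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $ApplyGpoRight)

$acl.AddAccessRule($deny)
Set-Acl -Path $adPath -AclObject $acl

# Read the ACL back and show every Deny entry on the Apply right.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $ApplyGpoRight } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

Group membership is evaluated at logon, so the help-desk account has to log off and on again before Resultant Set of Policy shows the GPO as filtered out for it.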




Re: [NTSysADM] Some advice needed about allowing local C: drive access

2017-02-17 Thread Erik Goldoff
use the SUBST command ?

SUBST Z: c:\debug

worth testing to see if you have access using Z: or does your GPO quash
this method ?

On Fri, Feb 17, 2017 at 12:34 PM, Michael Leone  wrote:

> I know I've read about this procedure somewhere, but I'm not finding
> it at the moment.
>
> We have this application that writes out its debug log to c:\debug.
> Now, we hide drive C: from domain users using GPO (User
> Configuration/Policies/Administrative Policies/Windows Components/File
> Explorer/Hide these specific drives ("Restrict A.B.C")).
>
> So what my help desk staff needs to do is to log onto these
> workstations (as a specific domain account), run the software, and
> need to be able to see, read (and optionally write to) this C:\Debug
> location, to identify/fix problems.
> (this is the "Check21" check processing software, if anyone else uses it)
>
> What I don't know is how best to do this.
>
> Oh, sure, I could create a whole new GPO, without that "Hide drives"
> setting, and limit it only to this one domain login. But is there a
> better, more efficient way to do this? I want C: drive hidden from the
> majority of my users, but do need certain logons that aren't limited
> this way.
>
> And I don't want the logon to be local admin, or have any access other
> than just standard domain user (or I could use a Restricted Group).
>
> Thoughts? Advice?
> (Win 2008 R2 domain)
>
>
>



[NTSysADM] Some advice needed about allowing local C: drive access

2017-02-17 Thread Michael Leone
I know I've read about this procedure somewhere, but I'm not finding
it at the moment.

We have this application that writes out its debug log to c:\debug.
Now, we hide drive C: from domain users using GPO (User
Configuration/Policies/Administrative Policies/Windows Components/File
Explorer/Hide these specific drives ("Restrict A.B.C")).

So what my help desk staff needs to do is to log onto these
workstations (as a specific domain account), run the software, and
need to be able to see, read (and optionally write to) this C:\Debug
location, to identify/fix problems.
(this is the "Check21" check processing software, if anyone else uses it)

What I don't know is how best to do this.

Oh, sure, I could create a whole new GPO, without that "Hide drives"
setting, and limit it only to this one domain login. But is there a
better, more efficient way to do this? I want C: drive hidden from the
majority of my users, but do need certain logons that aren't limited
this way.

And I don't want the logon to be local admin, or have any access other
than just standard domain user (or I could use a Restricted Group).

Thoughts? Advice?
(Win 2008 R2 domain)
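
Added example, not part of the thread: the "Hide these specific drives" setting discussed above is an Explorer shell restriction stored as a per-user bitmask, not a file-system permission. This PowerShell decodes that bitmask for the logged-on account and lists the NTFS permissions on C:\Debug, which are what actually control access; the registry value names are the ones these Explorer policies write and are not quoted from the thread.

```powershell
# Added example: compare the Explorer drive restrictions with the real ACL on the log folder.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$LogDir    = 'C:\Debug'   # path from the original post

function ConvertFrom-DriveMask {
    param([int]$Mask)
    # Bit 0 = A:, bit 1 = B:, bit 2 = C:, ... bit 25 = Z:
    0..25 |
        Where-Object { $Mask -band [int][math]::Pow(2, $_) } |
        ForEach-Object { '{0}:' -f [char](65 + $_) }
}

# NoDrives      = hide the drive icons in Explorer
# NoViewOnDrive = block browsing the drives from Explorer
$props  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
$report = foreach ($name in 'NoDrives', 'NoViewOnDrive') {
    $mask = 0
    if ($props -and $null -ne $props.$name) { $mask = [int]$props.$name }
    New-Object PSObject -Property @{
        Policy = $name
        Mask   = $mask
        Drives = (ConvertFrom-DriveMask $mask) -join ' '
    }
}
$report | Format-Table Policy, Mask, Drives -AutoSize
# A policy restricting A, B and C only shows Mask 7 and Drives "A: B: C:".

# Neither value changes who may open files; the folder's NTFS ACL does.
if (Test-Path -Path $LogDir) {
    (Get-Acl -Path $LogDir).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
} else {
    Write-Warning "$LogDir does not exist on this machine."
}
```

Run it in the session of the account being checked, since the policy values live under that user's HKCU hive.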




[NTSysADM] RE: tab in IE11

2017-02-17 Thread Melvin Backus
I'm not sure you can do this in IE11 as that functionality was supposedly
removed, but this might work as an alternative for your (possibly broken) program.
Not direct GPO but if it works it's a starting point.

https://ewingco.wordpress.com/2013/11/26/how-to-disable-tab-browsing-ie-11/


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David McSpadden
Sent: Friday, February 17, 2017 8:59 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] tab in IE11

I need to know what to set in Group Policy for IE11 32bit or 64 bit computers 
to disable the tabs.  I need to either just continue reusing the same tab or 
open whole new windows.

I have an app that has to be the default tab of the active window or it blows up.
Right now I have two settings in IE11 set in GPO but when opening this app it
goes to a new tab in the current window and if I 'tab' back to the original tab 
the app fails to work.

any ideas?



David McSpadden
System Administrator
Indiana Members Credit Union
P: 317.554.8190

This e-mail and any files transmitted with it are property of Indiana Members 
Credit Union, are confidential, and are intended solely for the use of the 
individual or entity to whom this e-mail is addressed. If you are not one of 
the named recipient(s) or otherwise have reason to believe that you have 
received this message in error, please notify the sender and delete this 
message immediately from your computer. Any other use, retention, 
dissemination, forwarding, printing, or copying of this email is strictly 
prohibited.


Please consider the environment before printing this email.



[NTSysADM] tab in IE11

2017-02-17 Thread David McSpadden
I need to know what to set in Group Policy for IE11 32bit or 64 bit computers 
to disable the tabs.  I need to either just continue reusing the same tab or 
open whole new windows.

I have an app that has to be the default tab of the active window or it blows up.
Right now I have two settings in IE11 set in GPO but when opening this app it
goes to a new tab in the current window and if I 'tab' back to the original tab 
the app fails to work.

any ideas?



David McSpadden
System Administrator
Indiana Members Credit Union
P: 317.554.8190