Windows XP Community - XPHeads




Keeping a user captive in XP - restricting writes, directories, etc.

microsoft.public.windowsxp.security_admin


  #1 (permalink)  
Old 05-15-2008, 09:05 PM
giantcrazy@gmail.com
 
Posts: n/a
Keeping a user captive in XP - restricting writes, directories, etc.
Hi all-

Does anyone know if there's a way to limit where a user can write to
in XP? Preferably without add-on software, but if commercial access
control software is required, recommendations are helpful.

Without getting into the long and short of it - I have some machines
that are going to be shared, all amongst authorized users. I'd rather
that the users don't see each other's data (which, just using NTFS
permissions would be sufficient if the users behaved properly), so I'd
like to do two things - one, keep all writes (except for operating
system patches/updates/caches/etc.) off the C: drive and into a
designated area (think sandbox, but not quite). Two, I'm going to
devise a set of scripts that would run at logon and logoff, to cleanse
this area to ensure that no data from the prior user has been left
behind.

Anyone know if what I'm suggesting is feasible/doable? I've never
tried to keep a user completely off C: before, and the research I've
done thus far indicates it's not possible. It is very similar to most
Citrix deployments, where a thin-client user would be given a C:\
that's read-only (to them at least).

Any advice is greatly appreciated!

-GC
  #2 (permalink)  
Old 05-15-2008, 09:33 PM
Shenan Stanley
 
Posts: n/a
Re: Keeping a user captive in XP - restricting writes, directories, etc.
giantcrazy@gmail.com wrote:
> Does anyone know if there's a way to limit where a user can write to
> in XP? Preferably without add-on software, but if commercial access
> control software is required, recommendations are helpful.


File and Folder permissions (NTFS.)

> Without getting into the long and short of it - I have some machines
> that are going to be shared, all amongst authorized users. I'd
> rather that the users don't see each other's data (which, just
> using NTFS permissions would be sufficient if the users behaved
> properly), so I'd like to do two things - one, keep all writes
> (except for operating system patches/updates/caches/etc.) off the
> C: drive and into a designated area (think sandbox, but not quite).
> Two, I'm going to devise a set of scripts that would run at logon
> and logoff, to cleanse this area to ensure that no data from the
> prior user has been left behind.


Unless you have given your users too much power on the local machine - they
should not be able to see one another's files anyway.

> Anyone know if what I'm suggesting is feasible/doable? I've never
> tried to keep a user completely off C: before, and the research I've
> done thus far indicates it's not possible. It is very similar to
> most Citrix deployments, where a thin-client user would be given a
> C:\ that's read-only (to them at least).
>
> Any advice is greatly appreciated!


I'm really having trouble seeing what it is you are trying to accomplish vs.
just using NTFS file/folder permissions. I have managed machines that had
potentially 40,000 users per machine (whole open labs for universities) and
no matter how many users accessed a given machine during a given period of
time - I had no worries that one user could see/affect another user's files.

Please explain this statement in full...

"... which, just using NTFS permissions would be sufficient if the users
behaved properly ..."

Are you trying to resolve a social/training issue with technology?

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


  #3 (permalink)  
Old 05-16-2008, 12:57 AM
giantcrazy@gmail.com
 
Posts: n/a
Re: Keeping a user captive in XP - restricting writes, directories, etc.
Shenan-

The problem is I can't guarantee that these users won't have
administrative rights. That's why the goal here is to combine the
NTFS permissions with a cleanup utility, either scripts or software,
that would take all the files created by the previous user and delete
them. Granted, there are pitfalls there too (people can bypass
startup scripts, etc.), but I want to attack the problem on as many
levels as possible.

Thanks,
-GC


On May 15, 5:33 pm, "Shenan Stanley" <newshel...@gmail.com> wrote:
>
> Please explain this statement in full...
>
> "... which, just using NTFS permissions would be sufficient if the users
> behaved properly ..."
>
> Are you trying to resolve a social/training issue with technology?
>
> --
> Shenan Stanley
> MS-MVP
> --
> How To Ask Questions The Smart Way
> http://www.catb.org/~esr/faqs/smart-questions.html


  #4 (permalink)  
Old 05-16-2008, 01:08 AM
Shenan Stanley
 
Posts: n/a
Re: Keeping a user captive in XP - restricting writes, directories, etc.
giantcrazy wrote:
> The problem is I can't guarantee that these users won't have
> administrative rights. That's why the goal here is to combine the
> NTFS permissions with a cleanup utility, either scripts or software,
> that would take all the files created by the previous user and
> delete them. Granted, there are pitfalls there too (people can
> bypass startup scripts, etc.), but I want to attack the problem on
> as many levels as possible.


So - as I said - you are trying to fix a social issue with software. This
is a problem that needs to be fixed with policies/procedures and tangible
consequences.

As you seem to know - nothing you do - if the user has administrative
rights - will have the impact it needs. :-(

If the users have roaming profiles - you could change group policies so that
the profile is deleted after it is uploaded back to the server (when the
user logs off.)

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


  #5 (permalink)  
Old 05-16-2008, 01:22 AM
giantcrazy@gmail.com
 
Posts: n/a
Re: Keeping a user captive in XP - restricting writes, directories, etc.
Not quite a social issue as much as an environmental issue - this is a
large corporate environment which is unfortunately in a pre-merger
state, so there are a lot of complications along the way. If it was
as simple as ensuring that all the users were not granted admin rights
or applying some policy enforcements at the domain level, I'd be a lot
better off :-(

That said - I realize that containing and cleansing the users is
somewhat kludgey, but after examining the parameters that I have to
work with (the need for a solution yesterday, unwillingness of various
administrative groups to work together towards a solution), it's the
only choice I've got.

Besides, after having the suggestion pop up in one of the calls
regarding the requirement, I'm curious more than anything. Is there
any reliable way to force a user into a very limited set of
directories?


On May 15, 9:08 pm, "Shenan Stanley" <newshel...@gmail.com> wrote:
> So - as I said - you are trying to fix a social issue with software. This
> is a problem that needs to be fixed with policies/procedures and tangible
> consequences.
>
> As you seem to know - nothing you do - if the user has administrative
> rights - will have the impact it needs. :-(
>
> If the users have roaming profiles - you could change group policies so that
> the profile is deleted after it is uploaded back to the server (when the
> user logs off.)
>
> --
> Shenan Stanley
> MS-MVP
> --
> How To Ask Questions The Smart Way
> http://www.catb.org/~esr/faqs/smart-questions.html


  #6 (permalink)  
Old 05-18-2008, 01:03 AM
Jean Rosenfeld
 
Posts: n/a
Re: Keeping a user captive in XP - restricting writes, directories, etc.
Maybe Windows SteadyState would let you do what you want.

http://www.microsoft.com/windows/pro...s/default.mspx


<giantcrazy@gmail.com> wrote in message
news:1d4cf5d8-ecf4-4159-b38d-0d371faf0c66@c65g2000hsa.googlegroups.com...
> Hi all-
>
> Does anyone know if there's a way to limit where a user can write to
> in XP? Preferably without add-on software, but if commercial access
> control software is required, recommendations are helpful.
>
> Without getting into the long and short of it - I have some machines
> that are going to be shared, all amongst authorized users. I'd rather
> that the users don't see each other's data (which, just using NTFS
> permissions would be sufficient if the users behaved properly), so I'd
> like to do two things - one, keep all writes (except for operating
> system patches/updates/caches/etc.) off the C: drive and into a
> designated area (think sandbox, but not quite). Two, I'm going to
> devise a set of scripts that would run at logon and logoff, to cleanse
> this area to ensure that no data from the prior user has been left
> behind.
>
> Anyone know if what I'm suggesting is feasible/doable? I've never
> tried to keep a user completely off C: before, and the research I've
> done thus far indicates it's not possible. It is very similar to most
> Citrix deployments, where a thin-client user would be given a C:\
> that's read-only (to them at least).
>
> Any advice is greatly appreciated!
>
> -GC
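
The two-part plan in the original question (a designated area protected by NTFS permissions, wiped by logon and logoff scripts) as an added example that is not part of the thread. It assumes a hypothetical root `D:\Scratch` on which Users may create folders, uses XP's built-in `cacls`, and is meant to be assigned as both the logon script (argument `logon`) and the logoff script (argument `logoff`); as the replies note, it does not hold against a user with administrative rights.

```batch
@echo off
rem Added example: per-user scratch area, ACL-restricted at logon, wiped at logoff.
rem SCRATCH_ROOT is a hypothetical path; Users need "create folders" rights on it.
setlocal
set "SCRATCH_ROOT=D:\Scratch"

rem Guard: never build a path from an empty user name (would target the root).
if "%USERNAME%"=="" exit /b 1
set "AREA=%SCRATCH_ROOT%\%USERNAME%"

if /i "%~1"=="logon"  goto :logon
if /i "%~1"=="logoff" goto :logoff
echo usage: %~nx0 logon^|logoff
exit /b 2

:logon
rem A skipped or failed logoff script may have left data behind; clear it first.
if exist "%AREA%" rd /s /q "%AREA%"
if exist "%AREA%" exit /b 1
md "%AREA%" || exit /b 1
rem Replace the folder's ACL (no /E): this user gets Change, Administrators
rem and SYSTEM get Full. "echo y" answers the cacls confirmation prompt.
echo y| cacls "%AREA%" /T /G "%USERDOMAIN%\%USERNAME%":C Administrators:F SYSTEM:F >nul
exit /b %errorlevel%

:logoff
if exist "%AREA%" rd /s /q "%AREA%"
rem rd cannot remove files that are still open; signal the failure to the caller
rem so leftover data is noticed instead of silently surviving the session.
if exist "%AREA%" exit /b 1
exit /b 0
```

Because each user's folder is readable only by its owner, Administrators and SYSTEM, data that survives a failed logoff wipe stays unreadable to the next non-administrative user until that owner's next logon clears it.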



All times are GMT. The time now is 12:03 PM.