Folder redir permissions
Hello!
I have documents and similar folders redirected to disk D, and I did not grant exclusive access, because I want administrators to have access. But if I don't grant exclusive access, all authenticated users (even guest!) HAVE read-only access.
So how do I prevent common users and guests from reading other people's stuff? Or how to allow administrators ONLY to read other people's stuff?
Thank you for your time.
April 11th, 2010 4:02pm
This KB article is a good start when it comes to permission problems with folder redirection: http://support.microsoft.com/default.aspx/kb/274443?p=1. Consider setting these ACLs only for testing.
Blogging about Windows for IT pros at www.theexperienceblog.com
April 13th, 2010 8:59am
It took me a long time, but I got it running. It's pretty universal; everyone should be able to use this script after removing rights for PC Admins (or adding such a group/user).
Const HKEY_CURRENT_USER = &H80000001

' Registry provider and shell object for the logged-on user's session
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
Set objShell = CreateObject("WScript.Shell")
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"

' Value names under Shell Folders: Downloads, Contacts, Desktop, Favorites,
' My Music, My Pictures, My Video, My Documents (Personal)
arrValueNames = Array("{374DE290-123F-4565-9164-39C4925E467B}", _
    "{56784854-C6CB-462B-8169-88E350ACB882}", _
    "Desktop", "Favorites", "My Music", "My Pictures", "My Video", "Personal")

' Groups that receive Full control (F); replace DOMAIN and remove or change "PC Admins" as needed
strGrants = """DOMAIN\Enterprise Admins"":F ""DOMAIN\Domain Admins"":F Administrators:F ""DOMAIN\PC Admins"":F"

For Each strValueName In arrValueNames
    oReg.GetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, strValue
    ' Skip folders that have no entry for this user
    If Not IsNull(strValue) Then
        'WScript.Echo "Current folder (" & strValueName & "): " & strValue
        ' /T = recurse, /E = edit the existing ACL instead of replacing it, /G = grant
        ' The path is quoted so that folder names containing spaces work
        objShell.Run "cacls """ & strValue & """ /T /E /G " & strGrants, 0, False
    End If
Next
April 19th, 2010 11:42pm
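
An added example, not part of the original posts: a PowerShell audit that lists redirected folders on which broad groups (Everyone, Authenticated Users, Users, Guests, Domain Users, Domain Guests) hold an Allow entry, which is the condition described in the question. The `D:\Redirected` root and the function name `Get-BroadAccess` are assumptions made for illustration.

```powershell
# Added example: audit redirected folders for access granted to broad groups.
param(
    [string]$Root = 'D:\Redirected'   # assumed placeholder, not taken from the thread
)

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users, BUILTIN\Guests
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-32-546'
# Domain Users (-513) and Domain Guests (-514) carry a domain-specific prefix
$domainBroad = '^S-1-5-21-.*-51[34]$'

function Get-BroadAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs so the check does not depend on localized group names
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        $isBroad = ($broadSids -contains $sid) -or ($sid -match $domainBroad)
        if ($ace.AccessControlType -eq 'Allow' -and $isBroad) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True means the entry comes from a parent folder
            }
        }
    }
}

# Check each user's top-level folder and the folders directly beneath it
Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    Get-BroadAccess -Path $_.FullName
    Get-ChildItem -LiteralPath $_.FullName -Directory |
        ForEach-Object { Get-BroadAccess -Path $_.FullName }
} | Format-Table -AutoSize
```

Rows with `Inherited` set to True point at the parent folder or share root as the place where the broad entry is defined.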