programming an acl program

[Sn00f]

hi,

Just wanted to know if an ACL program which is able to authorise /or not the writing of special file type in a folder, for exemple c:\docs will only be able to store .doc file, or user can only write .doc files in this folder?

OR is it possible to write a program to manage this?

Thank you for your answers :-)

Sn00f

[pthomas]

Ok, curiosity is getting the best of me. Why would you want to do that? Please don't say its just to organize files...

Paul

[Sn00f]

I'm working in a school and wanted to oblige people to save their documents in specified directories so that they don't polluate the system partition with pdf files or xls files. It is also easier to backup disks when moving user to other computer and so on....

anybody else have ideas?

[pthomas]

Well, it's not an ACL program, but I suppose that one way you could do it would be to have a script that deletes all files except ones with the extensions you specify. Then just schedule a task to run each needed batch file like once every 10 minutes or so.

So you'd have a file called like delDoc.bat that deletes all files out of the c:\docs directory that are not .doc files.

one idea,

Paul

[Sn00f]

I can be usefull when for example you want to allow the computer writing .tmp file on c:\ partition, but restrict the user (with only user rights) not writing his documents there. We can't do that with acl's I think.

I don't want to schedule a file deletion, but a restriction of writing there.

For example I don't want them to save downloaded virused .exe files in their documents zone, but they would be able to save their .doc , xls, pdf....., would be some kind of security.....

another example, I have to let write access to c:\ for administrative working tasks, but when I let them write there, they polluate the computer with their files, and it is very hard to save their data from a computer to another...

[pthomas]

Sounds like roaming profiles would work a bit better instead of trying to restrict everything based on file type. Then you could redirect the user's desktop, mydocs and stuff to a network server share and all of this is transparent to the user. Plus is a system goes down, there's now worry about loosing data because it's all on the server.

Setup local security settings so the users don;t have write access to the c:\ drive (that would fulfill restricting the user's write access). Then they can;t populate files all over the computer, have limited access and all of their data is stored on a central location making it all easy to be backed up.

I'm thinking that you're going to have to hop through too many loops to be able to restrict directories based on what type of file. Plus the smarter users could rename their .exe files to a .doc and still put them in the .doc only folder.

As for saved virus-infected files, thats what NAV corp is for

Just my 2 cents,

Paul

[Sn00f]

sorry pthomas, I was on trip for my work ....

Many users on my network are bad on computers.

I thought of that just for better maintenance, adn I didn't know if this was possible to program...

For the renaming problem, it is not a problem.....

I have to give write access for example on c:\ , but I soon as i made that, many users saved their .doc file on root directory....I don't want that! they have to be disciplined. :-)

[pthomas]

Yeah, at the place where I work users tend to beat the snot out or their PCs as well. I'm mostly fighting spyware or trying to figure out how they managed to delete their taskbar or weird stuff like that.

If you've got the space on a network server, then roaming profiles are the way to go to ease your headache with backups and to keep the computers clean. But its a constant battle isn't it?

I've got a lady that works up at our front desk thats quite frankly about as computer stupid as one can get. I was actually chewed out because I upgraded her PC froma 400mhz celery to an XP1800 (officeXP to 2003). And of course stuff was different, hence the new PC. She thought that I "deleted the network" because the shortcuts that XP creates when you browse to different places weren;t there on her new PC.

*sigh*

I'm sure that a program like what you're wanting can be written, but I'm not sure where to start on that one. You can hire a programmer on-line (do a google search there's quite a few websites). I'm only in my 2nd year on my BS degree in computer science, but even with all the programming I've done, I don;t think I could program it!

Go the easy way....discipline them all!!!!

Paul

[Jito463]

This is your lucky day

http://www.faronics.com/html/deepfreeze.asp

Deep Freeze is an awesome tool. I've played with a trial of it and it works. Here's a quote from their website:

Deep Freeze instantly protects and preserves original computer configurations. Completely invulnerable to hacking, Deep Freeze makes computing environments easier to manage and maintain. Each restart eradicates all changes and resets the computer to its original state, right down to the last byte.

You can also specify "unfrozen" areas where they can save their documents and they will not be overwritten, but if they save anywhere else - upon reboot - everything is reset back to the way it was when DF was installed. We're playing with using it on our demo machines at work so customer's can't break the systems. Or if they do, we just reboot to get it back in working order

[Sn00f]

hihihi Paul, your users are as good as mine ! Mine also say the computer doesn't work anymore when a desktop icon has moved or when we upgrade some stuff....

awesome!

They already have a network shared place where they can put all their files but all the department can view their personal things if they put this inton that place. And I don't want to create a personal workplace on the network for 600 people ! :/

That's why we actually have a partition on local drives where they can polluate as much as they want...

Thanks also to Jito463, We use norton ghost corporate, and we col clone every night if we wanted to but those admins (school personal) would cut my neck if I would do so !!

I would appreciate any program which would tell the user: "You can't write your .doc here !!" ...