Restrict Drive Access

[Dell and Rodney]

I have 4 partitions on my server. I want to be able to restrict 3 of them and allow one to be used to allow people to use and browse. I created a GPO and have an option which allows me to do that but not necessarly the way i want it i.e. restrict all drives, restrict A and B, restrict A, C, D etc etc but it doesnt make a lot of sense. Could someone advise please

Cheers

[valter]

How can users browse anything on the server unless it's shared!? Why would you restrict access to server partition when it's already restricted ... the only share by default is the "$" (admin) share ...

[Dell and Rodney]

Well what i mean is to have 1 drive that users can use and browse. I dont want them to be looking in the C:\ drive

Why would you restrict access to server partition when it's already restricted

I logged in as this user and i could browse around C:\ drive which is something i dont want to allow

Cheers

[valter]

Well what i mean is to have 1 drive that users can use and browse. I dont want them to be looking in the C:\ drive

Why would you restrict access to server partition when it's already restricted

I logged in as this user and i could browse around C:\ drive which is something i dont want to allow

Cheers

<{POST_SNAPBACK}>

you mean you're logged in as a user phisicaly on the server or from the workstation?

[Dell and Rodney]

Im logged into the server (not from a workstation) as a limited user via the GP ive set up, sorry for the confusion.

Limited User (logged onto the server) - Drive C, D, E, F and G - Allow access to ONLY E drive and restrict access to others however still allowing users run programs such as Microsoft Office etc

[valter]

Maybe you should modify default domain controller policy ... anyway, users are not suppsed to log in onto server (phisicaly)

[Bad boy Warrior]

This is a good question but what if i didnt want to allow some users to view my drives content???????? - the GPO only has daft sequences such as Restrict Drive A or A and B or A, B and C - so far i thought about removing share access and putting in peeps names that i want to allow access (right click the drive then sharing/ security) but dont know if thats recommended

[jondercik]

First off, like others have said users should NOT be logging on to servers directly AT ALL.

Secondly, the way to restrict what they can see is by using ntfs permissions look them up. They should only be accessign servers by shares. Anything else is wrong.

[tguy]

You can use CACLS.EXE or XCACLS.EXE from the resource kit to set NTFS permissions on the drive partitions you wish to restrict.

Make sure the Everyone group and Users group (Windows 2003) are removed from the ACL list. Be careful when you do this though as it may break some applications.

Like the others said, users should not be logging on to the server console, only to shares on the server. Restrict their access at the share level.

If it is application developers, or junior admins, etc. use restricted permissions.

Hope this helps.

[Bad boy Warrior]

First off, like others have said users should NOT be logging on to servers directly AT ALL.

Secondly, the way to restrict what they can see is by using ntfs permissions look them up. They should only be accessign servers by shares. Anything else is wrong.

I was only offering an opinion to D&R, which is why i wrote if it may not be recommended as im fairly new to Windows Server 2003 and thought to share an idea.