question

SreekumarSreevalsan-8494 avatar image
0 Votes"
SreekumarSreevalsan-8494 asked SreekumarSreevalsan-8494 action

User access restriction to only user profile

Hi Team,

How can I restrict a user to only access his profile C:\Users\exampleuser1.

Rest everything should be locked such as folders in C drive the user shouldn't be able to create any folders in C drive or any.

Standard read or write access to Program Files or Windows should maintain as is.

Usage applies to all users in the Active Directory.

windows-10-security
· 2
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Reza-Ameri avatar image Reza-Ameri ·

Would you mind explain why you are looking for this case?
Enforcing such restriction would stop several programs and application from working because user need access to those locations and applications would need read and write permission.
Alternative could be using the Kiosk mode which you restrict users to run specific applications.

0 Votes 0 ·
SreekumarSreevalsan-8494 avatar image SreekumarSreevalsan-8494 Reza-Ameri ·

Thank you for replying to my question.
The need is management's decision of employees not to keep their files in C drive. Rather restricting the user to see his/her files.

Example scenario

A common computer in marketing department have two user with one drive named C
1) user1 with profile saved in c:\users\user1
2) user2 with profile saved in c:\users\user2

User1 or user2 should not create any personal folders in C Drive
User1 should be able to access his/her files in c:\users\user1
User2 should be able to access his/her files in c:\users\user2

0 Votes 0 ·

1 Answer

FanFan-MSFT avatar image
0 Votes"
FanFan-MSFT answered SreekumarSreevalsan-8494 commented

Hi,
User permissions on the C drive were assigned as following by default:
91519-4277.jpg

When i changed the permission for the authenticated users to have permission as following:
91590-4278.jpg
Then users can only write data to their own profiles.
They don't have write permission to C drive.
And this applies to all the users log to this computer.

If you want to deploy the permission on all the computers
You can configure the permission through group policy under Computer Configuration” ➔ “Policies” ➔ “Windows Settings” ➔ “Security Settings” ➔ “File System”
Best Regards,


4277.jpg (50.7 KiB)
4278.jpg (66.9 KiB)
· 2
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

FanFan-MSFT avatar image FanFan-MSFT ·

Hi,
 
Just want to confirm the current situations.
If there's anything you'd like to know, don't hesitate to ask.

Best Regards,

0 Votes 0 ·
SreekumarSreevalsan-8494 avatar image SreekumarSreevalsan-8494 ·

Hello,

thanks for the wonderful reply, had gone to the policy setting which you have mentioned below
If you want to deploy the permission on all the computers
You can configure the permission through group policy under Computer Configuration” ➔ “Policies” ➔ “Windows Settings” ➔ “Security Settings” ➔ “File System”

The same is not show as attached in the figure below, can you please advise
93506-gpoquestion1.png


0 Votes 0 ·
gpoquestion1.png (14.1 KiB)