NT Folders

[kruptos]

Hello all,

Few questions...

1. I am in a NT4 Server Environment with 1PDC and 3BDC's. I have several folders inside a parent folder that need to always be there for mapping reasons. Is there a way to prevent all users(except for domain admin) from moving the folder away from its current directory??? We have had a problem with network users accidentaly moving the folder from where it is supposed to be, to a totally different place which is causing mapping issues. I just basicly want to "Lock" the folder into place so it can't be moved.

2. In NT4 Server is there a way to drop consistent shortcuts icons onto the desktop for all users that log on. I do not want to use a GPO based solution, I just prefer to be able to do like i can on 2000 where you just drop the shortcut into the "C:\Documents and Settings\All Users\Desktop" folder and it displays for all users. Any hints???

Thanks for your help in advance!!!!!

[cryptichavok]

For the first question . you can look in www.download.com and they have file lockers and the admiin could install that on the NT4 and he would have the password for those files

[576869746568617]

Correct me if I'm wrong, but Windows NT calculates permissions from the top down, and uses the most restrictive permissions for a given object. With that said, simply create a user group specifically for accessing that folder.

Set the group permission to that folder as read only Remove all other groups and users that have access to the folder, except the groups and users that you want to have greater than read only access. You can remove the Everyone group, but that may cause compatability issues with Win9x Clients. Do not remove any system accounts, or you'll have problems with backups and the like.

Add all the users/groups that you want to have read only access to the new group. Now check the permissions and make sure no account has "no access", as this is the most restrictive permission, and will cancel out all others. Also make sure that none of the accounts has any explicit permissions for the folder that are greater than read only access, because this will have the oposite effect.

So, what you should end up with is a bunch of users assigned to a group that has read only access, and the user's individual permissions are ser to the same. That should fix that problem.

As for the second problem, why not make shortcuts to the programs and store them on the server, then set the access permissions on the shortcut to give everyone read and execute permissions. You'll have to change the path on the shortcut so that it refers to a network path if the programs are to be accessed from the network rather than hosted on the local machine. Now, create a run once logon script that copies the shortcut to the desktop the first time the user logs on. That should fix problem #2.

EDIT: or use roaming profiles.....(Thanks MsMittens!, I forgot all about those!). And yes, MsMittens, you are correct about GPO. GPO is Win2K or higher only.

[MrLinus]

For question 1, AFAIK, short of a 3rd party util, I don't think there is a way to prevent users from moving folders/files if they have access to the directory (I'm assuming that the users have full access to this directory). It's been a while since I've fully played with NT so I admit being a bit rusty. If the owner of the directory is the admin, would users have ability to move it even if they have RW? (Im assuming no but..) I know if they have Execute rights they can make changes within a folder and Permission rights will allow them to change the permissions of that folder. So perhaps have the folder set with only Admin having Execute rights on the folder(?)

For question 2, AFAIK, Roaming Profiles should help with that (albeit a bit flaky). GPOs are Win2K only I thought?

[SDK]

I have two way to make this

1) Log as domain admin on a Windows XP machine, right click propriete, security, advanced, double click the user (domaine user) and you have a bunch of special access persmission.

2) With Windows NT 4.0 FULLY Patch, you can also. I don't realy know why but when I did a M$ Patch 2-3 months ago, my NTFS Security Windows got a strange Windows 2000 look! I can put a lot more NTFS permission that before with NT. But the best way is to use XP to set ntfs permission on the network drive.

[MrLinus]

Ummm.. stupid question, SDK, but if he's using NT how would he use the features of XP?

[ikalo]

NTFS and share permitions are all you need... it is simple:
1. for folders make read and execute premitions for all users (you can leave full control for admins and system)
2. for files in those folders you can play arround with a lot of combinations.

I think that you can find a lot of details and scenarios in Windows NT help... and you can always try support.microsoft.com ... or their Technet... or google... or whatever...

I'm getting tired.. time to go home I guess....

[SDK]

Originally posted here by MsMittens
Ummm.. stupid question, SDK, but if he's using NT how would he use the features of XP?

I'm pretty sure he have a Windows XP or Windows 2000 Machine around as a client. If doesn't, well, shot me please

[MrLinus]

But he didn't mention it. Even if he does have it as a client then the default permissions go down to that of the NT box (Legacy overrides security for Windows). So it'd be a moot point.

[SDK]

Windows NT Legacy Permission got update at some point in 2003. Don't ask me why and how M$ did that but on my Windows NT 4.0 SP6 Fully Patch Server, I can put Windows 2000/Xp NTFS Permission from the box itself (Not XP). If you want a screen-shot of that, send me a PM