Default drive C permissions?

Status
Not open for further replies.

pinkpanther56

Technical User
Jun 15, 2005
807
GB
I notice that even on a fresh install of XP SP2 that the creator owner group have full permissions, everyone are limited to read and execute. After discovering a few folders that seem to have been created by either spyware or rogue apps I'd like to remove this.

1. Who here removes the creator owner group from the root of the C: drive?

2. What problems is this likely to cause?

3. How can I go about removing this access on clients that are already on the network?

Thanks for any input.
 
I notice that even on a fresh install of XP SP2 that the creator owner group have full permissions, everyone are limited to read and execute.

Is this true? - that is you don't mention that system and administrators also have full permissions (generally the creator is also administrator).

If you don't use internet from Administrator level accounts, you greatly reduce the chance of what you have had happening.

1. I don't remove creator/owner - can't see the point.
2. Don't know as don't do it, but can't see problems as system and administrators will still have full permissions.
3. What does being already on the network have to do with changing permissions? Or are you asking how to change lots of machines remotely?

As I mentioned earlier, best approach afaik is to use limited accounts for internet access.
 
"You might see an account with the name "Owner" when you first log on. The owner account, with computer administrator privileges, is created during installation if no user accounts are set up at that time. You can rename this account with a user's name".

In SP2 this is listed as "Creator Owner" with no boxes checked under the Permissions, except for "Special Permissions". By checking for "Creator Owner" under Advanced/ Effective Permissions, you can see the Permissions for the Owner. On this machine, there were no boxes checked in Effective Permissions, which means that it has no access whatsoever.

Users listed under the Security Tab of C: -

Administrators
Creator Owner
Everyone
System
Users

How To Reset Security Settings Back to the Defaults

How to apply the same Group Policy to many machines in a Workgroup environment.
faq779-5596

Script/Batch changing file permissions?
thread779-1300502
 
wolluf, yes, the admin and system permissions are listed as well.

Linney, these are domain machines and everyone logs on as a restricted user so they can't write data to Program Files or Windows. I've noticed that even though they can't see the C: drive it is possible for them to create folders or files in the root of C:.

If they manage to do this then the user is listed as creator owner and has full permissions when you view the advanced NTFS permissions. I'd like to make it so users cannot create folders at all.
 
If the users don't belong to any groups defined to have security access to the C: drive, then they shouldn't be able to create anything in the root (are there other permissions there you haven't mentioned?). How is it possible for them to create files/folders, especially as they can't see C:? (Is it the users or a system process? If it is the users, is it intentional, i.e. do you have clever users who are trying to circumvent security?) As I said earlier, I can't see why removing creator/owner would cause problems. Why not try it out on one machine and see if:

1. It does/doesn't cause problems
2. It stops the creation of files/folders under C:.
 
Well, I suspect it's an app that some users are running off the net, like a Java game, that sometimes created the folders. I also suspect these students are trying to get around security and maybe installing apps in the directory, e.g. Firefox Portable.

If I log on to a standard XP SP2 box as a restricted user I can create a folder in the root of C:. Have you tried this?

The permissions on C are:

Administrators: FULL
CREATOR OWNER: Special permissions (if I create a folder as a student, their username shows as the OWNER and they have FULL special permissions).
Everyone: READ
SYSTEM: FULL
Users: READ


Thanks.
 
Yes, by default, a limited user is able to create a folder in the root of a drive, and then as he is the owner of the folder he can then create files in that owned folder. A limited user is not able to create files in the root of a drive. This seems to hold for both XP and Vista.

By fine tuning the permissions, see the earlier link, you can prevent the creation of folders too.
 
Right, cheers, I'll take a look at that.

Do you know if it's possible to set permissions as a station builds off our RIS server, an unattend.txt option maybe, or will I have to script this once Windows is installed?

Thanks.
 
OK, that worked, so now I only see Admins, System and Users on the root of C:.

I had a look at the Windows folder and noticed that Creator Owner also has FULL special permissions there, but they can't create folders in there.

Any chance you can put my mind at rest and explain that? I'm feeling a bit confused.

Thanks.
 
Not really, now you see why I am happy to plod along with Default Settings, life is so much simpler.

Is it inheriting anything from the C: drive permissions? Conversely, is it NOT inheriting the permissions you set for C:? Have a look at Inheritance, and I don't mean what your rich relative may have left you in their will.

"How Inheritance Affects File and Folder Permissions"

Set permissions for folders and files

Have a look at this tool, it may come in handy?

SubInACL (SubInACL.exe)
 
OK, I think I've worked it out. Windows and Program Files are not set to inherit permissions, so changing the C: drive root permissions doesn't affect them.

The difference is in the advanced permissions area: you can select a number of options from the 'Applies to' drop-down box when editing the advanced permissions. In these areas the drop-down is set to 'Subfolders and files only', not 'This folder, subfolders and files', so the creator owner 'write' permissions never apply to the current folder.

Bit odd but that seems to be it.

Thanks for your help along the way.
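
The finding in the post above, that an entry scoped to 'Subfolders and files only' is never evaluated on the folder that carries it, can be checked per folder from PowerShell. This is an added example and not part of the thread; the function name Get-AceScope and its output columns are made up for illustration, and it assumes PowerShell 2.0 or later on the client.

```powershell
# Added example (not from the thread): list each ACE on a folder and say
# whether it applies to the folder itself or only to objects created below it.
function Get-AceScope {
    param([Parameter(Mandatory = $true)][string]$Path)

    # CreateDirectories (= AppendData) and CreateFiles (= WriteData), plus the
    # generic rights that imply them: GENERIC_ALL and GENERIC_WRITE.
    $create  = [int][System.Security.AccessControl.FileSystemRights]'CreateDirectories, CreateFiles'
    $generic = 0x10000000 -bor 0x40000000
    $ioFlag  = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $trusted = 'S-1-5-32-544', 'S-1-5-18'   # BUILTIN\Administrators, SYSTEM

    # Ask for SIDs so the trusted check does not depend on localized names.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }        # unresolvable SID: show it raw

        # InheritOnly is what the GUI shows as "Subfolders and files only":
        # the ACE is passed to children but never evaluated on $Path itself.
        $inheritOnly  = ([int]$ace.PropagationFlags -band $ioFlag) -ne 0
        $scope        = if ($inheritOnly) { 'children only' } else { 'this folder' }
        $grantsCreate = ($ace.AccessControlType -eq 'Allow') -and
            (([int]$ace.FileSystemRights -band ($create -bor $generic)) -ne 0)

        New-Object PSObject -Property @{
            Path          = $Path
            Identity      = $name
            Rights        = $ace.FileSystemRights
            AppliesTo     = $scope
            Inherited     = $ace.IsInherited
            CanCreateHere = $grantsCreate -and -not $inheritOnly
            Trusted       = $trusted -contains $sid.Value
        } | Select-Object Path, Identity, Rights, AppliesTo, Inherited, CanCreateHere, Trusted
    }
}

# Entries that let anyone other than Administrators or SYSTEM create
# files or folders directly in each of these folders.
'C:\', $env:windir, $env:ProgramFiles | ForEach-Object {
    Get-AceScope $_ | Where-Object { $_.CanCreateHere -and -not $_.Trusted }
}
```

A CREATOR OWNER entry reported as 'children only' grants nothing on the folder itself; it only becomes an entry for the creating user on objects created beneath it.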
 