General discussion


deny users access to local disks

By kez_97 ·
i have a problem where users are installing games and other programs on work machines i'm sick of re formatting the damn things all use win 2k pro but i have so far been unsuccesful in denying access to local drives and settings e.g. control panel etc i know in nt you can make "dumb" accounts but 2k allows too much access to the settings for my liking some help please people!



This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

by voldar In reply to deny users access to loca ...

Hmmm .. you said you have problems with user installing programs and games. I sugest you to make them simple users in your domain (they don't have the right to install programs on their computers), change the local administrator password and never give it to anyone. That's it! If the users have to share folders so that they can communicate - create only one folder in each user computer - under the local administrator account - and share it and that's it.

Collapse -

by voldar In reply to

And because you said they are using laptops - you can create on each laptop a profile that is not using the CD-ROM and make it the default profile. Then you make the users on the laptop part of simple users (and they again - have no rights to modify or install anything else). What I said before, about the domain users is applied also for local users.

Collapse -

by CG IT In reply to deny users access to loca ...

Viadolar has it, but most users don't need a CD Rom to do their work. Just remove the CD Rom [same with the floppy drive] or take the data cable off.

Collapse -

by jeaster In reply to deny users access to loca ...

Assuming you are using a domain, you can also use group policy to hide control panel, the local disks, and limit what programs a user can actually run.

Collapse -

by BudTheGrey In reply to deny users access to loca ...

All the above selections are perfectly viable. If you want to be even more heavy handed, you could purchase and install a program like:
Deep Freeze (,

Fool-Proof (, or

Clean Slate (

All of which protect the computer by returning it to a known state at power-up, un-doing any changes made by the user. At least one of them (FoolProof, I think) can lock down so hard that a "no-no" message is displayed if the users tries to drag a icon to a different area on the desktop.

All a matter of how far you want to go...

Collapse -

by abubin In reply to deny users access to loca ...

i think method will work but method 4 is a little extreme especially when you have to pay extra to handle things.

To add to those already good suggestions, here is what I would do (to make my life easy) :

Leave the cdrom in the system but disable it. either through hardware like disabling the secondary ide or through computer management (under removable storage) in each PC.

Or you can use group policy. Under group policy, you can make all CDROM as D drive and then disable access to D drive. OR you can specify to disallow installation of program from removable drives under "windows installer" group policy. But then this does not mean they can't copy the installation to HDD and then install from there.

I guess it all depends on how extreme you want to implement the policies. If the network is small, my preference would be to limit the cdrom access only to administrators. That way, if the users really need to use the cdrom, they just give you a call and you use "run as..." to give temporary access until the logoff.

If you have large clients, the best method is to use group policy but as you know group policy takes time. But then really have few methods to implement this. For example, you can allow only certain person to use cdrom (someone you can trust or manager). This cdrom is shared among a few person maybe among same deparment. So, blame it on this person if you find that department is playing games.

Hope it helps...

Collapse -

by Tink56 In reply to deny users access to loca ...

We resolved the problem completely by incorporating statements in our Information Security Policy that say before any software is installed on a PC you must get the approval of the IT department.

This not only prevents games and such from being installed; it protects us from unlicensed software being installed which creates a liability for the company.

All employees receive the policy when they are hired. I follow up with new employees a month later to see if they have any questions. Once a year, employees are encouraged to reveiw the policies and if any changes are made, everyone is required to read them and sign a statement saying they understand them.

If you violate the policy it could be grounds for termination. I developed all my policies for computer, internet and email use using some of the resources and downloads available on this site.

Collapse -

by kez_97 In reply to deny users access to loca ...

thanks for all the advice but the problem is they are laptops so are not always connected to the network meaning domain groups and rights need to work away from the office as well as in it i'm still stuck!

Collapse -

by montelski In reply to deny users access to loca ...

Have you tried to logon to the laptops as admin and set the user rights at the pc level ? Rights don't have to be administerd across a domain. They can be restricted at the pc for the user and/or user groups. You can tighten them down pretty tight.

Collapse -

by montelski In reply to

As Theresa said, that is good policy. I know people that have lost their jobs because the installed unauthorized software.

Related Discussions

Related Forums