Security Templates

When using Group Policies with ZENworks and Windows XP, you may find that users are able to create folders and files in the root of C:.
This is due to the change in the default security settings for drives between Windows 2000 and Windows XP.

You need to use the Security Template editor to create a template restricting rights to the C drive and deploy it with your group policies. The same procedure can be used to create a Security Template for use with Active Directory.

Instructions:

  1. Open MMC from Run
  2. Choose Add/Remove Snap-in
  3. Add Security Templates and click Close
  4. By default this only shows C:\Windows\security\templates. I prefer to store mine on the network, so add a new network folder.
  5. Right-click (RC) Security Templates and add a New Template Search Path pointing to the network folder
  6. You can then either copy an existing template (RC on the template and Save As to the network folder) or start from scratch.
  7. Expand the chosen template, then the File System folder
  8. RC either on the File System object or in the right-hand pane and choose Add File
  9. Click C: and OK; it should expand to %SystemDrive%
  10. You can now adjust the permissions for the default groups.
  11. When finished, make sure to RC on the template and click Save. You can also set a description before saving.

I recommend going into Advanced and removing the two entries for Users that allow them to Create Folders and Create Files. This will prevent students and users from creating files on the C: drive.

You can create similar entries for other folders such as Program Files, etc. You can also allow students access to a folder if required by certain programs or groups. Remember that under Novell, because the computers are not part of a domain, you cannot use items you have added such as groups or individual users.
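As an added example (not part of the original post), this Python script checks a saved template before it is imported: it reads the [File Security] section and reports any allow entry that still grants Users (SDDL alias BU) the Create Files or Create Folders right. The sample template text, the function names and the assumption that the .inf file has already been decoded to text are assumptions of this example.

```python
import re

# Access-mask bits behind "Create Files" (0x2) and "Create Folders" (0x4).
CREATE_BITS = 0x2 | 0x4
# SDDL two-letter rights and their masks; generic rights (GA, GW, GR, GX)
# are expanded to their file-specific equivalents.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000, "FA": 0x1F01FF, "FR": 0x120089,
          "FW": 0x120116, "FX": 0x1200A0, "GA": 0x1F01FF, "GW": 0x120116,
          "GR": 0x120089, "GX": 0x1200A0}

# Constructed sample: a template that still carries both Users create entries.
SAMPLE = r'''[Version]
signature="$CHICAGO$"
[File Security]
"%SystemDrive%\",0,"D:AR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)(A;CI;LC;;;BU)(A;CIIO;DC;;;BU)"
"%ProgramFiles%",0,"D:AR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
'''

def rights_mask(rights):
    """Turn an SDDL rights field (hex or two-letter tokens) into a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS[rights[i:i + 2]]
    return mask

def risky_entries(template_text, trustees=("BU",)):
    """Return (path, trustee, inherit_flags, rights) for each allow ACE in
    [File Security] that lets a listed trustee create files or folders."""
    findings, in_section = [], False
    for line in template_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[file security]"
            continue
        m = re.match(r'"([^"]*)"\s*,\s*\d\s*,\s*"([^"]*)"', line)
        if not in_section or not m:
            continue
        path, sddl = m.groups()
        for ace in re.findall(r"\(([^)]*)\)", sddl):
            f = ace.split(";")
            if len(f) >= 6 and f[0] == "A" and f[5] in trustees \
                    and rights_mask(f[2]) & CREATE_BITS:
                findings.append((path, f[5], f[1], f[2]))
    return findings

if __name__ == "__main__":
    for finding in risky_entries(SAMPLE):
        print(finding)
```

An empty result for a path means the two Users entries were removed from that path in the template; it does not show what is applied on a workstation.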

Adding to Group Policy in ConsoleOne

  1. Open up the WS Policy Package, Windows XP tab and the Windows Group Policy item.
    If you are using Zen 7, continue. If you are using Zen 6.5, click Edit and jump to point 3 in the Active Directory section below.
  2. Click Import Policies
  3. Click Import Security Settings File and browse to the security template you created and import.
  4. Make sure Security Settings is ticked under Applied Settings Types
  5. Click OK to save

Adding to Group Policy in Active Directory

  1. Open Group Policy Management console
  2. Browse to the chosen GPO or create a new one, and go to Edit mode.
  3. Expand Computer Configuration -> Windows Settings -> Security Settings
  4. RC on Security Settings and choose Import Policy
  5. Browse to the security template you created and click Open. You may also wish to clear any existing settings in the GPO.
  6. Exit Edit mode

Multiple Security Templates can be created for different machines.
We allow staff to create files on C: (mainly to keep personal photos and music off the network), so we have separate Security Templates for Staff and Student PCs.

About James Rudd

Network Administrator at Sydney Boys High School
This entry was posted in Active Directory, Novell, Windows.
