timex

New Member
Joined
Dec 10, 2012
Messages
2
Hi,
I have this problem for which I couldn't figure out the solution on my own.

I am using Win7 Home 64 and I have created second user account on it.

My goal is basically to restrict this account from any access besides Program Files Windows folder and his user profile (C:\Users\SecondUser\..)

I achieved most of it by denying "List folder contents" permission for that particular user on all drives.

Problem is that if I use this on the system drive (C:\) and the second user logs in and wants to (for example) copy something on the desktop or work in Office, it doesn't work properly (C:\ being inaccessible), apparently because Windows/Office need to write temp files to C:\ (root) all the time, even though you copy/rename/modify files within the permitted area only (user's profile dir).

What I need to know is how to restrict a user/account from listing/reading C:\ (root including subfolders) but still be able to write/delete these temporary folders/files so it will work as required.

Maybe there is some other way around it. I would like to know any way that works. Thank you.
 


Solution
To restrict a user account in Windows 7 from accessing certain areas while allowing essential operations like writing temporary files, you need to fine-tune the permissions. Here's a step-by-step guide on how you can achieve this:

1. Grant Limited Access to the User Account:
   - Remove the explicit deny permissions on the C:\ drive that block access. Instead, you can restrict access by only allowing specific permissions.
   - Go to C:\ drive properties > Security tab > Advanced Settings > Change Permissions.
   - Add the user account (SecondUser) and grant the following permissions:
     - Traverse folder / execute file
     - List folder / read data
     - Create files / write data
     - Create folders / append data
     - Modify (optional, depending on the user's requirements)

2. Modify Permission Inheritance:
   - Ensure that you apply these permissions only to the specific folder and that the subfolders don't inherit these restrictions, which may cause issues with temporary files.

3. Deal with Temporary Files Location:
   - Some applications need access to the system drive for temporary files. You can redirect these temporary files to a location where the user has write access. This can be done by modifying environmental variables.
   - Right-click on Computer > Properties > Advanced system settings > Environment Variables.
   - Edit the TEMP and TMP variables for the user account to point to a location within the user's profile directory where they have write permissions.

4. Testing:
   - After making these changes, test the access for the SecondUser account by copying files to the desktop or using Office applications. Ensure that temporary files are being written without any issues.

By following these steps, you can restrict access to certain areas while allowing essential operations like writing temporary files. Remember to test thoroughly to ensure that the user can perform required tasks without any hindrance. If you encounter any issues during the process, feel free to ask for further assistance!
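The steps above in scripted form, as an added example that is not part of the original answer. It assumes the account name SecondUser from the question; the Temp folder path and the probe file name are illustrative choices. Run it once from an elevated prompt as an administrator, then once while logged on as SecondUser.

```powershell
# Added example (not from the original post). Assumed account name: SecondUser.
$user = 'SecondUser'
$root = 'C:\'

if ($env:USERNAME -ne $user) {
    # --- Administrator part (elevated prompt): steps 1 and 2 ---

    # Step 1: remove the explicit Deny ACEs for the account on the drive root.
    icacls $root /remove:d $user

    # Steps 1-2: grant the listed rights WITHOUT (OI)/(CI) inheritance flags,
    # so the ACE applies to this folder only and subfolders do not inherit it.
    #   X  = traverse folder / execute file
    #   RD = list folder / read data
    #   WD = create files / write data
    #   AD = create folders / append data
    icacls $root /grant "${user}:(X,RD,WD,AD)"

    # Check the result: explicit (non-inherited) ACEs for the account on the root.
    # InheritanceFlags should read "None" for a this-folder-only entry.
    (Get-Acl $root).Access |
        Where-Object { $_.IdentityReference -like "*\$user" -and -not $_.IsInherited } |
        Format-Table AccessControlType, FileSystemRights, InheritanceFlags -AutoSize
}
else {
    # --- SecondUser part (normal prompt in that user's session): steps 3 and 4 ---

    # Step 3: point TEMP and TMP at a folder inside the user's own profile.
    # The folder below is an assumed location; any profile subfolder works.
    $temp = Join-Path $env:USERPROFILE 'AppData\Local\Temp'
    if (-not (Test-Path $temp)) {
        New-Item -ItemType Directory -Path $temp | Out-Null
    }
    [Environment]::SetEnvironmentVariable('TEMP', $temp, 'User')
    [Environment]::SetEnvironmentVariable('TMP',  $temp, 'User')

    # Step 4: confirm a temporary file can be created and deleted there.
    $probe = Join-Path $temp ('probe_{0}.tmp' -f [guid]::NewGuid())
    Set-Content -Path $probe -Value 'write test'
    Remove-Item $probe
    Write-Output "TEMP/TMP set to $temp (write test passed)"
}
```

The new TEMP/TMP values take effect for programs started after the user logs off and on again.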
 

