
I would like to use a GPO setting to block users from creating folders and files in the root directory in Windows 10. Searching on the internet I found the setting

Computer configuration -> Policies -> Windows settings-> Security Settings-> File System

where I created an entry for %SystemDrive%\ where Authenticated users have "Deny" to "Create Files/Write data" and "Create folders/append data", applied to "This folder only".

After saving and linking the GPO, I rebooted the workstation to get the new policies, but the setting does not block anything.

Any idea what could be wrong? Any other suggestion to achieve the same result?

Thanks a lot.

fixer1234
  • 28,064
YaKs
  • 103

2 Answers

We can try to troubleshoot as below:

  1. Is the Windows 10 machine in a domain environment? If it is in the domain, we can run a gpresult report on the Windows 10 machine to see if the policy is applied. If it is applied but it cannot block the creation of folders and files, go to step 2.
  2. Block other folders in the root directory to see if we can apply the group policy successfully. If we can, maybe we cannot set the permission of the system root directory.
  3. If the Windows 10 machine is not in a domain environment, please keep in mind that this process is only available to a domain with a server running the Group Policy Management feature... standalone systems and workgroups still need to manually assign these permissions! So we can try to set the permission manually.

Reference:

Assign File & Folder Permissions Via Group Policy

https://www.linkedin.com/pulse/assign-file-folder-permissions-via-group-policy-farid-soltani

Creating File System security GPOs

https://library.netapp.com/ecmdocs/ECMP1401220/html/GUID-A8D101D3-729F-4299-A591-4AC55A5DD12E.html

Group Policy – GPResult Examples

https://blog.thesysadmins.co.uk/group-policy-gpresult-examples.html

Daisy Zhou
  • 1,041

Bad idea. Don't go there.
Unless ALL your systems are completely locked down to the point no one is ever going to need to install anything.
Blocking folder/file creation at the root of the systemdrive will break a lot of software, especially installers for device drivers as these often create working folders directly from the root of the drive.
Also Windows 10 InPlace Upgrades (and probably some other Windows updates as well) need to write to the root-folder.
And some system processes, like Hibernate, probably don't like this either.

And "DENY Authenticated Users", as some people suggest in other answers, ALSO is a DENY for Administrators. DENY overrules everything. An Administrator can undo it, but that takes manual intervention, which is something WindowsUpdate, etc. can't do.

In a managed software environment (like SCCM) you can cobble something up as a wrapper around every installer, but that is a lot of work.
Or you can use a local (non-domain) admin account for SCCM and limit the folder access for "Domain Users". But that is also hard to set up and possibly a security risk. (You would need to set up individual passwords for that account on every computer and store these somewhere for use by SCCM. If you use the same password everywhere and one is compromised, every computer is.)
In fact: the company I work for actually does it like that with SCCM and individual local admin accounts on every computer (about 200,000 systems), but we aren't crazy enough to lock down the root drive. Too much potential for causing all sorts of weird side effects/problems.

Tonny
  • 33,276
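The following PowerShell script is an added example, not code from the question or from either answer. It ties together the two checks above: the gpresult and ACL verification from the first answer (is the GPO applied at all, and did the Deny entries actually land on the root of the system drive with "This folder only" inheritance?), and the second answer's point that a Deny for "Authenticated Users" also matches an administrator's own token. It assumes an elevated PowerShell session on the domain-joined Windows 10 client; the GPO display name `Root Drive Lockdown` is a placeholder, not a name from the page.

```powershell
# Added example (not from the original question or answers).
# Verifies whether the File System security setting of a GPO reached the root
# of the system drive, and shows that a Deny ACE for "Authenticated Users"
# also applies to the (administrative) account running the script.
# Assumptions: elevated PowerShell on the domain-joined client; $GpoName is a
# placeholder for the real GPO display name.

param(
    [string]$GpoName = 'Root Drive Lockdown'   # placeholder, not a name from the page
)

$root = "$env:SystemDrive\"

# --- Step 1: is the GPO listed as applied to this computer? ------------------
$gpresult = gpresult /scope computer /r 2>&1 | Out-String
if ($gpresult -match [regex]::Escape($GpoName)) {
    Write-Host "GPO '$GpoName' appears in the applied computer policies."
} else {
    Write-Warning "GPO '$GpoName' is not listed by gpresult; check the link, OU scope and security filtering before looking at the ACL."
}

# --- Step 2: did the Deny ACEs land on the root folder? ----------------------
# In the GUI, "This folder only" corresponds to InheritanceFlags = None;
# "Create Files/Write data" is the CreateFiles (WriteData) right and
# "Create folders/append data" is the CreateDirectories (AppendData) right.
$acl    = Get-Acl -Path $root
$denies = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }

if (-not $denies) {
    Write-Warning "No Deny ACEs on $root - the policy setting has not been applied."
} else {
    $denies |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags |
        Format-Table -AutoSize
}

# --- Step 3: does the Deny also catch the account running this script? -------
# Every logged-on account, administrators included, carries the
# "Authenticated Users" SID (S-1-5-11) in its token, and Deny ACEs are
# evaluated before Allow ACEs, so such a Deny hits Administrators as well.
$token     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($token.User.Value) + @($token.Groups | ForEach-Object { $_.Value })

foreach ($ace in $denies) {
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if ($tokenSids -contains $sid) {
        Write-Host "Deny for $($ace.IdentityReference) ($sid) applies to the current account $($token.Name)."
    }
}

# --- Step 4: practical probe - try to create and remove a file in the root ---
$probe = Join-Path $root ('gpo-probe-{0}.tmp' -f [guid]::NewGuid())
try {
    New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
    Remove-Item -Path $probe -Force
    Write-Host "File creation in $root succeeded for $($token.Name) - nothing is being blocked."
} catch {
    Write-Host "File creation in $root was refused for $($token.Name): $($_.Exception.Message)"
}
```

Run it once as the elevated administrator and once from a non-elevated session of a standard user; if step 2 shows no Deny entries in both runs, the problem is in policy delivery (step 1 of the first answer), whereas Deny entries that are present and also reported by step 3 for the administrator are exactly the side effect the second answer warns about.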