TCCoA Forums banner

1 - 9 of 9 Posts

·
Registered
Joined
·
2,438 Posts
Discussion Starter #1
Win10, 1803, Enterprise

So the goal here is to have an account that is really stripped down in terms of access to things. Using Group Policy, I've already stripped it down pretty good and am almost happy with it. Here's a list of what's already been removed / disabled:

  • CMD
  • PowerShell
  • Networking functionality
  • Network / Internet access
  • Control Panel
  • App settings
  • Games
  • Access to C:\
It's that last one where I'm not happy with. Apparently, disabling access to C:\ also prohibits access to write to the desktop. I need this account to be able to write to the desktop and that's it. I'm looking for a way to disable access to C:\ but leave an exception where access to C:\Users\[username]\Desktop is available with read and write permissions.

Is it possible to do this through GPO or through Regedit, or any other way?
 

·
Registered
Joined
·
2,438 Posts
Discussion Starter #2

·
Super Moderator
Joined
·
12,230 Posts
For what purpose or user are you building such a stripped down version with such restricted access? Is this for a prison? lol

Our work loaners have full admin rights.
 

·
Registered
Joined
·
2,438 Posts
Discussion Starter #4
Actually, you're pretty close.

I work for a government agency which works very closely with both the Court system and local Sheriff's office. These loaners are going to be given to Jurors for their deliberation purposes. Because it's for deliberation, we don't want the jurors who will be using these computers (laptops) to be doing anything but viewing digital evidence that has been presented to them in court.
 

·
Registered
Joined
·
1,916 Posts
The simplest solution would be to partition the drive and put all user files (desktop, documents, etc) under a different drive letter.

I do this on my personal computer, I have my boot drive (C:) hold program files, etc, but have all my user files on a completely separate physical drive, but I'm assuming you don't want to put extra money into the test rig, so a partition for user files would do the job.
 

·
Registered
Joined
·
2,438 Posts
Discussion Starter #6
Before creating the user profile on the computer, would I be able to tell Windows where to load the user profile? So, instead of loading the profile to the default location of C:\Users\[USER], I would tell Windows to load the profile to say, D:\Users\[USER]?

The other option that I'm thinking of, is hiding the view of C:\ but not restricting access to it. However, in place of not restricting access to C:\ I would hide any and all options of manually navigating to C:\ such as removing or restricting ass to RUN, Internet Explorer / Edge (it doesn't have network access anyway), and hiding the address bar of file explorer.
 

·
Super Moderator
Joined
·
5,005 Posts
Before creating the user profile on the computer, would I be able to tell Windows where to load the user profile? So, instead of loading the profile to the default location of C:\Users\[USER], I would tell Windows to load the profile to say, D:\Users\[USER]?
You mean like this? https://www.tenforums.com/tutorials/1964-move-users-folder-location-windows-10-a.html

Bad news is, you set this up in the original installation; so you'll have to redo what you've already done.

GOOD news should be "Can just open notes and slough through it again". If you can't, THEN MAKE YOUR NOTES AS YOU GO.

RwP
 

·
Super Moderator
Joined
·
12,230 Posts
Actually, you're pretty close.

I work for a government agency which works very closely with both the Court system and local Sheriff's office. These loaners are going to be given to Jurors for their deliberation purposes. Because it's for deliberation, we don't want the jurors who will be using these computers (laptops) to be doing anything but viewing digital evidence that has been presented to them in court.
Ah, yes ... the prison of jury duty. It makes perfect sense.
 

·
Registered
Joined
·
2,438 Posts
Discussion Starter #9
You mean like this? https://www.tenforums.com/tutorials/1964-move-users-folder-location-windows-10-a.html

Bad news is, you set this up in the original installation; so you'll have to redo what you've already done.

GOOD news should be "Can just open notes and slough through it again". If you can't, THEN MAKE YOUR NOTES AS YOU GO.

RwP
Notes? You should see how tedious I am with my documentation on everything new I come across!!! :D

I'll try the "hide C:\ and run" thing I mentioned earlier first. If that still doesn't work out how I like, I'll do the new install thing a run.

Ah, yes ... the prison of jury duty. It makes perfect sense.
What's funny is when I was called up for jury duty earlier this year, it fascinated me how different their processes are done in the county I live in vs. the county I work for.
 
1 - 9 of 9 Posts
Top