HI,
we run several 2008R2 SP1 Remote Desktop servers. All of them, installed from the official media (so no sysprep images). Out of the box on all our 2008R2 servers, RDS or not, Users have 'Create folders / append data' special permissions on %SYSTEMDRIVE%, so root of C:. I believe they are there for compatiblity reasons but our users found out other uses for these permissions. I want to get rid of them but I can't:
- Settings permissions using normal explorer GUI gives access denied
- icacls c:\ /remove "users" from elevated prompt (although UAC is disabled) gives access denied
- psexec -s icacls c:\ /remove "users" gives access denied (so running as SYSTEM)
- Modifying permissions through GPO, either local or through domain doesn't work, permissions aren't applied (probably also access denied)
- UAC is disabled
I've searched both technet and google and found some of the above solutions but none seem to work for me. So how to prevent users to dump their stuff at C:\?