So Long, Security Tab!
Hide the Security tab from your domain users.
Chris, I have a Windows 2000 domain controller and Windows XP Professional client machines. I set up GPOs to restrict users not to use different Windows XP features, but I don't know how restrict users from seeing the Security and Customize tabs when they right-click on the Shared NTFS folder on the network (see the figure in the answer below).
Tech Help—Just An
Got a Windows, Exchange or virtualization question
or need troubleshooting help? Or maybe you want a better
explanation than provided in the manuals? Describe
your dilemma in an e-mail to the MCPmag.com editors
the best questions get answered in this column and garner
the questioner with a nifty MCPmag.com baseball-style
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message, but submit the requested
information for verification purposes.)
Kashif, if this was a Windows 2003 domain, this problem would be pretty easy to solve, since there are many more GPO options available. For example, you can edit a Windows 2003 domain GPO to remove the Security tab in Windows Explorer by editing the following setting: User Configuration | Administrative Templates | Windows Components | Windows Explorer | Remove Security Tab. Note that this is also available for local Group Policy Objects on Windows XP.
(Figure 1. Reader wants to hide the Security and Customize tabs shown here.)
While this specific setting is not
available in Windows 2000, there is one other very good option which would work very well in your case. Since you mention that you are already using Group Policy to lock down the Windows XP systems, you can edit your existing GPO and set the following value to enabled: "User Configuration | Administrative Templates | Windows Components | Windows Explorer | Disable Windows Explorer’s default context menu." This will take away all of Windows Explorer’s right-click options. If you’re wondering if users can bypass this setting by just accessing the right-click features from Windows Explorer’s File menu, Microsoft thought of that too. So while users may see the Properties option when they click the File menu, clicking on Properties will do nothing, except frustrate the user.
The problem with this approach is that sometimes users like having the context menu for other applications. So, if there’s no context menu in Windows Explorer, users will not be able to do things such as select "Open With..." and choose which program to open a file, or have access to any custom context menu objects that were added by third-party applications. Since they could open any file from the application itself, this should be seen as a minor inconvenience (as administrators, that’s always easy for us to say).
Now, another way to get rid of the Security tab is to use permissions on your file server. In the parent shared folder, you can disable permissions inheritance, then assign the minimum level of access permissions that are needed for each user group. You can also just do this at the parent drive level, as opposed to at each parent shared folder. So Domain Admins will likely retain full control, while every one else will have lower permissions. Next, you can prevent normal users from seeing the Security tab on the server by following these steps:
- Access the properties of the parent shared folder in Windows Explorer.
- Click the Security tab.
- Now click the Advanced button.
- Click Add.
- In the Select User, Computer, or Group dialog box, select the group to restrict (for example -- Users).
- In the Permission Entry dialog box, select the Deny checkbox next to Read Permissions.
This will prevent users from even seeing the Security tab while connecting remotely. Depending on the number of file servers that you have on your network, this could take considerably longer to implement than using a GPO. Naturally, the additional domain GPO settings available in Windows Server 2003 are worth the upgrade. But if that’s not the case, you still do have a few options.