Preventing Students from Saving Games on the C: Drive

By James Rudd

I wrote this to help a colleague at another school who had students saving games to the C drive of PCs.

PROBLEM: When using Group Policies with ZENworks and Windows XP, you may find that users are able to create folders and files in the root of C:. This is due to the change in default security settings for drives between Windows 2000 and Windows XP.


You need to use the Security Template editor to create a template restricting rights to the C: drive and deploy it with your group policies. The same procedure can be used to create a Security Template for use with Active Directory.


  1. Open MMC from Run.

  2. Add/Remove Snap-in.

  3. Add Security Templates and Close.

  4. By default this only shows C:\Windows\security\templates. I prefer to store mine on the network, so add a new network folder.

  5. Right click (RC) Security Templates and add a New Template Search Path to the network folder.

  6. You can then either copy an existing template using RC on the template and Save As to the network folder, or start from scratch.

  7. Expand the chosen template, then the File System folder.

  8. RC either on the File System object or in the right-hand pane and Add File.

  9. Click C: and OK and it should expand to %SystemDrive%.

  10. You can now adjust the permissions for the default groups.

  11. When finished, make sure to RC on the template and click Save. You can also set a description before saving.

I recommend going into Advanced and removing the two entries for Users that allow them to Create Folders and Create Files. This will prevent students and users from creating files on the C: drive.

You can create similar entries for other folders such as Program Files, etc. You can also allow students access to folders if required by certain programs or groups. Remember that under Novell, because the computers are not part of a domain, you cannot use items you have added yourself, such as groups or individual users.

Adding to Group Policy in ConsoleOne

  1. Open up the WS Policy Package, Windows XP tab and the Windows Group Policy item.

    If you are using Zen 7, continue; if using Zen 6.5, click Edit and jump to point 3 in AD below.

  2. Click Import Policies.

  3. Click Import Security Settings File, browse to the security template you created and import it.

  4. Make sure Security Settings is ticked under Applied Settings Types.

  5. Click OK to save.

Adding to Group Policy in Active Directory

  1. Open the Group Policy Management console.

  2. Browse to the chosen GPO or create a new one, and go to Edit mode.

  3. Expand Computer Config -> Windows Settings -> Security Settings.

  4. RC on Security Settings and choose Import Policy.

  5. Browse to the security template you created and Open. You may also wish to clear any existing settings in the GPO.

  6. Exit Edit mode.

Multiple Security Templates can be created for different machines.
We allow staff to create files on C: (mainly to keep personal photos and music off the network), so we have separate Security Templates for Staff and Student PCs.
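
To confirm on a client PC that the deployed template took effect, the ACL on the root of the system drive can be inspected directly. The following PowerShell is an added example, not part of the original article; it assumes PowerShell is installed on the client, and the function name Get-RootCreateAce and the inclusion of Authenticated Users in the check are this example's own choices.

```powershell
# Added example (not from the original article): report ACEs on the system
# drive root that still let broad groups create files or folders.
# Run on a client PC after the template has been applied.

# Well-known SIDs, used instead of names so the check works on any OS language.
$broad = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'   # assumption: also worth checking
}

# CreateFiles (WriteData) = 0x2, CreateDirectories (AppendData) = 0x4,
# GENERIC_WRITE = 0x40000000, GENERIC_ALL = 0x10000000 (shown as raw numbers).
$createMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-RootCreateAce {
    param([string]$Path = "$env:SystemDrive\")

    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited rules, with trustees returned as SIDs
    (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $broad.ContainsKey($_.IdentityReference.Value) -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $createMask) -ne 0)
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Trustee     = $broad[$_.IdentityReference.Value]
                Rights      = $_.FileSystemRights
                # PropagationFlags.InheritOnly = 2: the ACE applies to
                # subfolders/files only, not to the root folder itself
                InheritOnly = (([int]$_.PropagationFlags -band 2) -ne 0)
                Inherited   = $_.IsInherited
            }
        }
}

$found = @(Get-RootCreateAce)
if ($found.Count -eq 0) {
    "OK: no create-file or create-folder ACEs for broad groups on $env:SystemDrive\"
} else {
    # Any row listed here is an entry the template should have removed
    $found | Format-Table Trustee, Rights, InheritOnly, Inherited -AutoSize
}
```

On a student PC the expected result is the OK line; on a staff PC using the more permissive template, the remaining Users entries are listed instead.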


Comment List
  • Thanks for your tips. They are very useful. I'm also a teacher.
  • How timely ... I JUST created AutoIt scripts for this same thing yesterday!

    Below are the commands I run.

    ;Remove "CREATOR OWNER" group's access to root of C:
    cacls.exe C:\ /E /R "CREATOR OWNER"

    ;Remove "Everyone" group's access to root of C:
    cacls.exe C:\ /E /R "Everyone"

    ;Revoke "Create Folders" and "Create Files" privileges to root of C: for "Users"
    cacls.exe C:\ /E /P Users:R /C

    ;Provide "Users" with all access (except "Full Control") to C:\temp
    mkdir C:\temp
    cacls.exe C:\temp /E /G Users:c

    ;Give "Users" full access to the Recycle Bin
    cacls.exe C:\Recycler /E /G Users:F