How to use GPOs to deny folder permissions

You can use a Group Policy Object (GPO) to deny folder permissions in Windows. Find out how to manage folder permissions with GPOs with this advice from Kevin Beaver.

How can I control folder permissions to prevent users from writing files on their combo drives? Can this be done with a Group Policy Object (GPO)? I want them to have read access only.

For Windows Explorer-based functions, you can deny some folder permissions by setting up a GPO. You can also modify local policies (via gpedit.msc) and enable the "Remove CD Burning features" policy under User Configuration/Administrative Templates/Windows Components/Windows Explorer as shown in the following figure.

Use GPOs to deny write privileges

To deny write privileges for third-party applications, you're likely going to need a lock down tool such as those offered by Faronics and Fortres Grand or a host-based data leakage prevention tool such as those offered by ControlGuard and Verdasys.

Extra information on GPOs and folder permissions

  • Use Group Policy to secure removable storage devices
    Removable devices can be deadly to a Windows network. Check out this tip series to learn how to use Group Policy to prevent devices like USB drives from destroying your network.
  • Selectively set read and write permissions
    Manage the read and write permissions of certain hardware devices like Bluetooth headsets and external drives with this advice from Jonathan Hassell.

  • Group Policy management: Disabling CMD
    You can disable CMD in Group Policy in two steps according to Wes Noonan, our Windows-based network infrastructure security design expert. In this tip, he'll tell you how to prevent your network users from enabling CMD.
  • Restricting user permissions in folders
    If you have a question about managing the permissions of a folder in your domain, this advice from Jonathan Hassell tells you how to set those permissions and prevent users from deleting that folder.

Dig Deeper on Windows OS and management

Virtual Desktop