Redirecting/encrypting all users temp folders?

    I want to redirect all users' temp folders to an encrypted drive (I'd be just as happy to encrypt them in place using EFS, but I already have an encrypted drive).

    Is there a way I can make any user account on a machine redirect to a different base path or something? Or force all temp folders to be encrypted in place?

    I'd prefer to do this in a scalable way and one that will affect any new users like Group Policy or something.

    Any ideas?

  • #2
    Re: Redirecting/encrypting all users temp folders?

    Some more info needed:
    - what AD? 2000? 2003?
    - what stations are we talking about?
    - the users' profiles are local? roaming?

    Thank you.

    Sorin Solomon


    In order to succeed, your desire for success should be greater than your fear of failure.
    -

    • #3
      Re: Redirecting/encrypting all users temp folders?

      Oh, sorry, I should have mentioned that this is a 2003 terminal server in a 2003 AD and that the profiles are local. The users will be using it like an application server where they RDP in to run some heavy processing on vfox.

      • #4
        Re: Redirecting/encrypting all users temp folders?

        Here's where this is stored in the registry:

        Windows Registry Editor Version 5.00

        [HKEY_CURRENT_USER\Environment]
        "TEMP"="X:\\Users\\%USERNAME%\\TEMP"
        "TMP"="X:\\Users\\%USERNAME%\\TEMP"
        You could use something like I show above in a REG file and play it in your logon script.

        Of course it won't take effect till next logon.

        This doesn't move / delete the existing contents from what I'm guessing is %USERPROFILE%\Local Settings\Temp, but you could test for existence in the logon CMD or VBS and, if it does not exist, play the REG; else move the guts from the old to the new location.

        There may be a policy setting for this but, even if there is, it won't clean out / move the files from the old to new location.

        Note to others:

        If you are using roaming profiles and each machine does not have this encrypted drive, the thing I know that will work is to use LINKD so %USERPROFILE%\Local Settings\Temp is effectively a mount point for the directory on the encrypted drive. There will be 1 link per user but that could be scripted as follows:
        • Create the new Temp dir on the encrypted drive.
        • Apply the proper ACLs to the new Temp dir
        • Move the dirs / files from old Temp to new
        • Remove the now empty old Temp dir
        • Create a LINKD mounting the new Temp dir in the old location

        I realize this bit doesn't apply to you oh humblest of techs but I thought it would be nice for the record.
        Cheers,

        Rick

        ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

        2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.

        • #5
          Re: Redirecting/encrypting all users temp folders?

          I found the registry entries before posting by googling around, but I don't know how to make sure this is applied to all users. If I write a REG file and then have a logon batch apply it, it won't take effect immediately.

          It does look to me that there is a good solution to doing this for all users.

          Is there a setting that forces all temp folders to be EFS encrypted? This would do me instead. I just can't have my data stored on an encrypted drive and then have my temp files lying around, it defeats the purpose of encrypting the drive.

          Perhaps I could add a group policy template to tattoo this onto the registry for all users?

          • #6
            Re: Redirecting/encrypting all users temp folders?

            What about using the SET command to change the TEMP and TMP environment variables in a login script? The command will be executed every logon, for every user.
            Never used this method, but you can give it a try.

            Sorin Solomon

            • #7
              Re: Redirecting/encrypting all users temp folders?

              Could do, but then the problem is that I would have to create separate folders for every user and grant perms to only them; otherwise I'd have to allow full access to d:\temp to everyone, and this wouldn't be so good. It would be better handled by a policy or something.

              • #8
                Re: Redirecting/encrypting all users temp folders?

                Also, SET only applies for that context. After the Logon CMD ends, it reverts back.

                Try SETX from the W2K Resource Kit OR the Support Tools on your WXP or W2K3 installation CD

                Still guessing it won't apply for the current session.

                Also, oh humblest of techs, I think you're projecting more power on GPO than it could possibly have. If you can change TEMP / TMP in GPO, I seriously doubt it will generate directories and ACL them for you.
                Cheers,

                Rick

                • #9
                  Re: Redirecting/encrypting all users temp folders?

                  I don't think I understand what you need.
                  Please tell us what you need, not how you want it done.
                  You talk about temp files being on an encrypted drive. Now you say you don't want to give each user a folder of its own. What does that mean? You want the temporary files to be encrypted while they are created?
                  The GPO ("or something") is the tool to distribute. But first you need a script, or a CMD file, or a REG file, something ...
                  So I think you should concentrate on that.

                  Sorin Solomon

                  • #10
                    Re: Redirecting/encrypting all users temp folders?

                    Originally posted by rvalstar
                    Also, SET only applies for that context. After the Logon CMD ends, it reverts back.

                    Try SETX from the W2K Resource Kit OR the Support Tools on your WXP or W2K3 installation CD
                    You're right, of course. I somehow thought of SETX. Even got the link for it.

                    Sorin Solomon

                    • #11
                      Re: Redirecting/encrypting all users temp folders?

                      Sorry, I am not being clear. I do want separate folders for each user's temp, obviously, but I just don't want to have to go around and create them manually.

                      I need whatever solution to scale so that any new users get the standard automatically and it can be easily standardized, i.e. no manual effort after the original job of setting it up, at least on a per-machine basis, so that any logins on that machine all set temp to d:\temp\%username% or something.

                      I don't want users sharing a temp folder, that would be bad.

                      • #12
                        Re: Redirecting/encrypting all users temp folders?

                        So you're running a logon script currently?

                        I think we can craft a bit that tweaks the registry, creates the dir, ACLs it properly, and (on next logon) moves the old temp files to the new encrypted location.

                        Users would need to be able to create dirs in the root dir on the encrypted drive.

                        This would eliminate the manual effort.

                        If you want to go with that, let us know. You using a CMD or VBS for logon?
                        Cheers,

                        Rick

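As an added illustration of the plan in post #12 (this is not code from the thread or from any of its posters), here is a logon CMD that does the steps in order: create the per-user folder on the encrypted volume, ACL it to that user only, redirect TEMP/TMP through HKCU\Environment, and sweep the old Local Settings\Temp. It also handles the problem raised later in the thread, that a TrueCrypt volume is not there until someone has mounted it. Assumptions that are not from the thread: the volume is D:, D:\Temp already exists and was ACLed once by an administrator so that Users can create subfolders in it (this folder only) while SYSTEM and Administrators have Full Control, the script runs as the logging-on user, and cacls and reg are the stock Windows Server 2003 tools.

```batch
@echo off
rem Per-user logon script (added example, not from the thread).
rem Assumed layout: D:\ is the TrueCrypt volume, D:\Temp exists and lets Users
rem create subfolders ("this folder only"), SYSTEM/Administrators have Full Control.
setlocal
set ENCROOT=D:\Temp
set NEWTEMP=%ENCROOT%\%USERNAME%
set OLDTEMP=%USERPROFILE%\Local Settings\Temp
set LOG=%USERPROFILE%\logon-temp.log

rem Failure mode from the thread: the volume only appears after someone enters the
rem TrueCrypt password. Never point TEMP at a drive that is not there; keep the
rem previous setting and record why nothing was done.
if not exist "%ENCROOT%\" (
    echo %DATE% %TIME% %ENCROOT% not mounted, TEMP/TMP left unchanged>>"%LOG%"
    endlocal
    goto :eof
)

rem Per-user folder, created on first logon only. The creating user becomes owner,
rem which is what lets cacls below succeed with no extra rights on D:\Temp.
if not exist "%NEWTEMP%\" (
    mkdir "%NEWTEMP%" || goto :fail
    rem /E edits the ACL instead of replacing it (so no "Are you sure" prompt);
    rem /P sets this user's rights to Full Control. Nobody else is granted anything,
    rem so other users get only what D:\Temp passes down, which by assumption is nothing.
    cacls "%NEWTEMP%" /E /P "%USERDOMAIN%\%USERNAME%":F >nul || goto :fail
)

rem Redirect TEMP and TMP for this user. Stored as REG_EXPAND_SZ with a literal
rem %%USERNAME%% (the %% survives as % in the registry) so the text is identical for
rem every user. Read when the environment block is built, i.e. at the next logon.
reg add "HKCU\Environment" /v TEMP /t REG_EXPAND_SZ /d "%ENCROOT%\%%USERNAME%%" /f >nul
reg add "HKCU\Environment" /v TMP  /t REG_EXPAND_SZ /d "%ENCROOT%\%%USERNAME%%" /f >nul

rem Sweep the old location into the encrypted folder. Files locked by programs
rem still running are skipped (/C) and picked up at a later logon.
if exist "%OLDTEMP%\" (
    xcopy "%OLDTEMP%\*" "%NEWTEMP%\" /E /H /K /C /Y >nul 2>&1
    del /F /Q /S "%OLDTEMP%\*" >nul 2>&1
)
endlocal
goto :eof

:fail
echo %DATE% %TIME% could not prepare %NEWTEMP%, TEMP/TMP left unchanged>>"%LOG%"
endlocal
```

Assign it as a user logon script in Group Policy. Because HKCU\Environment is read when the session's environment block is built, the first logon after the change still runs with the old TEMP, which is why the sweep of Local Settings\Temp runs on every logon rather than once, and why the script refuses to touch the registry when the volume is not mounted.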


                        • #13
                          Re: Redirecting/encrypting all users temp folders?

                          I was thinking along these lines as well. Currently using bat/cmd. The first session will not have the temp stuff encrypted, and people tend to stay logged in forever if you let them.

                          I guess I'll have to go with this if I can't think of a better solution...

                          The only other downer is that I am using TrueCrypt and the drive is not available after reboot. You need to log in, mount it and put in a password before you actually get a D drive, so there is opportunity for this logon script to fail to create the dir.

                          I'm still finding my way in all this and am groping for better/cleaner/smarter answers than I currently have in my head...

                          • #14
                            Re: Redirecting/encrypting all users temp folders?

                            Originally posted by humbletech99
                            The only other downer is that I am using TrueCrypt and the drive is not available after reboot.
                            Hi, humbletech99.
                            Are you aware of the fact that TrueCrypt supports command-line parameters? That makes mounting a volume a scriptable task.
                            See the list of the command-line parameters.

                            Sorin Solomon

                            • #15
                              Re: Redirecting/encrypting all users temp folders?

                              I think our client would have some serious objections to doing that though. Wouldn't it mean putting the password in a batch file and assigning that batch file to the domain logon?

                              It would weaken the purpose of having an encrypted drive, although it's still better than not encrypting. I guess I wouldn't be able to stop the domain users from reading the script, although I believe that GPO logon scripts are pushed by AD from the scripts folder in SYSVOL (I'm not sure users can access this proactively, although I do believe there is a default share made for it).

                              Thanks for the idea, I hadn't thought of it actually, I think I heard of the command line option but forgot about it altogether...
