I deploy Windows 2000 Professional to users on Hewlett-Packard (HP) PCs. I use the recovery CD-ROM that ships with each unit to create a master computer that I'll image with Symantec's Norton Ghost. The problem is that the HP recovery CD-ROM installs the C partition as FAT32, and when I convert the partition to NTFS, Everyone has full control of the system folder. Realizing that users need Change access to some files in the \winnt folder, I'm reluctant to just reset the permissions and propagate them down the tree. In light of these problems, what's the best way to reset NTFS permissions on the C partition after converting it from FAT32?
I recommend that you read about the security templates that come with Win2K. Try security templates, predefined templates in Win2K's Help text index. Specifically, the basicws.inf template secures the system root folders in the way that you need. You can use the Secedit command-line tool to apply these templates from the command line. However, be sure to thoroughly test the configuration before you deploy your image. Log on as a regular user and fully exercise all applications to make sure that you haven't broken anything.