
Restrict users from saving to the desktops

  • 16-07-2008 3:15pm
    #1
    Registered Users, Registered Users 2 Posts: 3,464 ✭✭✭


    Have a site with 50 users (Server 2003 with XP Pro clients) and I have via GPO set the C drive to hidden so they cannot get the option to save to it. I have redirected their My Documents to a mapped drive; the problem I am having is they still save to the desktops no matter what is said to them.
    GPO does not seem to have an option to stop them from saving to the desktop and I have googled for hours and come up with nothing better than a reg edit to restrict the users' rights on the desktop.

    Any ideas?


Comments

  • Closed Accounts Posts: 1,178 ✭✭✭dade


    creating a mandatory roaming profile for all users might do this, so they change but when they log in the mandatory profile is logged. not sure how this would affect your redirects of my docs etc but I reckon using the roaming profile would allow the use of redirects also


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    bit dirty maybe

    make the desktop folder read only?


  • Closed Accounts Posts: 1,178 ✭✭✭dade


    ntlbell wrote: »
    bit dirty maybe

    make the desktop folder read only?

    was just thinking along the lines of this, could you within a login script change the properties of "c:\documents and settings\%username%\desktop" to read only and have that run at login.

    the only issue I see here is if the user has local admin rights they can just change the permissions.


  • Registered Users, Registered Users 2 Posts: 3,464 ✭✭✭jamesd


    You would think this would be a common issue and Microsoft would have a tab in GPO for it.


  • Closed Accounts Posts: 1,178 ✭✭✭dade


    they may not create it because some applications once installed automatically create a shortcut to desktop so a policy like this would stop that. Or they couldn't be bothered ;)


  • Registered Users, Registered Users 2 Posts: 1,081 ✭✭✭unnameduser


    or change NTFS permissions on the desktop folders?


  • Registered Users, Registered Users 2 Posts: 1,562 ✭✭✭cance


    jamesd wrote: »
    You would think this would be a common issue and Microsoft would have a tab in GPO for it.

    I disagree, I don't see the necessity for it to be honest.

    The only reasonable way to do this is to enable a redirected desktop

    user configuration > windows settings > folder redirection (right click desktop)
    • Create an NTFS share e.g. \\fileserver\userdesk
    • place all application shortcuts you wish to use in this folder.
    • Assign only administrators full control and users read only to the directory
    • enable desktop redirection on a group policy over the users to the above folder

    presto read only desktop. All users will use this as a shared workspace for a desktop but none of them can write to it.

    I used this option a few years ago with roaming profiles and Citrix ICA shortcuts, worked great but users hated not being able to use their desktop for storage.

    The shortcuts will only work if the application is installed locally on the PC and the applications must be installed in the same path as specified in the shortcuts.
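
An added example, not part of cance's post: one way to build the read-only folder behind the redirected desktop and confirm that no non-administrator ACE can write to it. It assumes a file server with PowerShell 5 and the SmbShare module (Windows Server 2012 or later, not the Server 2003 host in this thread); the local path `D:\Shares\userdesk` is hypothetical.

```powershell
# Added example, not from the thread. Run elevated on the file server.
# Assumes PowerShell 5+ and the SmbShare module (Windows Server 2012 or later).
$Path      = 'D:\Shares\userdesk'   # hypothetical path behind \\fileserver\userdesk
$ShareName = 'userdesk'
$Trusted   = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Start from the current descriptor, block inheritance and drop existing ACEs.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

# Administrators and SYSTEM: full control. Users: read and execute only.
$grants = @{ 'BUILTIN\Users' = 'ReadAndExecute' }
foreach ($id in $Trusted) { $grants[$id] = 'FullControl' }
foreach ($id in $grants.Keys) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $id, $grants[$id], 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Share permissions mirror the NTFS ones; the stricter of the two applies.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path `
        -FullAccess 'BUILTIN\Administrators' -ReadAccess 'BUILTIN\Users' | Out-Null
}

# Verify: fail if any Allow ACE outside the trusted list carries a write-type right.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$offenders = @((Get-Acl -Path $Path).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $Trusted -notcontains $_.IdentityReference.Value -and
    ($_.FileSystemRights -band $writeMask) -ne 0
})
if ($offenders.Count -gt 0) {
    $offenders | Format-Table IdentityReference, FileSystemRights, IsInherited
    throw "Writable ACEs remain on $Path"
}
Write-Output "OK: $Path is read-only for non-administrators"
```

The verification step is the part worth re-running after any later change to the folder, since a single inherited or leftover Modify ACE silently undoes the read-only desktop.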


  • Registered Users, Registered Users 2 Posts: 20,844 ✭✭✭✭cormie


    Just on a similar note, does anyone know how to make files ALWAYS save to the desktop? I don't use my documents or anything like that so when files are saved there, I always end up putting them on the desktop until I'm finished with them. That said, some programs ask where to save files, and I've picked the right location (not the desktop) for these, so wouldn't want these settings to be lost :)


  • Registered Users, Registered Users 2 Posts: 1,562 ✭✭✭cance


    cormie wrote: »
    Just on a similar note, does anyone know how to make files ALWAYS save to the desktop? I don't use my documents or anything like that so when files are saved there, I always end up putting them on the desktop until I'm finished with them. That said, some programs ask where to save files, and I've picked the right location (not the desktop) for these, so wouldn't want these settings to be lost :)

    Internet Explorer I assume?
    • Start > run > regedit
    • In the left hand pane navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
    • Right click on the white region of Regedit's right hand pane, click New, and then click String Value
    • Enter Download Directory for the name of the new DWORD Value and press Enter. The new value should now appear in Regedit's right-hand column.
    • Right click the new value and choose Modify.
    • Click Modify and set the Value Data field to be the path to the directory you want IE to send downloads, then click OK.


  • Registered Users, Registered Users 2 Posts: 20,844 ✭✭✭✭cormie


    Sorry, it wasn't for Internet Explorer, I use Firefox :o

    was just wondering if it was possible for the likes of when I scan files, or go to save a file from MS paint and the likes :)


  • Registered Users, Registered Users 2 Posts: 1,562 ✭✭✭cance




  • Registered Users, Registered Users 2 Posts: 20,844 ✭✭✭✭cormie


    thanks, will have a look later :)


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    cance wrote: »
    I disagree, I don't see the necessity for it to be honest.

    The only reasonable way to do this is to enable a redirected desktop

    user configuration > windows settings > folder redirection (right click desktop)
    • Create an NTFS share e.g. \\fileserver\userdesk
    • place all application shortcuts you wish to use in this folder.
    • Assign only administrators full control and users read only to the directory
    • enable desktop redirection on a group policy over the users to the above folder

    presto read only desktop. All users will use this as a shared workspace for a desktop but none of them can write to it.

    I used this option a few years ago with roaming profiles and Citrix ICA shortcuts, worked great but users hated not being able to use their desktop for storage.

    The shortcuts will only work if the application is installed locally on the PC and the applications must be installed in the same path as specified in the shortcuts.

    This doesn't seem to be a reason not to have a GPO for it

    What if you don't use folder redirections?


  • Closed Accounts Posts: 1,178 ✭✭✭dade


    cormie wrote: »
    I don't use my documents or anything like that so when files are saved there, I always end up putting them on the desktop until I'm finished with them.


    If it's Office then go to Tools and Options, there's a location tab there and you can change the default save location that way.

    other apps may have a similar option


  • Registered Users, Registered Users 2 Posts: 1,562 ✭✭✭cance


    ntlbell wrote: »
    This doesn't seem to be a reason not to have a GPO for it

    What if you don't use folder redirections?

    I didn't state in the first place this was a reason not to have a group policy option for it, I said I didn't feel it needed an option.

    I was merely offering a solution that I knew worked.


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    cance wrote: »
    I didn't state in the first place this was a reason not to have a group policy option for it, I said I didn't feel it needed an option.

    I was merely offering a solution that I knew worked.

    But why would it not be needed, it clearly is needed, for when your solution is not an option :)


  • Registered Users, Registered Users 2 Posts: 3,464 ✭✭✭jamesd


    I think it is needed very much, would save a lot of bother.


  • Registered Users, Registered Users 2 Posts: 1,562 ✭✭✭cance


    jamesd wrote: »
    I think it is needed very much, would save a lot of bother.

    bah, picking me up on my opinion but ignoring any help I've tried to add :(

    would you consider using redirected desktop?

    I was thinking about another option and somebody mentioned changing the security settings on the desktop folder... this could be done with a login script if you were that way inclined.

    you could use xcacls, in a login script, I'm on a Linux PC at the moment but there is a variable in Windows for the user's profile path, all you would have to do is add a deny write to users on the desktop folder for the user logging in.

    i.e. something like this:

    %systemdrive%
    cd %userprofile%
    xcacls desktop deny write to users (dont have the program in front of me to get the exact statement)
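
An added example, not part of cance's post: a logon-script version of the deny-write idea, followed by a check for the weakness dade raised earlier in the thread (a local admin, and likewise the folder's owner, can simply change the permissions back). It assumes PowerShell and `icacls.exe` are present on the client instead of the xcacls tool named in the post, and it applies the deny entry to the logged-on user's own SID, which is a choice made for this example.

```powershell
# Added example, not from the thread. Assumed to run as a logon script in the
# user's own context, on a client that has PowerShell and icacls.exe.
$desktop = [Environment]::GetFolderPath('DesktopDirectory')
$sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# Deny "create file" (WD) and "create folder" (AD) on the Desktop folder itself.
# No (OI)/(CI) flags, so the ACE is not inherited by existing shortcuts or files.
& icacls.exe $desktop /deny "*${sid}:(WD,AD)" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $desktop" }

# Confirm that an explicit Deny ACE for this user is now on the folder.
$acl  = Get-Acl -Path $desktop
$type = [System.Security.Principal.SecurityIdentifier]
$deny = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited -and
    $_.IdentityReference.Translate($type).Value -eq $sid
})
if ($deny.Count -eq 0) { throw "Deny ACE not found on $desktop" }

# Caveat check: the folder's owner and local administrators can edit the DACL,
# so for them the deny entry is a speed bump and not an enforced control.
$ownerSid  = $acl.GetOwner($type).Value
$principal = [System.Security.Principal.WindowsPrincipal](
    [System.Security.Principal.WindowsIdentity]::GetCurrent())
$isAdmin   = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)

if ($ownerSid -eq $sid -or $isAdmin) {
    Write-Warning "Deny ACE set on $desktop, but this user can remove it (owner: $($ownerSid -eq $sid), admin: $isAdmin)"
} else {
    Write-Output "Deny ACE set on $desktop and the user cannot change the DACL"
}
```

Because users normally own their own profile folders, the warning branch is the expected result on a default profile; moving the desktop to a server-side folder the user does not own is what makes the restriction stick.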


  • Registered Users, Registered Users 2 Posts: 3,464 ✭✭✭jamesd


    I'm going to have a look at redirecting the desktop today, I can see it getting messy though as I have all my users in 1 OU in AD and by applying this they will all have the same desktop even though there are different departments running different applications, I cannot move my users into different OUs as this is a standard set by their headquarters. Maybe I can look at having 4 folders on the desktop, 1 Sales, 2 Reservations and so on, and in those folders have the shortcuts for their specific applications


  • Registered Users, Registered Users 2 Posts: 30,470 ✭✭✭✭Ghost Train


    can you not just give everyone roaming profiles, so anything in their complete documents folder (including desktop) is backed up on the server

    if you know how to edit the registry to restrict desktop permissions, the other option would be to create a custom .adm file based on the registry setting, and add this administrative template to the OU GPO

    example adm file to disable usb writing is here, you might be able to edit it to change the registry setting you want to control the desktop with


  • Registered Users, Registered Users 2 Posts: 1,562 ✭✭✭cance


    jamesd wrote: »
    I'm going to have a look at redirecting the desktop today, I can see it getting messy though as I have all my users in 1 OU in AD and by applying this they will all have the same desktop even though there are different departments running different applications, I cannot move my users into different OUs as this is a standard set by their headquarters. Maybe I can look at having 4 folders on the desktop, 1 Sales, 2 Reservations and so on, and in those folders have the shortcuts for their specific applications

    well in that case you could apply group policies based on group membership, in the GPMC (group policy management console) you can set security filtering.

    filter the group policies by group and you can have as many desktops as you like.


  • Registered Users, Registered Users 2 Posts: 3,247 ✭✭✭goodlad


    Or you could use a Group Policy to hide all items on the desktop?
    They ain't gonna save there if they then can't see and access the file.

