dsheltzel


How do I disable creating shortcuts?

I work for a high school, and have a real stringent GP in place as to what I allow and do not allow students to do on public PCs. I have discovered as of late that if you right click on the desktop, create a new shortcut, type in shutdown -i, and open it, students can access a shutdown window to shut down other PCs. Students have local admin rights on different PCs as they need it to run certain apps. I have all the security locked through group policy. How can I disable this, or disable students being allowed to create shortcuts, without removing them from the admins group, and how can it be done through group policy?

Thank you!
t_hewlett

I'm sure you can provide a list of programs which the GP will not allow to run. Just create a new GP or edit an existing one and add in the shutdown.exe command. This should prevent them from running the program in future. I'm looking for the exact setting now..... hang on
Wesley Miller
Just make them a member of the Power Users group.

Then adjust the rights on the apps to allow Power Users to run them as Administrators...

To do this, just use My Computer, Explore, C, Program Files and find the application they need to run.

Right click on the EXE that runs the application, then click on Properties, then the Security tab, click on the Power Users group and give it admin rights for that file....


dsheltzel

ASKER

Too much work to change 700 PCs. I just want to block access to shutdown.exe

When they right click, it has the \%windir%\system32\ path.

Can I remove this directory from their path? How would I do this and how would it work?
I wouldn't make shutdown.exe or any other program disallowed via group policy, as you may want to run it. The machines are logged in with particular accounts. Go into c:\windows\system32, find shutdown.exe, right click it, go to Properties and permissions, and only allow accounts that need access to that program access to run it... or if you don't need that ability, delete it or move it into another directory that isn't in the search path. You could also change the permissions of their desktop to not allow them to create files there; that would stop them from creating shortcuts, but also not allow them to save any file there (probably a good idea in a school).
How do I disallow them from creating shortcuts on the desktop?
If it's just the Shutdown.exe you are worried about, do the same thing as the apps, only remove all groups from the Security tab except for the system. This will then only allow the system access to run the Shutdown.exe
Do you want the info on the disable software list or not?
I want to do whatever will work. I just want to block students from having access to the shutdown.exe program. They are local admins, so I assume it would have to be through GP to make it happen. Students are on a different GP than my staff, so I don't mind specifically blocking an app to them through GP. What is the best way to make students not be able to create a shortcut on the desktop to this file and execute it?

Thanks!
Well, here it is anyway: there is a user setting you can enable, and list the shutdown.exe application and any others. Create a security group or use an existing one and add this policy at whatever OU level, then set the read and apply rights for the group and remove the default authenticated one. The only issue is you will also have to disable the command box.....
Major pain may be, the above setting stops the listed applications being run from Windows Explorer, so if the command box is not disabled they could still run the command from there.
ASKER CERTIFIED SOLUTION
t_hewlett
Come on, give me the points dsheltzel, you know you want to!
Great thing about this command is you can still use the "runas /user:domain\account cmd" from the local PC to use the applications which are in the banned list.
You can create a software restriction policy which can stop shortcuts being run from the desktop, but it doesn't stop them being created on the desktop.
What happens is the shortcut is created and looks fine, but when they try to run it they get a message saying this has been disabled. The way this works is in "User config\windows settings\software restrictions policies\Additional rules\": you need to add a rule and type in the full path for the files which are to be disabled. Wild cards work, i.e. * or ?. Then in the Security level option select the Disallowed option.
So if your path had C:\Documents and Settings\*\Desktop then any shortcut on a desktop, or new ones created, will not run. If you just want to restrict the one file then add that file name to the path. The reason I put a * in the path is due to the user name changing for each user who logs on. So again, if this policy is set up as per above with a security group and permissions set for the group only, then only the user accounts in the group will be affected.
This does not stop new shortcuts being created.... It only stops them running the shortcuts from the desktop. The only way I have found to stop new shortcuts being created is to change the permissions of the desktop to read and execute; this allows the users to run the shortcut files but not add new ones. This can be done with a log script if running with local profiles, or by running a script to change the file permissions on the home area desktop folder, assuming you have roaming profiles.
More info on mandatory user profiles is here: http://technet2.microsoft.com/windowsserver/en/library/3bd7900c-6145-461d-89f2-c12a8c6dd7301033.mspx?mfr=true
As for a script, this will be a hunt on the internet for something similar and then tweak it to suit. Hope this is not too much info and good luck
This worked and was what I was looking for.

Thanks!
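
The desktop-permission approach discussed in the thread, sketched as a logon script. This is an added example, not code posted by any participant: the group name `SCHOOL\Students` is a hypothetical placeholder, and instead of rewriting the whole ACL to read and execute it adds a deny entry for file and folder creation on the desktop folder itself, which leaves existing shortcuts readable and runnable.

```powershell
# Added example, not from the thread. Assumes it runs in the student's
# session (logon script) so 'Desktop' resolves to that user's profile.
param(
    [string]$Desktop = [Environment]::GetFolderPath('Desktop'),
    [string]$Group   = 'SCHOOL\Students'   # hypothetical group name
)

# Rights that control adding new items to a folder:
#   CreateFiles       = add a file (this is what a new .lnk needs)
#   CreateDirectories = add a subfolder
$rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'

# InheritanceFlags None: the entry applies to the desktop folder only,
# not to the files already inside it.
$inherit   = [System.Security.AccessControl.InheritanceFlags]::None
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$type      = [System.Security.AccessControl.AccessControlType]::Deny

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Group, $rights, $inherit, $propagate, $type

# AddAccessRule merges with an identical existing entry, so running this
# at every logon does not pile up duplicate ACEs.
$acl = Get-Acl -Path $Desktop
$acl.AddAccessRule($rule)
Set-Acl -Path $Desktop -AclObject $acl

# Show the explicit deny entries now present so the result can be checked.
(Get-Acl -Path $Desktop).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Because the students in this thread are local administrators, they keep the ability to take ownership of the folder and edit its ACL, so this entry stops casual shortcut creation but is not a boundary against an account with admin rights.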