Solved

Disabling Shortcut creation on the desktop with Group Policy (Windows Server 2003)

Posted on 2006-11-28
Last Modified: 2012-08-13
Our environment is pretty locked down and works great...

Is there a way to disable DESKTOP SHORTCUT CREATIONS?  We're not using profiles and don't plan to.

The only thing I could find was with regards to preventing the WMP from creating a desktop shortcut.


Thanks!
Question by:jgantes

Accepted Solution

by: Pber
ID: 18037373
This might work...

In a GPO configure this:

User Configuration\Administrative Templates\Desktop\Active Desktop

Enable Active Desktop  - Enable
Prohibit changes - Enable

You can also play with the other settings like

Prohibit Adding items, etc

Author Comment

by:jgantes
ID: 18039030
We'd prefer not to have Active Desktop on.  And, unfortunately, they have to be able to add items to the desktop.

You can see that we're in quite the pickle :-)

Expert Comment

by:Pber
ID: 18039167
I think you are out of luck.  

Active Desktop is about the only way.  You can just "Prohibit Deleting items" and still allow users to Add items.

You could mess around with NTFS permissions on C:\Documents and Settings\someuser\Desktop, but I think that will just be opening up a can of worms.  It's always tough to allow adds and not deletes.

Author Comment

by:jgantes
ID: 18039303
Yea, that's what we're finding... This all came up because we wanted to make sure users couldn't make SHORTCUTS to executables on mapped drives.  We have some old accounting software that runs on a mapped drive and requires read access.  However, if they run a shortcut with a switch, i.e., "Accounting.exe PsswdRst", they can reset passwords.  Horrible software if you ask me, but it's going to be a while before we move on from it.

Why do people reset passwords?  Because they make errors and want to fix them without a supervisor knowing.  It doesn't happen much, but it's a big problem when it does.

So, with that said, you see my dilemma.  Of course, they need access to "Accounting.exe" because that runs their client app.

In all, it's not the creation of desktop items such as folders, etc., it's only the shortcuts.  (Of course we have cmd.exe disabled too)
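
Added example, not part of the original thread: since shortcut creation cannot be blocked without also blocking other desktop items, one compensating check is to audit desktops for shortcuts that launch the program with arguments. The function name, the demo folder and the placeholder file are assumptions made for illustration; the executable name, the switch and the profile path are the ones quoted in the posts above.

```powershell
# Added example (not from the thread): list desktop shortcuts that start a
# given executable WITH command-line arguments, e.g. "Accounting.exe PsswdRst".
function Get-ShortcutWithArguments {
    param(
        [string[]]$DesktopPath,                  # one or more Desktop folders (wildcards allowed)
        [string]$TargetName = 'Accounting.exe'   # executable name quoted in the thread
    )
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $DesktopPath -Filter *.lnk -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)   # opens the existing .lnk for reading
            # Report only links to the target that also carry arguments.
            if ($lnk.TargetPath -like "*\$TargetName" -and $lnk.Arguments.Trim()) {
                New-Object PSObject -Property @{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                    Modified  = $_.LastWriteTime
                }
            }
        } | Select-Object Shortcut, Target, Arguments, Modified
}

# --- Constructed demo data: a throwaway "desktop" holding two shortcuts ---
$demo = Join-Path $env:TEMP 'lnk-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$exe = Join-Path $demo 'Accounting.exe'
Set-Content -Path $exe -Value ''      # empty placeholder file, not a real program
$shell = New-Object -ComObject WScript.Shell
foreach ($item in @(@{Name='Client.lnk'; Args=''}, @{Name='Fix.lnk'; Args='PsswdRst'})) {
    $s = $shell.CreateShortcut((Join-Path $demo $item.Name))
    $s.TargetPath = $exe
    $s.Arguments  = $item.Args
    $s.Save()
}

# Audit the constructed demo folder.
Get-ShortcutWithArguments -DesktopPath $demo

# Real use, with the profile layout mentioned in the thread:
# Get-ShortcutWithArguments -DesktopPath 'C:\Documents and Settings\*\Desktop'
```

This only finds shortcuts saved in the folders scanned, so it is a detection aid to run on a schedule rather than a control that prevents the switch from being used.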
