Solved

Disabling Shortcut creation on the desktop with Group Policy (Windows Server 2003)

Posted on 2006-11-28
4
835 Views
Last Modified: 2012-08-13
Our environment is pretty locked down and works great...

Is there a way to disable DESKTOP SHORTCUT CREATIONS?  We're not using profiles and don't plan to.

The only thing I could find was with regards to preventing the WMP from creating a desktop shortcut.


Thanks!
0
Comment
Question by:jgantes
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 26

Accepted Solution

by:
Pber earned 100 total points
ID: 18037373
This might work...

In a GPO configure this:

User Configuration\Administrative Templates\Desktop\Active Desktop

Enable Active Desktop  - Enable
Prohibit changes - Enable

You can also play with the other settings like

Prohibit Adding items, etc
0
 

Author Comment

by:jgantes
ID: 18039030
We'd prefer not to have Active Desktop on.  And, unfortunately, they have to be able to add items to the desktop.

YOU can see that we're in quite the pickle :-)
0
 
LVL 26

Expert Comment

by:Pber
ID: 18039167
I think you are out of luck.  

Active Desktop is about the only way.  You can just "Prohibit Deleting items" and still allow users to Add items.

You could mess around with NTFS permissions on C:\Documents and Settings\someuser\Desktop, but I think that will just be opening up a can of worms.  It's always tough to allow adds and not deletes.
0
 

Author Comment

by:jgantes
ID: 18039303
Yea, that's what we're finding... This all came up because we wanted to make sure users couldn't make SHORTCUTS to executables on mapped drives.  We have some old accounting software that runs on a mapped drive and reauires read access.  However, if they run a shortcut with a switch IE, "Accounting.exe PsswdRst" they can reset passwords.  Horrible software if you ask me, but it's going to be a while before we move on from it.

Why do people reset passwords?  Because they make errors and want to fix them without a supervisor knowing.  IT doesn't happen much, but it's a big problem when it does.

So, with that said, you see my dilemma.  Of course, they need access to "Accounting.exe" because that runs their client app.

In all, it's not he creation of desktop items such as folders, etc., it's only the shortcuts.  (Of course we have cmd.exe disabled too)

0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
Recently, I had the need to build a standalone system to run a point-of-sale system. I’m running this on a low-voltage Atom processor, so I wanted a light-weight operating system, but still needed Windows. I chose to use Microsoft Windows Server 200…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question