Solved

Disabling Shortcut creation on the desktop with Group Policy (Windows Server 2003)

Posted on 2006-11-28
4
828 Views
Last Modified: 2012-08-13
Our environment is pretty locked down and works great...

Is there a way to disable DESKTOP SHORTCUT CREATIONS?  We're not using profiles and don't plan to.

The only thing I could find was with regards to preventing the WMP from creating a desktop shortcut.


Thanks!
0
Comment
Question by:jgantes
  • 2
  • 2
4 Comments
 
LVL 26

Accepted Solution

by:
Pber earned 100 total points
Comment Utility
This might work...

In a GPO configure this:

User Configuration\Administrative Templates\Desktop\Active Desktop

Enable Active Desktop  - Enable
Prohibit changes - Enable

You can also play with the other settings like

Prohibit Adding items, etc
0
 

Author Comment

by:jgantes
Comment Utility
We'd prefer not to have Active Desktop on.  And, unfortunately, they have to be able to add items to the desktop.

YOU can see that we're in quite the pickle :-)
0
 
LVL 26

Expert Comment

by:Pber
Comment Utility
I think you are out of luck.  

Active Desktop is about the only way.  You can just "Prohibit Deleting items" and still allow users to Add items.

You could mess around with NTFS permissions on C:\Documents and Settings\someuser\Desktop, but I think that will just be opening up a can of worms.  It's always tough to allow adds and not deletes.
0
 

Author Comment

by:jgantes
Comment Utility
Yea, that's what we're finding... This all came up because we wanted to make sure users couldn't make SHORTCUTS to executables on mapped drives.  We have some old accounting software that runs on a mapped drive and reauires read access.  However, if they run a shortcut with a switch IE, "Accounting.exe PsswdRst" they can reset passwords.  Horrible software if you ask me, but it's going to be a while before we move on from it.

Why do people reset passwords?  Because they make errors and want to fix them without a supervisor knowing.  IT doesn't happen much, but it's a big problem when it does.

So, with that said, you see my dilemma.  Of course, they need access to "Accounting.exe" because that runs their client app.

In all, it's not he creation of desktop items such as folders, etc., it's only the shortcuts.  (Of course we have cmd.exe disabled too)

0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Organizations create, modify, and maintain huge amounts of data to help their businesses earn money and generally function.  Typically every network user within an organization has a bit of disk space to store in process items and personal files.   …
Recently, I had the need to build a standalone system to run a point-of-sale system. I’m running this on a low-voltage Atom processor, so I wanted a light-weight operating system, but still needed Windows. I chose to use Microsoft Windows Server 200…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now