Solved

Disabling Shortcut creation on the desktop with Group Policy (Windows Server 2003)

Posted on 2006-11-28
4
831 Views
Last Modified: 2012-08-13
Our environment is pretty locked down and works great...

Is there a way to disable DESKTOP SHORTCUT CREATIONS?  We're not using profiles and don't plan to.

The only thing I could find was with regards to preventing the WMP from creating a desktop shortcut.


Thanks!
0
Comment
Question by:jgantes
  • 2
  • 2
4 Comments
 
LVL 26

Accepted Solution

by:
Pber earned 100 total points
ID: 18037373
This might work...

In a GPO configure this:

User Configuration\Administrative Templates\Desktop\Active Desktop

Enable Active Desktop  - Enable
Prohibit changes - Enable

You can also play with the other settings like

Prohibit Adding items, etc
0
 

Author Comment

by:jgantes
ID: 18039030
We'd prefer not to have Active Desktop on.  And, unfortunately, they have to be able to add items to the desktop.

YOU can see that we're in quite the pickle :-)
0
 
LVL 26

Expert Comment

by:Pber
ID: 18039167
I think you are out of luck.  

Active Desktop is about the only way.  You can just "Prohibit Deleting items" and still allow users to Add items.

You could mess around with NTFS permissions on C:\Documents and Settings\someuser\Desktop, but I think that will just be opening up a can of worms.  It's always tough to allow adds and not deletes.
0
 

Author Comment

by:jgantes
ID: 18039303
Yea, that's what we're finding... This all came up because we wanted to make sure users couldn't make SHORTCUTS to executables on mapped drives.  We have some old accounting software that runs on a mapped drive and reauires read access.  However, if they run a shortcut with a switch IE, "Accounting.exe PsswdRst" they can reset passwords.  Horrible software if you ask me, but it's going to be a while before we move on from it.

Why do people reset passwords?  Because they make errors and want to fix them without a supervisor knowing.  IT doesn't happen much, but it's a big problem when it does.

So, with that said, you see my dilemma.  Of course, they need access to "Accounting.exe" because that runs their client app.

In all, it's not he creation of desktop items such as folders, etc., it's only the shortcuts.  (Of course we have cmd.exe disabled too)

0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
Recently, I had the need to build a standalone system to run a point-of-sale system. I’m running this on a low-voltage Atom processor, so I wanted a light-weight operating system, but still needed Windows. I chose to use Microsoft Windows Server 200…
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question