?
Solved

Disabling Shortcut creation on the desktop with Group Policy (Windows Server 2003)

Posted on 2006-11-28
4
Medium Priority
?
839 Views
Last Modified: 2012-08-13
Our environment is pretty locked down and works great...

Is there a way to disable DESKTOP SHORTCUT CREATIONS?  We're not using profiles and don't plan to.

The only thing I could find was with regards to preventing the WMP from creating a desktop shortcut.


Thanks!
0
Comment
Question by:jgantes
  • 2
  • 2
4 Comments
 
LVL 26

Accepted Solution

by:
Pber earned 400 total points
ID: 18037373
This might work...

In a GPO configure this:

User Configuration\Administrative Templates\Desktop\Active Desktop

Enable Active Desktop  - Enable
Prohibit changes - Enable

You can also play with the other settings like

Prohibit Adding items, etc
0
 

Author Comment

by:jgantes
ID: 18039030
We'd prefer not to have Active Desktop on.  And, unfortunately, they have to be able to add items to the desktop.

YOU can see that we're in quite the pickle :-)
0
 
LVL 26

Expert Comment

by:Pber
ID: 18039167
I think you are out of luck.  

Active Desktop is about the only way.  You can just "Prohibit Deleting items" and still allow users to Add items.

You could mess around with NTFS permissions on C:\Documents and Settings\someuser\Desktop, but I think that will just be opening up a can of worms.  It's always tough to allow adds and not deletes.
0
 

Author Comment

by:jgantes
ID: 18039303
Yea, that's what we're finding... This all came up because we wanted to make sure users couldn't make SHORTCUTS to executables on mapped drives.  We have some old accounting software that runs on a mapped drive and reauires read access.  However, if they run a shortcut with a switch IE, "Accounting.exe PsswdRst" they can reset passwords.  Horrible software if you ask me, but it's going to be a while before we move on from it.

Why do people reset passwords?  Because they make errors and want to fix them without a supervisor knowing.  IT doesn't happen much, but it's a big problem when it does.

So, with that said, you see my dilemma.  Of course, they need access to "Accounting.exe" because that runs their client app.

In all, it's not he creation of desktop items such as folders, etc., it's only the shortcuts.  (Of course we have cmd.exe disabled too)

0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, I had the need to build a standalone system to run a point-of-sale system. I’m running this on a low-voltage Atom processor, so I wanted a light-weight operating system, but still needed Windows. I chose to use Microsoft Windows Server 200…
Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
The Relationships Diagram is a good way to get an overall view of what a database is keeping track of. It is also where relationships are defined. A relationship specifies how two tables connect to each other. As you build tables in Microsoft Ac…
Enter Foreign and Special Characters Enter characters you can't find on a keyboard using its ASCII code ... and learn how to make a handy reference for yourself using Excel ~ Use these codes in any Windows application! ... whether it is a Micr…

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question