Solved

Group Policy and Restrict Users from Changing Desktop Icons.

Posted on 2007-11-19
8
3,811 Views
Last Modified: 2008-02-01
I am currently using group policy to push out restrictions.  Is there any way to keep users from changing the desktop icons?  I want to do this without 3rd party software.  I also cannot make them part of the user group, because of programs they have to run.
0
Comment
Question by:Smithville
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 9

Expert Comment

by:asawatzki
ID: 20315165
You could restrict user rights to Read and Execute in NTFS permissions for the following folders:

c:\documents and settings\%username%\Desktop
c:\documents and settings\All Users\Desktop
0
 
LVL 2

Expert Comment

by:DrTrollrot
ID: 20315412
Have you tried to

GPO -> User Configuration -> Administrative Templates -> Desktop

Don't save settings at exit = Enabled

You also have more goodies there like  ...

Remove Properties from the My Documents context menu
Remove Properties from the My Computer context menu
Remove Properties from the Recycle Bin context menu
Prevent adding, dragging, dropping and closing the Taskbar's toolbars
Prohibit adjusting desktop toolbars
0
 

Author Comment

by:Smithville
ID: 20315940
These users are administrators.  They have to be administrators to run certain programs.  So I cant' restrict access through NTFS permissions.  The GPO -> User Configuration -> Administrative Templates -> Desktop does not keep them from changing desktop icons.
0
 
LVL 2

Expert Comment

by:DrTrollrot
ID: 20316132
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 20316180
I prefer not to mention this, as I just don't like them, but...    Mandatory Profiles, perhaps?
0
 
LVL 9

Expert Comment

by:asawatzki
ID: 20317124
Yes you could remove inherited permissions on the desktop folders, and then add back admininstrators as Read and Execute.  Then if you need for some accounts to have full control, you could add domain admins, or specific accounts back as well.  If you change it on the c:\documents and settings\Default user\desktop , then it should copy those permissions over to whoever else logs in.
0
 

Author Comment

by:Smithville
ID: 20319674
The icons they are editing, are the ones in All Users.  I don't care if the edit they ones in their own profile, because their profile is deleted on exit.  Asawatzki's idea of default user gives me an idea of making all icons on the desktop in default user.  That way once they log off, their profile is deleted, and their changes are moot.  Then when a new user logs on, the default user profile is used and the icons are still correct.  From all the ideas, I assume that their is no option of using Group Policy.  We have over 500 machines, and changing the default user, would mean imaging all of them.
0
 
LVL 9

Accepted Solution

by:
asawatzki earned 500 total points
ID: 20319729
You could use Group Policy to deploy a script that would make the permissions changes.  You wouldn't need to image all of them.  Just use the xcacls utility from microsoft:  http://support.microsoft.com/kb/825751
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now