Solved

Group Policy and Restrict Users from Changing Desktop Icons.

Posted on 2007-11-19
8
3,822 Views
Last Modified: 2008-02-01
I am currently using group policy to push out restrictions.  Is there any way to keep users from changing the desktop icons?  I want to do this without 3rd party software.  I also cannot make them part of the user group, because of programs they have to run.
0
Comment
Question by:Smithville
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 9

Expert Comment

by:asawatzki
ID: 20315165
You could restrict user rights to Read and Execute in NTFS permissions for the following folders:

c:\documents and settings\%username%\Desktop
c:\documents and settings\All Users\Desktop
0
 
LVL 2

Expert Comment

by:DrTrollrot
ID: 20315412
Have you tried to

GPO -> User Configuration -> Administrative Templates -> Desktop

Don't save settings at exit = Enabled

You also have more goodies there like  ...

Remove Properties from the My Documents context menu
Remove Properties from the My Computer context menu
Remove Properties from the Recycle Bin context menu
Prevent adding, dragging, dropping and closing the Taskbar's toolbars
Prohibit adjusting desktop toolbars
0
 

Author Comment

by:Smithville
ID: 20315940
These users are administrators.  They have to be administrators to run certain programs.  So I cant' restrict access through NTFS permissions.  The GPO -> User Configuration -> Administrative Templates -> Desktop does not keep them from changing desktop icons.
0
 
LVL 2

Expert Comment

by:DrTrollrot
ID: 20316132
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 20316180
I prefer not to mention this, as I just don't like them, but...    Mandatory Profiles, perhaps?
0
 
LVL 9

Expert Comment

by:asawatzki
ID: 20317124
Yes you could remove inherited permissions on the desktop folders, and then add back admininstrators as Read and Execute.  Then if you need for some accounts to have full control, you could add domain admins, or specific accounts back as well.  If you change it on the c:\documents and settings\Default user\desktop , then it should copy those permissions over to whoever else logs in.
0
 

Author Comment

by:Smithville
ID: 20319674
The icons they are editing, are the ones in All Users.  I don't care if the edit they ones in their own profile, because their profile is deleted on exit.  Asawatzki's idea of default user gives me an idea of making all icons on the desktop in default user.  That way once they log off, their profile is deleted, and their changes are moot.  Then when a new user logs on, the default user profile is used and the icons are still correct.  From all the ideas, I assume that their is no option of using Group Policy.  We have over 500 machines, and changing the default user, would mean imaging all of them.
0
 
LVL 9

Accepted Solution

by:
asawatzki earned 500 total points
ID: 20319729
You could use Group Policy to deploy a script that would make the permissions changes.  You wouldn't need to image all of them.  Just use the xcacls utility from microsoft:  http://support.microsoft.com/kb/825751
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Step by step guide to Clean and Sort your windows registry! Introduction: Always remember: A Clean registry = Better performance = Save your invaluable time In this article we're going to clear our registry manually! Yes, manually! The e…
For both online and offline retail, the cross-channel business is the most recent pattern in the B2C trade space.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now