?
Solved

Group Policy and Restrict Users from Changing Desktop Icons.

Posted on 2007-11-19
8
Medium Priority
?
3,856 Views
Last Modified: 2008-02-01
I am currently using group policy to push out restrictions.  Is there any way to keep users from changing the desktop icons?  I want to do this without 3rd party software.  I also cannot make them part of the user group, because of programs they have to run.
0
Comment
Question by:Smithville
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 9

Expert Comment

by:asawatzki
ID: 20315165
You could restrict user rights to Read and Execute in NTFS permissions for the following folders:

c:\documents and settings\%username%\Desktop
c:\documents and settings\All Users\Desktop
0
 
LVL 2

Expert Comment

by:DrTrollrot
ID: 20315412
Have you tried to

GPO -> User Configuration -> Administrative Templates -> Desktop

Don't save settings at exit = Enabled

You also have more goodies there like  ...

Remove Properties from the My Documents context menu
Remove Properties from the My Computer context menu
Remove Properties from the Recycle Bin context menu
Prevent adding, dragging, dropping and closing the Taskbar's toolbars
Prohibit adjusting desktop toolbars
0
 

Author Comment

by:Smithville
ID: 20315940
These users are administrators.  They have to be administrators to run certain programs.  So I cant' restrict access through NTFS permissions.  The GPO -> User Configuration -> Administrative Templates -> Desktop does not keep them from changing desktop icons.
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 2

Expert Comment

by:DrTrollrot
ID: 20316132
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 20316180
I prefer not to mention this, as I just don't like them, but...    Mandatory Profiles, perhaps?
0
 
LVL 9

Expert Comment

by:asawatzki
ID: 20317124
Yes you could remove inherited permissions on the desktop folders, and then add back admininstrators as Read and Execute.  Then if you need for some accounts to have full control, you could add domain admins, or specific accounts back as well.  If you change it on the c:\documents and settings\Default user\desktop , then it should copy those permissions over to whoever else logs in.
0
 

Author Comment

by:Smithville
ID: 20319674
The icons they are editing, are the ones in All Users.  I don't care if the edit they ones in their own profile, because their profile is deleted on exit.  Asawatzki's idea of default user gives me an idea of making all icons on the desktop in default user.  That way once they log off, their profile is deleted, and their changes are moot.  Then when a new user logs on, the default user profile is used and the icons are still correct.  From all the ideas, I assume that their is no option of using Group Policy.  We have over 500 machines, and changing the default user, would mean imaging all of them.
0
 
LVL 9

Accepted Solution

by:
asawatzki earned 2000 total points
ID: 20319729
You could use Group Policy to deploy a script that would make the permissions changes.  You wouldn't need to image all of them.  Just use the xcacls utility from microsoft:  http://support.microsoft.com/kb/825751
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup" or a blinking cursor with black screen. A loop for Auto repair will start but fix nothing.  You will be panic as there are no back…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question