Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Group Policy and Restrict Users from Changing Desktop Icons.

Posted on 2007-11-19
8
Medium Priority
?
3,866 Views
Last Modified: 2008-02-01
I am currently using group policy to push out restrictions.  Is there any way to keep users from changing the desktop icons?  I want to do this without 3rd party software.  I also cannot make them part of the user group, because of programs they have to run.
0
Comment
Question by:Smithville
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 9

Expert Comment

by:asawatzki
ID: 20315165
You could restrict user rights to Read and Execute in NTFS permissions for the following folders:

c:\documents and settings\%username%\Desktop
c:\documents and settings\All Users\Desktop
0
 
LVL 2

Expert Comment

by:DrTrollrot
ID: 20315412
Have you tried to

GPO -> User Configuration -> Administrative Templates -> Desktop

Don't save settings at exit = Enabled

You also have more goodies there like  ...

Remove Properties from the My Documents context menu
Remove Properties from the My Computer context menu
Remove Properties from the Recycle Bin context menu
Prevent adding, dragging, dropping and closing the Taskbar's toolbars
Prohibit adjusting desktop toolbars
0
 

Author Comment

by:Smithville
ID: 20315940
These users are administrators.  They have to be administrators to run certain programs.  So I cant' restrict access through NTFS permissions.  The GPO -> User Configuration -> Administrative Templates -> Desktop does not keep them from changing desktop icons.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 2

Expert Comment

by:DrTrollrot
ID: 20316132
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 20316180
I prefer not to mention this, as I just don't like them, but...    Mandatory Profiles, perhaps?
0
 
LVL 9

Expert Comment

by:asawatzki
ID: 20317124
Yes you could remove inherited permissions on the desktop folders, and then add back admininstrators as Read and Execute.  Then if you need for some accounts to have full control, you could add domain admins, or specific accounts back as well.  If you change it on the c:\documents and settings\Default user\desktop , then it should copy those permissions over to whoever else logs in.
0
 

Author Comment

by:Smithville
ID: 20319674
The icons they are editing, are the ones in All Users.  I don't care if the edit they ones in their own profile, because their profile is deleted on exit.  Asawatzki's idea of default user gives me an idea of making all icons on the desktop in default user.  That way once they log off, their profile is deleted, and their changes are moot.  Then when a new user logs on, the default user profile is used and the icons are still correct.  From all the ideas, I assume that their is no option of using Group Policy.  We have over 500 machines, and changing the default user, would mean imaging all of them.
0
 
LVL 9

Accepted Solution

by:
asawatzki earned 2000 total points
ID: 20319729
You could use Group Policy to deploy a script that would make the permissions changes.  You wouldn't need to image all of them.  Just use the xcacls utility from microsoft:  http://support.microsoft.com/kb/825751
0

Featured Post

Transaction-level recovery for Oracle database

Veeam Explore for Oracle delivers low RTOs and RPOs with agentless transaction log backup and transaction-level recovery of Oracle databases. You can restore the database to a precise point in time, even to a specific transaction.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

cPanel is a Unix based web hosting control panel that provides a graphical interface and automation tools designed to simplify the process of hosting a web site. cPanel utilizes a 3 tier structure that provides functionality for administrators, rese…
Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question