
Stop users saving to the desktop

armatage asked
We have a large number of users who regularly save to the desktop, and as we use roaming profiles this causes lots of problems. No matter how often they are told not to, they still do.

Is there a way to stop users from saving documents/copying files to their desktop but still allow them to create shortcuts?


This PowerPoint from Microsoft may answer your question here: support.microsoft.com/servicedesks/webcasts/wc011002/WC011002.ppt
Here is another link you may want to check out: http://articles.techrepublic.com.com/5100-24_11-5239498.html, titled "Lock down a desktop by setting up multiple mandatory profiles in a terminal server and MetaFrame environment".
ROAMING profiles are not what you want.

Mandatory Profiles:

If you don't want your users to be able to save configuration changes to their NT environment, then use mandatory profiles.

On individual workstations you would rename the NTUSER.DAT file to NTUSER.MAN. This tells NT that no changes can be made to the profile. Users can still modify their NT environment while logged on, but they cannot save changes when they log off.

If you want a group of users, say the Accounting group, to use a mandatory profile, do this:

1. Create a user on an NT PC, log on as that user, configure the NT PC the way you want it, then log off.
2. Under your Profiles$ share on an NT server, create a profile directory for the group and give it a .man extension. For example, create an accounting.man directory. Give the Accounting group at least Read and Execute permissions to this directory.
3. Log back on to the PC as an Admin, and copy the configured profile to the accounting.man directory. For Permitted to use, assign the Accounting group.
4. Go to the accounting.man directory on the server and rename NTUSER.DAT to NTUSER.MAN.
5. Open User Manager for Domains, select the members of the Accounting group, click the User Menu, then Properties, then Profile, and in the User Profile Path enter the path to the accounting.man directory: \\server01\profiles$\accounting.man

Now, when anyone in the accounting group logs in to the domain, they will get this mandatory profile on their PCs.


- You have to manually create a Mandatory Profile directory on a server. Unlike non-mandatory roaming profiles, NT will not create a user directory for you.
- If a user tries logging on, and the Mandatory Profile is not available (the server that it is on is unavailable), then the user will not be able to log on to their PC.
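
A read-only check of the mandatory profile share set up in steps 1 to 5 above, as an added PowerShell example that is not part of the original thread. The function name `Test-MandatoryProfile` is hypothetical; the path and group are the ones from the answer's accounting example, and the write-access warning is an extra check that the answer does not mention.

```powershell
function Test-MandatoryProfile {
    param(
        [Parameter(Mandatory)][string]$Path,       # profile path entered in step 5
        [Parameter(Mandatory)][string]$GroupName   # group the profile is assigned to
    )

    # If the share is unreachable, users assigned this profile cannot log on.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return "FAIL: $Path is not reachable"
    }
    $findings = New-Object System.Collections.Generic.List[string]

    # Step 2: the profile directory itself carries the .man extension.
    if ([IO.Path]::GetExtension($Path.TrimEnd('\')) -ne '.man') {
        $findings.Add('FAIL: directory name does not end in .man')
    }

    # Step 4: NTUSER.DAT renamed to NTUSER.MAN (-Force lists hidden files).
    $names = @(Get-ChildItem -LiteralPath $Path -Force -File |
               Select-Object -ExpandProperty Name)
    if ($names -notcontains 'NTUSER.MAN') { $findings.Add('FAIL: NTUSER.MAN not found') }
    if ($names -contains 'NTUSER.DAT') { $findings.Add('FAIL: NTUSER.DAT still present (step 4 not done)') }

    # Step 2: the group needs at least Read and Execute. Only ACEs that name
    # the group directly are examined; nested membership is not resolved.
    $rights = [System.Security.AccessControl.FileSystemRights]
    $aces = @((Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$GroupName"
    })
    $need = $rights::ReadAndExecute
    if (-not ($aces | Where-Object { ($_.FileSystemRights -band $need) -eq $need })) {
        $findings.Add("FAIL: $GroupName has no Allow entry with Read and Execute")
    }

    # Extra check, not one of the answer's steps: write access would let any
    # group member alter the profile that every other member loads.
    if ($aces | Where-Object { ($_.FileSystemRights -band $rights::Write) -ne 0 }) {
        $findings.Add("WARN: $GroupName can write to the shared profile")
    }

    if ($findings.Count -eq 0) { return "OK: $Path matches the steps" }
    return $findings
}

# Path and group taken from the answer's accounting example.
Test-MandatoryProfile -Path '\\server01\profiles$\accounting.man' -GroupName 'Accounting'
```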

