Link to home
Start Free TrialLog in
Avatar of gtrivedi
gtrivedi

asked on

GPO Question: How to Restrict saving on desktop

Scenario:

Windows 2003 Active Directory
Win XP SP2 Workstations.

I'm writing a GPO through which I want to remove the ability for domains users to save on desktop.I have found the following setting which removes Desktop from save as dialoge box.
User Settings>Adm templates>Windows Components>Windows Explorer>Common Open File Dialogue

Now I actually need a way to prohibit users from creating/saving files on desktop. This means that:
1) Users cannot right click and create new file/folder
2) Users cannot save outlook attachments on Desktop (they can save it on their H drive)
3) They cannot move(drag and Drop) files like excel/word etc from my documents to desktop.

basically if the user tries to do any of the above, user should get an error.

I read some articles on how to do this and one thing I want to say clearly is that , we donot want to use Folder Redirection to a Share and then remove write permission. Its a good solution but doesn't fit in our infrastructure because of large number of remote offices and bandwidth problem with the hub.

Ideally I would like to run a user logon script which removes permissions from "%userProfile%\Desktop" folder. but I can't get it to work with user rights. Any suggestions please ? I'm open to using Vbscript and/or command line tools like Xcacls. Basically I want this script to not run in user context but in computer context but as a user Logon script and not a startup script.

Thanks and regards
G
ASKER CERTIFIED SOLUTION
Avatar of Brian Pierce
Brian Pierce
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of gtrivedi
gtrivedi

ASKER

Hi  used the /D (deny permission) and it seems to be working but when I go via windows explorer, I see that the user can change permissions again.

Administrators:F
User(logged on user): /D (denied permissions)
System: F

What can do to reove the ability for users to see the security Tab when they see the properties of
%Userprofile%\Desktop ?