disable creating shortcuts

Posted on 2008-11-17
Last Modified: 2012-06-22
We have stopped students creating shortcuts on the desktop using group policy. If they go into their home directory and go to file -new -shortcut and typing in the dialog box \\filesvr, they can create a shortcut and look at other students work. They cannot delete the other students work but can create new documents in the other students directories. Is there any GPO toStop a user creating a shortcut in their home directory
Question by:rosr
    LVL 18

    Expert Comment

    Uhh, if they can create or view files in other users directories, it's not a GPO to stop shortcuts you need..  What you need is to fix your permissions..
    LVL 4

    Assisted Solution

    LVL 1

    Accepted Solution

    You can use software restriction policies (SRP) to ensure that .lnk files (shortcuts) cannot be created.  First you need to set .lnk as the only designated file type in the SRP:
    1. Open the group policy management console
    2. Open Software Restriction Policies.
    3. In the details pane, double-click Designated File Types.
    4. Add in .lnk files and remove all others

    Then you need to create a new path rule and set it to Disallowed.  Use the path of the home directory and apply the policy to the correct OU, refresh the policy (gpupdate /force) on the client or wait for auto refresh.

    This KB article will help you here:
    LVL 18

    Assisted Solution

    That's all well and good, but that's not going to stop the root cause of the problem.  A user could just as easily open Notepad or Word or any other app and simply type in the shortcut to the other user's directory (they obviously know them or have figured them out).

    The only way to prevent this behavior is to fix the permissions problems that obviously exist.

    LVL 21

    Assisted Solution

    This seems to be a hard thing to and see if this helps...
    LVL 1

    Expert Comment

    You're quite right but the question was how do you stop users creating shortcuts in their home folder.  

    Author Closing Comment

    removed all domain users from the share permission

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Why You Should Analyze Threat Actor TTPs

    After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

    The saying goes a bad carpenter blames his tools. In the Directory Services world a bad system administrator, well, even with the best tools they’re probably not going to become an all star.  However for the system admin who is willing to spend a li…
    [b]Ok so now I will show you how to add a user name to the description at login. [/b] First connect to your DC (Domain Controller / Active Directory Server) SET PERMISSIONS FOR SCRIPT TO UPDATE COMPUTER DESCRIPTION TO USERNAME 1. Open Active …
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
    This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

    779 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    13 Experts available now in Live!

    Get 1:1 Help Now