Looking for suggestions on how to prevent users from saving certain file types to local drive/desktop

Hello,

I keep coming across a common problem in my organization.  I constantly am finding that several of my end-users will save business critical documents directly onto their hard disk as opposed to the network home directory that we provide for them.  It strikes fear into my heart every time I see it because I know that, if the HDD dies or is overwritten, there would be no way in which to retrieve anything that they tell us later on that they absolutely need and no longer have.  I figured that there would be some sort of easy way within Group Policy to prevent this, but I have been told that there is nothing as straightforward as I would like.  A cursory Google search did not really give me any straightforward answers either, at least not so far as what I precisely want to do.  Therefore, I am opening the floor here to see if anyone has come up with a creative solution to this.

An additional wrinkle from the standpoint of my situation is this. . .there are some things that we do need for the local user to save/write locally from the standpoint of system files that are necessary for certain business applications to run.  Therefore, I cannot simply lock everything down en masse (such as simply enforcing mandatory profiles by changing <ntuser.dat> to <ntuser.man>).  I want to be able to granulate the restriction to things such as Word/Excel/PowerPoint/Access files as well as .PDF files.

Thanks,
AfpSysGrp Asked:

William Fulks (Systems Analyst & Webmaster) Commented:
You could hide their local hard drives from them. Here's a way to do it using group policy:

http://support.microsoft.com/kb/231289

I have had this same problem at a previous job and mainly it's a combination of training and stubbornness. You can train people on where to save and use all the scare tactics you want, but some people are just too stubborn not to keep saving locally. I've seen people lose a TON of work thanks to dead hard drives. Lesson learned!
0
mark_harris231 Commented:
What about setting up a logoff script to move or copy those files you're interested in preserving?  You could also schedule a task to run periodically throughout the day (maybe mid-morning, lunch and end-of-day).  Obviously, it isn't foolproof, but may help while you're trying to "turn the ship" on user habits.  I would further suggest that you include something in the filename or properties so that you know (and more importantly, can report on) who's following direction.
0
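A sketch of the logoff or scheduled-task sweep suggested in the comment above, as an added example that is not code from the thread or its participants. The destination `H:\LocalSweep`, the report file name and the choice of the Desktop as the swept folder are assumptions; the extension list follows the file types named in the question.

```powershell
# Added example: logoff / scheduled-task sweep. Paths below are assumptions.
param(
    [string[]]$Source      = @("$env:USERPROFILE\Desktop"),  # local folders to sweep
    [string]  $Destination = 'H:\LocalSweep',                # assumed mapped home drive
    [string]  $Report      = 'H:\LocalSweep\sweep-report.tsv'
)

# File types named in the question: Word, Excel, PowerPoint, Access, PDF.
$extensions = '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.mdb', '.accdb', '.pdf'

if (-not (Test-Path -LiteralPath $Destination)) {
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
}

foreach ($dir in $Source) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    $files = Get-ChildItem -LiteralPath $dir -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $extensions -contains $_.Extension.ToLower() }

    foreach ($file in $files) {
        # User name and last-write time go into the copy's name, so the share
        # shows who saved locally and repeated runs do not overwrite versions.
        $stamp  = $file.LastWriteTime.ToString('yyyyMMdd-HHmmss')
        $name   = '{0}_{1}_{2}{3}' -f $env:USERNAME, $file.BaseName, $stamp, $file.Extension
        $target = Join-Path $Destination $name

        if (Test-Path -LiteralPath $target) { continue }   # this version is already copied

        try {
            Copy-Item -LiteralPath $file.FullName -Destination $target -ErrorAction Stop
            # One tab-separated line per copied file: when, who, which PC, original path.
            $line = "{0}`t{1}`t{2}`t{3}" -f (Get-Date -Format s), $env:USERNAME,
                $env:COMPUTERNAME, $file.FullName
            Add-Content -LiteralPath $Report -Value $line
        } catch {
            # A document still open in its application may be locked; log and move on.
            Write-Warning "Could not copy $($file.FullName): $($_.Exception.Message)"
        }
    }
}
```

The script copies rather than moves, so the local file stays where the user left it; the report file is what lets an administrator see which users and machines still save locally.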
AfpSysGrp (Author) Commented:
Mark, thanks for the suggestion, but I am hoping rather to prevent this from happening at all as opposed to needing to clean it up after the fact.

Phungus, that GP setting (User Configuration\Administrative Templates\Windows Components\Windows Explorer\Hide these specified drives from My Computer) only partially worked.  It did hide the C: drive from the <My Computer> window that you get after hitting the <My Computer> icon on the desktop.  However, if you were to go to Windows Explorer you would still see the C: in the tree structure embedded underneath <My Computer>.  Take a look at the screenshot that I provided.  Maybe there is a way to keep them from getting to Windows Explorer at all?  That, along with the other GP setting, could possibly do it.
Hide-specified-drives-in-My-Comp.docx
0
AfpSysGrp (Author) Commented:
Simple solution. . .deny the <Write> permission to <C:\Documents and Settings\%username%\Desktop>.  This along with the previously mentioned GP setting is at least something.  I still don't like what I consider to be an incomplete solution with regards to the GP setting, but that is on Microsoft.

I have asked one of my system administrators to see if he can invoke a GPO that would automatically set the Deny permission of all <Desktop> folders for any user profile that would pop up on a PC.
0
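One way to apply the Deny Write entry described above to every existing profile on a PC, as an added example that is not the author's or his administrator's script. It assumes each profile folder under `C:\Documents and Settings` is named after the account, that the accounts live in the domain given by `$Domain`, and that the skip list covers the built-in profiles; all three are assumptions to adjust.

```powershell
# Added example: deny Write on each local profile's Desktop. Names are assumptions.
param(
    [string]  $ProfileRoot = 'C:\Documents and Settings',
    [string]  $Domain      = $env:USERDOMAIN,
    [string[]]$Skip        = @('All Users', 'Default User', 'LocalService',
                               'NetworkService', 'Administrator'),
    [switch]  $Apply       # without -Apply the script only reports what it would change
)

$rights    = [System.Security.AccessControl.FileSystemRights]::Write
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$deny      = [System.Security.AccessControl.AccessControlType]::Deny

$folders = Get-ChildItem -LiteralPath $ProfileRoot |
    Where-Object { $_.PSIsContainer -and $Skip -notcontains $_.Name }

foreach ($folder in $folders) {
    $desktop = Join-Path $folder.FullName 'Desktop'
    if (-not (Test-Path -LiteralPath $desktop)) { continue }

    # Assumption: the profile folder name is the account name.
    $account = '{0}\{1}' -f $Domain, $folder.Name
    try {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $account, $rights, $inherit, $propagate, $deny
        $acl = Get-Acl -Path $desktop
        $acl.AddAccessRule($rule)      # fails here if the account cannot be resolved
        if ($Apply) {
            Set-Acl -Path $desktop -AclObject $acl -ErrorAction Stop
            Write-Output "Deny Write applied: $desktop ($account)"
        } else {
            Write-Output "Would deny Write:   $desktop ($account)"
        }
    } catch {
        Write-Warning "Skipped ${desktop}: $($_.Exception.Message)"
    }
}
```

Run it once without `-Apply` to review the list of folders and accounts. Profiles created after the run are not covered, so it has to be repeated, for example from a startup script.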

AfpSysGrp (Author) Commented:
Additional independent research that was conducted along with the posing of the question.
0
Microsoft Legacy OS