Solved

Looking for suggestions on how to prevent users from saving certain file types to local drive/desktop

Posted on 2012-04-06
Last Modified: 2012-05-01
Hello,

I keep coming across a common problem in my organization.  I constantly am finding that several of my end-users will save business critical documents directly onto their hard disk as opposed to the network home directory that we provide for them.  It strikes fear into my heart every time I see it because I know that, if the HDD dies or is overwritten, there would be no way in which to retrieve anything that they tell us later on that they absolutely need and no longer have.  I figured that there would be some sort of easy way within Group Policy to prevent this, but I have been told that there is nothing as straightforward as I would like.  A cursory Google search did not really give me any straightforward answers either, at least not so far as what I precisely want to do.  Therefore, I am opening the floor here to see if anyone has come up with a creative solution to this.

An additional wrinkle from the standpoint of my situation is this... there are some things that we do need for the local user to save/write locally from the standpoint of system files that are necessary for certain business applications to run.  Therefore, I cannot simply lock everything down en masse (such as simply enforcing mandatory profiles by changing <ntuser.dat> to <ntuser.man>).  I want to be able to granulate the restriction to things such as Word/Excel/PowerPoint/Access files as well as .PDF files.

Thanks,
Question by:AfpSysGrp
 
LVL 13

Assisted Solution

by:William Fulks
William Fulks earned 500 total points
ID: 37816546
You could hide their local hard drives from them. Here's a way to do it using group policy:

http://support.microsoft.com/kb/231289

I have had this same problem at a previous job and mainly it's a combination of training and stubbornness. You can train people on where to save and use all the scare tactics you want, but some people are just too stubborn not to keep saving locally. I've seen people lose a TON of work thanks to dead hard drives. Lesson learned!
 
LVL 10

Expert Comment

by:mark_harris231
ID: 37817301
What about setting up a logoff script to move or copy those files you're interested in preserving?  You could also schedule a task to run periodically throughout the day (maybe mid-morning, lunch and end-of-day).  Obviously, it isn't foolproof, but may help while you're trying to "turn the ship" on user habits.  I would further suggest that you include something in the filename or properties so that you know (and more importantly, can report on) who's following direction.
 

Author Comment

by:AfpSysGrp
ID: 37871481
Mark, thanks for the suggestion, but I am hoping rather to prevent this from happening at all as opposed to needing to clean it up after the fact.

Phungus, that GP setting (User Configuration\Administrative Templates\Windows Components\Windows Explorer\Hide these specified drives from My Computer) only partially worked.  It did hide the C: drive from the <My Computer> window that you get after hitting the <My Computer> icon on the desktop.  However, if you were to go to Windows Explorer you would still see the C: in the tree structure embedded underneath <My Computer>.  Take a look at the screenshot that I provided.  Maybe there is a way to keep them from getting to Windows Explorer at all?  That, along with the other GP setting, could possibly do it.
Hide-specified-drives-in-My-Comp.docx
 

Accepted Solution

by:
AfpSysGrp earned 0 total points
ID: 37898112
Simple solution. . .deny the <Write> permission to <C:\Documents and Settings\%username%\Desktop>.  This along with the previously mentioned GP setting is at least something.  I still don't like what I consider to be an incomplete solution with regards to the GP setting, but that is on Microsoft.

I have asked one of my system administrators to see if he can invoke a GPO that would automatically set the Deny permission of all <Desktop> folders for any user profile that would pop up on a PC.
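The Deny-Write-on-Desktop approach from the accepted solution, as an added PowerShell example (not code from the thread) that could run as a startup script. Assumptions: an elevated Windows PowerShell session, profiles enumerated from the `ProfileList` registry key, Desktop folders that are not redirected, and a hypothetical `-Apply` switch without which the script only reports.

```powershell
# Added example: plan or apply a Deny-Write ACE on every local user profile's Desktop.
# Assumptions: Windows PowerShell, elevated session, Desktop not redirected.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$write       = [System.Security.AccessControl.FileSystemRights]::Write
$sidType     = [System.Security.Principal.SecurityIdentifier]

foreach ($key in Get-ChildItem $profileList) {
    $sid = $key.PSChildName
    # Only user accounts (local or domain); skips SYSTEM, LocalService, NetworkService
    if ($sid -notlike 'S-1-5-21-*') { continue }

    # ProfileImagePath is REG_EXPAND_SZ; Get-ItemProperty returns it expanded
    $desktop = Join-Path (Get-ItemProperty $key.PSPath).ProfileImagePath 'Desktop'
    if (-not (Test-Path -LiteralPath $desktop -PathType Container)) { continue }

    $acl = Get-Acl -Path $desktop
    # Explicit (non-inherited) rules only, with identities returned as SIDs
    $existing = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $sid -and
        ($_.FileSystemRights -band $write) -eq $write
    }

    $state = 'already denied'
    if (-not $existing) {
        $state = 'would deny'
        if ($Apply) {
            # Deny Write to the profile owner, inherited by subfolders and files
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                (New-Object System.Security.Principal.SecurityIdentifier $sid),
                $write, 'ContainerInherit,ObjectInherit', 'None', 'Deny')
            $acl.AddAccessRule($rule)
            Set-Acl -Path $desktop -AclObject $acl
            $state = 'denied'
        }
    }
    # One result row per profile so the run can be logged or reported on
    New-Object PSObject -Property @{ Sid = $sid; Desktop = $desktop; State = $state }
}
```

Because the script skips profiles that already carry the ACE, it can be re-run at every startup to catch new profiles. The Deny entry applies to everything running as that user, so installers or applications that create Desktop shortcuts in the user's context will also fail to write there.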
 

Author Closing Comment

by:AfpSysGrp
ID: 37913848
Additional independent research that was conducted along with the posing of the question.
