?
Solved

Looking for suggestions on how to prevent users from saving certain file types to local drive/desktop

Posted on 2012-04-06
5
Medium Priority
?
614 Views
Last Modified: 2012-05-01
Hello,

I keep coming across a common problem in my organization.  I constantly am finding that several of my end-users will save business critical documents directly onto their hard disk as opposed to the network home directory that we provide for them.  It strikes fear into my heart every time I see it because I know that, if the HDD dies or is overwritten, there would be no way in which to retrieve anything that they tell us later on that they absolutely need and no longer have.  I figured that there would be some sort of easy way within Group Policy to prevent this, but I have been told that there is nothing as straightforward as I would like.  A cursory google search did not really give me any straightforward answers either, at least not so far as what I precisely want to do.  Therefore, I am opening the floor here to see if anyone has come up with a creative solution to this.

An additional wrinkle from the standpoint of my situation is this. . .there are some things that we do need for the local user to save/write locally from the standpoint of system files that are necessary for certain business applications to run.  Therefore, I cannot simply lock everything down en masse (such as simply enforcing mandatory profiles by changing <ntuser.dat> to <ntuser.man>).  I want to be able to granulate the restriction to things such as Word/Excel/Powerpoint/Access files as well as .PDF files

Thanks,
0
Comment
Question by:AfpSysGrp
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 15

Assisted Solution

by:William Fulks
William Fulks earned 1500 total points
ID: 37816546
You could hide their local hard drives from them. Here's a way to do it using group policy:

http://support.microsoft.com/kb/231289

I have had this same problem at a previous job and mainly it's a combination of training and stubbornness. You can train people on where to save and use all the scare tactics you want, but some people are just too stubborn not to keep saving locally. I've seen people lose a TON of work thanks to dead hard drives. Lesson learned!
0
 
LVL 10

Expert Comment

by:mark_harris231
ID: 37817301
What about setting up a logoff script to move or copy those files you're interested in preserving?  You could also schedule a task to run periodically throughout the day (maybe mid-morning, lunch and end-of-day).  Obviously, it isn't foolproof, but may help while you're trying to "turn the ship" on user habits.  I would further suggest that you include something in the filename or properties so that you know (and more importantly, can report on) who's following direction.
0
 

Author Comment

by:AfpSysGrp
ID: 37871481
Mark, thanks for the suggestion, but I am hoping rather to prevent this from happening at all as opposed to needing to clean it up after the fact.

Phungus, that GP setting (User Configuration\Administrative Templates\Windows Components\Windows Explorer\Hide these specified drives from My Computer) only partially worked.  It did hide the C: drive from the <My Computer> window that you get after hitting the <My Computer> icon on the desktop.  However, if you were to go to Windows Explorer you would still see the C: in the tree structure embedded underneath <My Computer>.  Take a look at the screenshot that I provided.  Maybe there is a way to keep them from getting to Windows Explorer at all?  That, along with the other GP setting, could possibly do it.
Hide-specified-drives-in-My-Comp.docx
0
 

Accepted Solution

by:
AfpSysGrp earned 0 total points
ID: 37898112
Simple solution. . .deny the <Write> permission to <C:\Documents and Settings\%username%\Desktop>.  This along with the previously mentioned GP setting is at least something.  I still don't like what I consider to be an incomplete solution with regards to the GP setting, but that is on Microsoft.

I have asked one of my system administrators to see of he can invoke a GPO that would automatically  set the Deny permission of all <Desktop> folders for any user profile that would pop up on a PC.
0
 

Author Closing Comment

by:AfpSysGrp
ID: 37913848
Additional independant research that was conducted along with the posing of the question.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article summaries thoughts and ideas from two years of sustained use. It provides good reasoning to make the jump to Windows 10.
An introduction to the wonderful sport of Scam Baiting.  Learn how to help fight scammers by beating them at their own game. This great pass time helps the world, while providing an endless source of entertainment. Enjoy!
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question