Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 343
  • Last Modified:

Restricting the save option

Dear Admins,

I need an group policy option so that any of the users do not save any thing on there system or on the desktop.  if they would try to save any thing they should get an alert/error message stating that you are not authorised to save it on this system.

regards,
venkat.
0
venkatspb
Asked:
venkatspb
1 Solution
 
helpfinderIT ConsultantCommented:
Hi,
I am posting answer from MS technet:

To prevent Desktop saving you can do 1 of 2 things.

1> Enable Mandatory Profiles. This gives users access to save on the desktop for as long as they are logged in BUT when they logoff the entire profile is deleted including the desktop folder.

2> Enable Folder Redirection for the Desktop. This can be done with either Roaming Profiles or Local Profiles. If using Roaming Profiles redirect the users to their Profile Desktop location on the server. Eg. profiles are stored at \\server\profiles$\username  Redirect to \\server\profiles$\username\Desktop.  However, it would depend also if you are using mandatory profiles (where hundreds of users are using the same read-only profile) or just roaming profiles.

If you are running Windows 2003 R2 or later you have the File Server Resource Manager as a part of the OS. Usually it is installed separately though. I have it installed on my file servers.
http://technet.microsoft.com/en-us/library/cc754810.aspx

What this does is give you the abililty to prevet ANY saving on the server of the file types that you don't want. It works wonderfully and I love it.

Users can only save to their My Documents on my network. All other drives are Read-Only
.

source:
http://social.technet.microsoft.com/Forums/eu/winserverGP/thread/042a06f5-bf36-48ae-b982-77cd75f56cab

And other handy post also from MS technet:

The easy way to prevent users to save data on desktop is set folder redirection policy, redirect users’ desktop to a network share where users don’t have write permission.

Create a network share on your server, but don’t grant write permission for domain users group.

Create a GPO and link it to a scope (site, domain or OU lever not a group) that contains your domain user account.

Configure the GPO-->User Configuration-->Windows Settings-->Folder redirection-->Desktop-->Desktop Properties-->Target tab-->Setting: Basic – Redirect everyone’s folder to the same location-->Root Path: input your network share

You can also prevent user to save data in desktop through modify user’s desktop folder ACL directly.

1. Copy and save below code to a .bat file

Echo Y| cacls %userprofile%\desktop /P %username%:R

2. Create a new GPO and link it to a scope (site, domain or OU level not a Group)
3. Set at User Configuration\Windows Settings\Script\Logon
4. Copy the .bat file to Logon folder (Logon script Properties-->Add-->Browse-->Logon folder)

For more information please refer to following MS articles:
Disable adding or removing items from desktop
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/cebdf074-4cd8-4a5c-8a32-978b6747b6ff
Prevent user to save in desktop
http://social.technet.microsoft.com/Forums/en/winserverGP/thread/042a06f5-bf36-48ae-b982-77cd75f56cab
Cacls: Displays and Modifies NTFS Access Control Lists
http://technet.microsoft.com/en-us/library/cc976803.aspx

source:
http://social.technet.microsoft.com/Forums/en/winserverGP/thread/d3b21ee2-fcf8-43d6-9700-2a5f3fb3d88d
0
 
venkatspbSenior Software EngineerAuthor Commented:
Thanks
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Tackle projects and never again get stuck behind a technical roadblock.
Join Now