Solved

Restricting the save option

Posted on 2013-01-17
2
319 Views
Last Modified: 2013-01-24
Dear Admins,

I need an group policy option so that any of the users do not save any thing on there system or on the desktop.  if they would try to save any thing they should get an alert/error message stating that you are not authorised to save it on this system.

regards,
venkat.
0
Comment
Question by:venkatspb
2 Comments
 
LVL 19

Accepted Solution

by:
helpfinder earned 500 total points
ID: 38791941
Hi,
I am posting answer from MS technet:

To prevent Desktop saving you can do 1 of 2 things.

1> Enable Mandatory Profiles. This gives users access to save on the desktop for as long as they are logged in BUT when they logoff the entire profile is deleted including the desktop folder.

2> Enable Folder Redirection for the Desktop. This can be done with either Roaming Profiles or Local Profiles. If using Roaming Profiles redirect the users to their Profile Desktop location on the server. Eg. profiles are stored at \\server\profiles$\username  Redirect to \\server\profiles$\username\Desktop.  However, it would depend also if you are using mandatory profiles (where hundreds of users are using the same read-only profile) or just roaming profiles.

If you are running Windows 2003 R2 or later you have the File Server Resource Manager as a part of the OS. Usually it is installed separately though. I have it installed on my file servers.
http://technet.microsoft.com/en-us/library/cc754810.aspx

What this does is give you the abililty to prevet ANY saving on the server of the file types that you don't want. It works wonderfully and I love it.

Users can only save to their My Documents on my network. All other drives are Read-Only
.

source:
http://social.technet.microsoft.com/Forums/eu/winserverGP/thread/042a06f5-bf36-48ae-b982-77cd75f56cab

And other handy post also from MS technet:

The easy way to prevent users to save data on desktop is set folder redirection policy, redirect users’ desktop to a network share where users don’t have write permission.

Create a network share on your server, but don’t grant write permission for domain users group.

Create a GPO and link it to a scope (site, domain or OU lever not a group) that contains your domain user account.

Configure the GPO-->User Configuration-->Windows Settings-->Folder redirection-->Desktop-->Desktop Properties-->Target tab-->Setting: Basic – Redirect everyone’s folder to the same location-->Root Path: input your network share

You can also prevent user to save data in desktop through modify user’s desktop folder ACL directly.

1. Copy and save below code to a .bat file

Echo Y| cacls %userprofile%\desktop /P %username%:R

2. Create a new GPO and link it to a scope (site, domain or OU level not a Group)
3. Set at User Configuration\Windows Settings\Script\Logon
4. Copy the .bat file to Logon folder (Logon script Properties-->Add-->Browse-->Logon folder)

For more information please refer to following MS articles:
Disable adding or removing items from desktop
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/cebdf074-4cd8-4a5c-8a32-978b6747b6ff
Prevent user to save in desktop
http://social.technet.microsoft.com/Forums/en/winserverGP/thread/042a06f5-bf36-48ae-b982-77cd75f56cab
Cacls: Displays and Modifies NTFS Access Control Lists
http://technet.microsoft.com/en-us/library/cc976803.aspx

source:
http://social.technet.microsoft.com/Forums/en/winserverGP/thread/d3b21ee2-fcf8-43d6-9700-2a5f3fb3d88d
0
 
LVL 3

Author Closing Comment

by:venkatspb
ID: 38817449
Thanks
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to writing scripts for a Client/Server computing environment it is essential to consider some way of enabling the authentication functionality within a script. This sort of consideration mainly comes into the picture when we are dealin…
This article is the result of a quest to better understand Task Scheduler 2.0 and all the newer objects available in vbscript in this version over  the limited options we had scripting in Task Scheduler 1.0.  As I started my journey of knowledge I f…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question