Solved

Restricting the save option

Posted on 2013-01-17
Last Modified: 2013-01-24
Dear Admins,

I need a group policy option so that any of the users do not save anything on their system or on the desktop. If they try to save anything, they should get an alert/error message stating that you are not authorised to save it on this system.

regards,
venkat.
Question by:venkatspb
2 Comments
 
LVL 19

Accepted Solution

by:
helpfinder earned 500 total points
ID: 38791941
Hi,
I am posting answer from MS technet:

To prevent Desktop saving you can do 1 of 2 things.

1> Enable Mandatory Profiles. This gives users access to save on the desktop for as long as they are logged in BUT when they logoff the entire profile is deleted including the desktop folder.

2> Enable Folder Redirection for the Desktop. This can be done with either Roaming Profiles or Local Profiles. If using Roaming Profiles redirect the users to their Profile Desktop location on the server. Eg. profiles are stored at \\server\profiles$\username  Redirect to \\server\profiles$\username\Desktop.  However, it would depend also if you are using mandatory profiles (where hundreds of users are using the same read-only profile) or just roaming profiles.

If you are running Windows 2003 R2 or later you have the File Server Resource Manager as a part of the OS. Usually it is installed separately though. I have it installed on my file servers.
http://technet.microsoft.com/en-us/library/cc754810.aspx

What this does is give you the ability to prevent ANY saving on the server of the file types that you don't want. It works wonderfully and I love it.

Users can only save to their My Documents on my network. All other drives are Read-Only.

source:
http://social.technet.microsoft.com/Forums/eu/winserverGP/thread/042a06f5-bf36-48ae-b982-77cd75f56cab

And other handy post also from MS technet:

The easy way to prevent users from saving data on the desktop is to set a folder redirection policy and redirect users’ desktops to a network share where users don’t have write permission.

Create a network share on your server, but don’t grant write permission for the domain users group.

Create a GPO and link it to a scope (site, domain or OU level, not a group) that contains your domain user account.

Configure the GPO-->User Configuration-->Windows Settings-->Folder redirection-->Desktop-->Desktop Properties-->Target tab-->Setting: Basic – Redirect everyone’s folder to the same location-->Root Path: input your network share

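You can also prevent users from saving data on the desktop by modifying the user’s desktop folder ACL directly.

1. Copy and save the code below to a .bat file

REM Quotes keep profile paths that contain spaces (e.g. "Documents and Settings") intact.
Echo Y| cacls "%userprofile%\desktop" /P %username%:R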

2. Create a new GPO and link it to a scope (site, domain or OU level not a Group)
3. Set at User Configuration\Windows Settings\Script\Logon
4. Copy the .bat file to Logon folder (Logon script Properties-->Add-->Browse-->Logon folder)

For more information please refer to following MS articles:
Disable adding or removing items from desktop
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/cebdf074-4cd8-4a5c-8a32-978b6747b6ff
Prevent user to save in desktop
http://social.technet.microsoft.com/Forums/en/winserverGP/thread/042a06f5-bf36-48ae-b982-77cd75f56cab
Cacls: Displays and Modifies NTFS Access Control Lists
http://technet.microsoft.com/en-us/library/cc976803.aspx

source:
http://social.technet.microsoft.com/Forums/en/winserverGP/thread/d3b21ee2-fcf8-43d6-9700-2a5f3fb3d88d
0
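A PowerShell variant of the logon-script step in the answer above, as an added example that is not part of the original post or of the quoted TechNet replies. Where `cacls ... /P` without `/E` replaces the folder's whole ACL with the single read entry, this adds one deny entry with `icacls` and then confirms the result with a test write; it assumes `icacls` is present on the client and that the script runs in the user's own logon session.

```powershell
# Added example (not from the original thread). Runs as a per-user logon script.
# Assumption: the user owns their profile folders and so may edit this DACL;
# that also means the user can undo it, so treat this as a guard rail only.
$desktop = [Environment]::GetFolderPath('Desktop')   # follows folder redirection
$sid     = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# Skip if an explicit deny entry for this user is already on the folder,
# so repeated logons do not keep re-applying the change.
$sidType  = [Security.Principal.SecurityIdentifier]
$explicit = (Get-Acl -LiteralPath $desktop).GetAccessRules($true, $false, $sidType)
$hasDeny  = $explicit | Where-Object {
    $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $sid
}

if (-not $hasDeny) {
    # WD/AD = create files/folders, DE/DC = delete. (OI)(CI) = inherit to children.
    # /deny adds one entry and leaves SYSTEM, Administrators and others in place.
    icacls $desktop /deny "*${sid}:(OI)(CI)(WD,AD,DE,DC)" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on $desktop"; exit 1 }
}

# Verify the result by attempting a write instead of trusting the ACL text.
$probe = Join-Path $desktop ("probe-{0}.tmp" -f [guid]::NewGuid())
try {
    [IO.File]::WriteAllText($probe, 'x')
    Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
    Write-Warning "Desktop is still writable: $desktop"
    exit 1
} catch {
    Write-Output "Desktop write denied as intended: $desktop"
}
```

The folder-redirection option in the same answer is enforced by the share and NTFS permissions on the server, which the user does not own.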
 
LVL 3

Author Closing Comment

by:venkatspb
ID: 38817449
Thanks