Top Doc


How to prevent users from saving to Desktop

I have over 1500 PCs, a mixture of Win 7 and 10.
Using Server 2012 R2.
Looking for a way to prevent users from being able to save to their desktops.

I have already done the following:
User Configuration \ Policies \ Administrative Templates \ Windows Components \ File Explorer
"Hide these specified drives in My Computer" and "Prevent access to drives from My Computer"

but I find that users are still able to save, or right-click on the desktop and select New.
Top Doc

ASKER

After double-checking, I have found that the policy works perfectly on the Win 10 PC, but on the Windows 7 PC there is a loophole.
Bradley Fox
Computer Configuration > Policy > Windows Settings > Security Settings > File System
Right-click, add %userprofile%\Desktop.
Set appropriate permissions for the desktop folder.

ASKER

@Bradley -

I tried the suggestion, but it didn't work.
I set the permissions, linked it to the computer OU, and rebooted.
Is there anything special that I would need to specify in scope and/or delegation?
I don't think it works because it is a Computer Configuration GPO. Instead, it needs to be set under User Configuration, but there is no matching User GPO.

One way around it is to use Folder Redirection to redirect the Desktop folder to a network share. This will create \\server\share\desktop\username; remove the write permission there.

ASKER

@NVIT,

Yes, I know of the folder redirection, but I was trying to avoid that route.
You will have to use a Deny Write permission for an AD group you create that contains the users you do not want to save to the desktop. I wouldn't modify the Users group permissions, especially not with a deny permission, as that will override admins' ability to write to the desktop as well.

Once you create this GPO, link it to an OU containing the computers you want it to apply to. Reboot the computers, then check the permissions on the Desktop folder to make sure it was applied. If the permissions don't look right, run gpresult /r as an administrator on the target systems to ensure the GPO was applied.
This works...
Make a Group Policy Preference under User Config > Preferences > Control Panel Settings > Scheduled Tasks.
Make a task that runs a .bat/.cmd file.
Action: Replace
Run the task as a domain admin and enter the password.
Schedule it to run at logon.
Item-level targeting:
- Operating System: Windows 7
- Security group: NOT Domain Admins
Optional: stop the task if it runs for more than 10 minutes.

In the .bat/.cmd file, add the code below.
- Change references to COMPANY to your actual domain.

@echo off
setlocal enabledelayedexpansion
REM Read the account that last logged on (DOMAIN\user) from the LogonUI key;
REM the task runs as an admin, so %userprofile% would point at the wrong profile
for /f "tokens=3" %%a in ('reg query "hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" /v LastLoggedOnUser') do (
  echo %computername% %date% %time% %%a>"%temp%\LastLoggedOn.txt"
)
REM Split DOMAIN\user on the backslash and keep only the user name
for /f "tokens=2 delims=\" %%i in ('type "%temp%\LastLoggedOn.txt"') do set xUsrLastLogged=%%i

REM Depending on current ACL complexity, you may need to use the Reset and Inheritance switches
REM icacls c:\users\%xUsrLastLogged%\desktop /reset
REM icacls c:\users\%xUsrLastLogged%\desktop /inheritance:d
REM Remove the user's granted and denied ACEs, then grant inheritable read/execute only
icacls c:\users\%xUsrLastLogged%\desktop /t /remove:g "COMPANY\%xUsrLastLogged%"
icacls c:\users\%xUsrLastLogged%\desktop /t /remove:d "COMPANY\%xUsrLastLogged%"
icacls c:\users\%xUsrLastLogged%\desktop /t /grant "COMPANY\%xUsrLastLogged%":(OI)(CI)RX

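The following PowerShell script is an added example, not code from this thread or from NVIT or Bradley. It carries both approaches discussed above through on one PC: NVIT's strip-and-regrant of the user's own ACEs (the icacls /inheritance:d, /remove and /grant steps) and Bradley's single Deny Write ACE for a dedicated AD group, and it prints the resulting Desktop ACL so the change can be checked instead of assumed. It reads the same LastLoggedOnUser registry value as the batch script, because a task running as SYSTEM or an admin cannot use %userprofile% to find the user's Desktop. The domain name COMPANY, the group COMPANY\NoDesktopSave and the profile root C:\Users\<user> are assumptions; change them for your environment. Run it elevated, for example from a Computer Configuration scheduled task.

```powershell
# Added example (not code from the thread). Locks down the last logged-on user's Desktop
# with either approach discussed above and reports the resulting ACL. Run elevated.
param(
    [string]$Domain    = 'COMPANY',               # assumption: your NetBIOS domain name
    [string]$DenyGroup = 'COMPANY\NoDesktopSave', # assumption: AD group of users to lock down
    [switch]$UseDenyGroup                         # Bradley's deny-ACE approach instead of NVIT's
)

$ErrorActionPreference = 'Stop'
$LogonUIKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'

function Get-LastLoggedOnUser {
    # The task runs as SYSTEM or an admin, so $env:USERPROFILE is the wrong profile;
    # read the LastLoggedOnUser value (COMPANY\jdoe) that the batch script also queries.
    $raw = (Get-ItemProperty -Path $LogonUIKey -Name LastLoggedOnUser).LastLoggedOnUser
    if (-not $raw) { throw "LastLoggedOnUser is empty under $LogonUIKey" }
    return ($raw -split '\\')[-1]
}

function Get-DesktopPath([string]$User) {
    # Assumption: local profiles live under <SystemDrive>\Users\<user>
    $path = Join-Path $env:SystemDrive "Users\$User\Desktop"
    if (-not (Test-Path -Path $path)) { throw "No local profile Desktop at $path" }
    return $path
}

function New-DesktopRule($Identity, [string]$Rights, [string]$Type) {
    # Inheritable ACE, the same as the (OI)(CI) flags in the icacls /grant line
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', $Type
}

# NVIT's approach: break inheritance, purge the user's allow and deny ACEs, re-grant RX only.
function Set-DesktopReadOnlyForUser([string]$User) {
    $desktop  = Get-DesktopPath $User
    $identity = New-Object System.Security.Principal.NTAccount("$Domain\$User")

    # Pass 1: protect the DACL and keep copies of the inherited ACEs (icacls /inheritance:d)
    $acl = Get-Acl -Path $desktop
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $desktop -AclObject $acl

    # Pass 2: every ACE is explicit now, so PurgeAccessRules removes the user's entries
    # (icacls /remove:g and /remove:d); then add read/execute only (icacls /grant ...:RX)
    $acl = Get-Acl -Path $desktop
    $acl.PurgeAccessRules($identity)
    $acl.AddAccessRule((New-DesktopRule $identity 'ReadAndExecute' 'Allow'))
    Set-Acl -Path $desktop -AclObject $acl
    return $desktop
}

# Bradley's approach: one Deny Write ACE for the group; the user's own ACEs stay intact,
# and admins (who are not in the group) keep their access.
function Add-DesktopDenyWrite([string]$User, [string]$Group) {
    $desktop = Get-DesktopPath $User
    $acl = Get-Acl -Path $desktop
    # Write = WriteData (new files) + AppendData (new subfolders) + attribute writes,
    # which blocks Save and right-click > New but not deletion of existing items.
    $acl.AddAccessRule((New-DesktopRule $Group 'Write' 'Deny'))
    Set-Acl -Path $desktop -AclObject $acl
    return $desktop
}

function Get-DesktopAclReport([string]$Path) {
    # Explicit and inherited ACEs, comparable with what icacls prints, to verify the result
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
}

$user = Get-LastLoggedOnUser
if ($UseDenyGroup) { $path = Add-DesktopDenyWrite -User $user -Group $DenyGroup }
else               { $path = Set-DesktopReadOnlyForUser -User $user }
Get-DesktopAclReport -Path $path | Format-Table -AutoSize
```

Two caveats apply to both approaches. A user owns their own profile folders, and an owner always has WRITE_DAC on the object, so a user who knows their way around the Security tab can grant themselves access back; if that matters, also change the owner (icacls /setowner) from the same task. And the Deny Write ACE stops new files and folders but not deletion of what is already on the Desktop, since Delete is a separate right.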

This should not be done as a User Config task. This is a policy you want to apply to the machine to prevent users from saving to a specific folder, so your settings should be under Computer Config and the GPO should be linked to the computers' OU.
Bradley...

The solution I presented works.

The question asked to:

 ..prevent users from being able to save to their desktops

How does your solution do that? Please include the exact steps.

ASKER

@ NVIT and @ Bradley Fox

I have tried it both as a computer and a user policy, neither of which worked.
Running the script directly, I get the output below.
(attachment: Capture.PNG)
You need to change COMPANY to your actual domain.

I revised the code post, adding: "Depending on current ACL complexity, you may need to use the Reset and Inheritance switches." If you want to try it, remove the REM prefixes.

ASKER

@NVIT

The script runs and works when I test it myself.
The task is created in the Task Scheduler.
The task is run at logon:
Task Scheduler successfully finished "{bfde4bbd-9fe8-4120-a855-dbe98aabb4c1}" instance of the "\Task-Name" task for user "My-Company\PCNAME$".
The scheduled task was only created when done as a computer policy.

However, even after the task has been run, nothing happens.
Group Policy Shows that the policy was applied
Task Schedule shows it was successfully run.

Not sure where else to troubleshoot.
ASKER CERTIFIED SOLUTION
NVIT

This solution is only available to members.

ASKER

@NVIT -

Thanks for the assist.
It just started working.

@Bradley -
Thanks for the input.
It was your idea to configure the setting on the computer side of the policy.