How to create desktop file through GPO

Salonge
Salonge used Ask the Experts™
on
Management team wants a directory document as a part of everyone's Windows profile to sit on each desktop.  I figured this can be done through group policy.  I just need to be pointed in the direction of some instructions.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
NVITEnd-user support

Commented:
See this link: https://social.technet.microsoft.com/Forums/windowsserver/en-US/02dc525d-fe7a-497a-b6ec-a2bff4df98ac/how-to-place-files-on-users-desktop-with-gpp?forum=winserverGP

Make sure Authenticated Users and Domain Users have Read rights to the "Source file" folder.

In your case, instead of CommonDesktopDir, choose the DesktopDir variable.

Under Common tab, check "Run in Logged-in user's security context (user policy option)"
Kesavan JeganarayananIT Consultant

Commented:
If no concerns in  using third party tools, can try https://www.pdq.com/pdq-deploy/
Distinguished Expert 2017

Commented:
How often is the file updated, IMHO, a distributed file accessible by all users for read purpose is through computer GPO that copies a file from a central repository into c:\users\public\desktop\
Then you would run icacls to reset the permission..

The other option is to create a link to a centrally shared file.

Author

Commented:
They want it to be in such a way it comes up when a profile is created.  This file is updated maybe yearly.  I just need instructions on how to do this.  I saw some but it looked like it was someone trying to do it and having a problem and a resolution was posted.
Distinguished Expert 2017
Commented:
IMHO, if this is a published, informational file, a link on the desktop (preferably on the public read-only shortcut to the central file is best.
1) you do not need to copy the file to refresh it. Once the file is updated, users accessing it will see the current version. They can not delete the link/file.

Nvit provided an example.

You could use group policy preferences to push ...

What type of file as long as the file is not an office based tool..
I.e the location is read-only, the office products will often gave issues trying to open such a file as they commonly need write rights to create a lock file to indicate that is being used.

Author

Commented:
So you are saying that an office based file, i.e. Word or Excel will not work?
NVITEnd-user support

Commented:
Try a Word or Excel file. Then try any other file type. You'll know right away if it worked. It's easy to set up the gpp

Author

Commented:
I tried a Word file, but it did not work.  I am trying a PDF file.
NVITEnd-user support

Commented:
I believe Arnold's is saying when you open a Excel file on the network, then another user opens it before you close it, it tells you it's opened by someone else and if you want to open it read-only. It should still open.
Distinguished Expert 2017

Commented:
Nvit correctly interpreted my answer,
Office products try to create a ~filename_based_file without write rights, the office application will freeze and reflect the application not responding.

PDFs are fine as PDF readers do not need write rights to open files.

Author

Commented:
I just did this with a PDF and it is not working.  I am using my username to test and I don't see the file at all.
Distinguished Expert 2017

Commented:
Check the share folder on the server, and used advanced security especially effective permissions to determine what rights a user account would have when accessed.
Checked the share tabs permissions to see.

From your message it is not possible for me to attribute the issue nor how to resolve it beyond the suggestion to confirm permissions.
NVITEnd-user support

Commented:
In the test workstation, login as admin, open a cmd prompt, and run the gpresult /r /scope:user command.

The gpp you created should show.

https://activedirectorypro.com/gpresult-tool/

Author

Commented:
It does not show up.  Even though the group policy object shows up in Group Policy Management.
Distinguished Expert 2017

Commented:
Run
Gpresults /force

This will require a reboot if any computer gpos are renewed and the user will be prompted to logout if user gpos are updated.
NVITEnd-user support

Commented:
I think Arnold meant:

gpupdate /force

Author

Commented:
I have done that and I still don't see it.  When I created the policy, I only allowed myself and the domain admin access to the group policy so I could test under those profiles.  When I do the gpresults it does not show that this group policy applied to my username.  I have done gpupdate /force multiple times.  I see the admin account, but not mine.  Can anyone help.
Distinguished Expert 2017

Commented:
Nvit, thanks for the correction.
The issue you face is whether the settings in the GPO of interest is not superseded by another GPO.

Author

Commented:
How can I tell that?

Author

Commented:
The two accounts are set up identical. Why does  the policy show up on one account and not the other.  but the file still does not show up on the desktop.
Distinguished Expert 2017

Commented:
What security filter you have? What is the status of the GPO when gpresults are obtain,
It commonly tells you if it did not apply or access is denied.
NVITEnd-user support

Commented:
Also... Is the user in a certain OU where the gpp is not being applied/pertains to?
Distinguished Expert 2017

Commented:
Using the group policy management console, you can generate the same results as you do on the individual workstation for a specific user.

A group policy wizard where you can select the computer against which object you want it assessed, then you can specify a user of interest who had to have previously logged onto that system.

The results are in two parts a detail of which explains a setting and the winning GPO that set it.

Author

Commented:
@Arnold

Can you explain that process please?
Distinguished Expert 2017

Commented:
Open gpmc and look near the bottom there are two entries,
One deals with group policy planning which can be used to look at what changes will occur if certain changes were made as a testing platform without impacting users.
The second, group policy results is the means through which you can generate results based on a system of interest and then against a user from a list who had to have logged Ito the system.

Author

Commented:
The GPO says access denied security filtering next to my username.

Author

Commented:
I was able to get access to the GPO, but I am still trying to see the file on my desktop on my computer.  I was able to see the file on the desktop that i was working on.
NVITEnd-user support

Commented:
> but I am still trying to see the file on my desktop on my computer.  I was able to see the file on the desktop that i was working on.

Unclear.
Distinguished Expert 2017

Commented:
The desktop does not auto refresh.
Which destination are pushing it to? Does the user have access to the source from which it is being copied?

IMHO, it is best to create a link versus copying the file resulting in multiple copies.

Author

Commented:
I am pushing it to the desktop of each user.  I am logged into another computer and I don't see the file come up on that computer.  I am also logged into another computer under a different username that has access and the file is there.  On my computer the policy is there based on the GPResults.  I have set it up that it only copies one time per profile user.
Distinguished Expert 2017

Commented:
Is it being copied or is the file part of the GPO?
Can you check while logged into a workstation whether you gave access to the file where it is.

Author

Commented:
The file is in a shared directory and everyone has read access to the file.  I am an administrator of the directory and I am unable to see it on my desktop.

Author

Commented:
I guess I am copying the file to everyone's desktop.
Distinguished Expert 2017

Commented:
Please post how your setup copies the file.

Author

Commented:
source files - C:\directory\filename.pdf
Destination: %Userprofiles%Desktop\Filename.pdf
Distinguished Expert 2017
Commented:
Can you double check that the share is accessible?
C:\directory\filename.pdf is a local file.
It commonly shoukd be referenced as a share \\servername\sharename\filename.pdf

Your issue what you have setup is that the source file is not accessible by the user on whose behalf the copy is attempted.

Author

Commented:
Changed to a shared drive.  I will see if it works

Author

Commented:
It did not work.  Should I create a computer policy also?
Distinguished Expert 2017

Commented:
The change is as noted is not instanteneous. under what mechanism is the file being copied? Is it a login script, or are you using a GPP to handle the process.
A computer GPO only applies at boot.
Without knowing under which mechanism you are trying to do this, it is impossible for me to guess and then provide useful suggestions.

Author

Commented:
I am using the GPO to handle the process.

Author

Commented:
This is a user configuration - GPO
Distinguished Expert 2017
Commented:
There are many ways to achieve this, please be specific on how you are pushing the file from a \\servername\sharename\filename.pdf in this case to c:\users\%username% or are you using another way/reference?

In order for me to determine whether I can identify why what you are doing is not resulting in the results you expect, I need to know what it is you are doing.


Try the following, open GPMC open a new GPO or the GPO you are working with and edit it
navigate to preferences, windows settings, then to shortcuts.
a a new shortcut, with the rule
to update
name. shortcut to filename.pdf
target file system type
place it on the desktop
target \\servername\sharename\filename.pdf
icon file if you want, locate c:\program files\adobe\reader\...... if you want
and let it fly
gpupdate /TARGET:user /force
logoff logon and see whether you have a "shortcut to filename" shortcut to the file and when clicked does it open the pdf.
Distinguished Expert 2017

Commented:
Oh, used my own ... for shortcut but within the same location you can use file and specify the source as the share and then the destination. note you have to use
the variable %userprofile%\desktop since you can not predict the profile name as it can change from username to username.domain to username.domain.000 etc.

so the destination needs to match all conditions.

Author

Commented:
Okay.  I did everything you stated and it still does not work.  I can do a gpresult on the test computer and the GPO shows applied, but the file will not show on the desktop.  I really  need to figure out what I am not doing correctly.
NVITEnd-user support
Commented:
> I can do a gpresult on the test computer and the GPO shows applied, but the file will not show on the desktop.

1. Open a CMD prompt on suspect client.
2. DIR /a "c:\users\whateveruser\desktop\whateverfilename.pdf"

Does it show the file?

Author

Commented:
No, the file does not show.
NVITEnd-user support

Commented:
Can you post screenshots of every setup you did? You can blank out private info as needed.

Author

Commented:
See files attached below.  This is exactly the steps I am taking.  Then I do a gpupdate /force
gpo-1.jpg
gpo-2.jpg
gpo-3.jpg
NVITEnd-user support

Commented:
For your Source File(s) field, I don't know if Arnold helped you w/ that yet but... that folder should be
- Shared
- Accessible by domain users, whatever group

Author

Commented:
It is.  Domain users have read rights..
NVITEnd-user support

Commented:
Also, on the Common tab, set the "Run in logged-on users' security context (user policy option)

Author

Commented:
that is also set.
NVITEnd-user support

Commented:
I don't know if it makes a difference but, if you haven't already, try changing the  Source File(s) field to the share name instead of the local c:\ folder

Author

Commented:
The shared file is on the C:\ - the folder is shared

Author

Commented:
I did that to make it easier.  I also have it on a server. if I ever get it to work.
NVITEnd-user support

Commented:
Alternatively, you can run a cmd/bat script to copy the file during user logon. That would be under User Config > Policies > Windows settings > Scripts
NVITEnd-user support

Commented:
Regarding the shared folder... Can users access the folder if they type in the folder name in Windows Explorer? This would verify the share access.

Author

Commented:
Yes, the users can.  I have the GPO set up that only the domain admin and myself can access it for testing purposes.  And I can go to my test computer, go into Network and see the shared file and access the document.

Would the script be easier?  How would I write a script?  I know I am not familiar with writing scripts in GPO.
NVITEnd-user support
Commented:
To use the login script cmd/bat method...

This assumes the login script is not currently in use. If it is, you can still add these lines to it.

1. Open a text editior.
2. Add this text
copy /y "\\sharename\folder\filename.pdf" "%userprofile%\desktop"

Open in new window

3. Save it to a commonly shared folder, maybe under %USERDOMAIN%\SYSVOL\%USERDOMAIN%\scripts, with a name like: Login.cmd
4. Open the Login.cmd file via the gpo I mentioned in my last post under User Config
NVITEnd-user support

Commented:
Revised my COPY command, adding /Y switch.

Author

Commented:
Why can't I do the GPO, what am I not doing right?
NVITEnd-user support

Commented:
What do you mean? You can't do the login gpo method I explained?

Author

Commented:
I put it in the script in the GPO.  I will see if it works.

Author

Commented:
It worked.  I don't know if it was the script or the changes to the other user config. but it worked.

Thank you and Arnold!!!!
NVITEnd-user support

Commented:
>  It worked.  I don't know if it was the script or the changes to the other user config. but it worked.

You can verify which one worked by disabling the login script method. If it doesn't, then the script method worked....

Author

Commented:
Thank you for all of your help.  You guys rock!!!

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial