Salonge
asked on
How to create desktop file through GPO
Management team wants a directory document as a part of everyone's Windows profile to sit on each desktop. I figured this can be done through group policy. I just need to be pointed in the direction of some instructions.
If no concerns in using third party tools, can try https://www.pdq.com/pdq-deploy/
How often is the file updated, IMHO, a distributed file accessible by all users for read purpose is through computer GPO that copies a file from a central repository into c:\users\public\desktop\
Then you would run icacls to reset the permission..
The other option is to create a link to a centrally shared file.
Then you would run icacls to reset the permission..
The other option is to create a link to a centrally shared file.
ASKER
They want it to be in such a way it comes up when a profile is created. This file is updated maybe yearly. I just need instructions on how to do this. I saw some but it looked like it was someone trying to do it and having a problem and a resolution was posted.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
So you are saying that an office based file, i.e. Word or Excel will not work?
Try a Word or Excel file. Then try any other file type. You'll know right away if it worked. It's easy to set up the gpp
ASKER
I tried a Word file, but it did not work. I am trying a PDF file.
I believe Arnold's is saying when you open a Excel file on the network, then another user opens it before you close it, it tells you it's opened by someone else and if you want to open it read-only. It should still open.
Nvit correctly interpreted my answer,
Office products try to create a ~filename_based_file without write rights, the office application will freeze and reflect the application not responding.
PDFs are fine as PDF readers do not need write rights to open files.
Office products try to create a ~filename_based_file without write rights, the office application will freeze and reflect the application not responding.
PDFs are fine as PDF readers do not need write rights to open files.
ASKER
I just did this with a PDF and it is not working. I am using my username to test and I don't see the file at all.
Check the share folder on the server, and used advanced security especially effective permissions to determine what rights a user account would have when accessed.
Checked the share tabs permissions to see.
From your message it is not possible for me to attribute the issue nor how to resolve it beyond the suggestion to confirm permissions.
Checked the share tabs permissions to see.
From your message it is not possible for me to attribute the issue nor how to resolve it beyond the suggestion to confirm permissions.
In the test workstation, login as admin, open a cmd prompt, and run the gpresult /r /scope:user command.
The gpp you created should show.
https://activedirectorypro.com/gpresult-tool/
The gpp you created should show.
https://activedirectorypro.com/gpresult-tool/
ASKER
It does not show up. Even though the group policy object shows up in Group Policy Management.
Run
Gpresults /force
This will require a reboot if any computer gpos are renewed and the user will be prompted to logout if user gpos are updated.
Gpresults /force
This will require a reboot if any computer gpos are renewed and the user will be prompted to logout if user gpos are updated.
I think Arnold meant:
gpupdate /force
gpupdate /force
ASKER
I have done that and I still don't see it. When I created the policy, I only allowed myself and the domain admin access to the group policy so I could test under those profiles. When I do the gpresults it does not show that this group policy applied to my username. I have done gpupdate /force multiple times. I see the admin account, but not mine. Can anyone help.
Nvit, thanks for the correction.
The issue you face is whether the settings in the GPO of interest is not superseded by another GPO.
The issue you face is whether the settings in the GPO of interest is not superseded by another GPO.
ASKER
How can I tell that?
ASKER
The two accounts are set up identical. Why does the policy show up on one account and not the other. but the file still does not show up on the desktop.
What security filter you have? What is the status of the GPO when gpresults are obtain,
It commonly tells you if it did not apply or access is denied.
It commonly tells you if it did not apply or access is denied.
Also... Is the user in a certain OU where the gpp is not being applied/pertains to?
Using the group policy management console, you can generate the same results as you do on the individual workstation for a specific user.
A group policy wizard where you can select the computer against which object you want it assessed, then you can specify a user of interest who had to have previously logged onto that system.
The results are in two parts a detail of which explains a setting and the winning GPO that set it.
A group policy wizard where you can select the computer against which object you want it assessed, then you can specify a user of interest who had to have previously logged onto that system.
The results are in two parts a detail of which explains a setting and the winning GPO that set it.
ASKER
@Arnold
Can you explain that process please?
Can you explain that process please?
Open gpmc and look near the bottom there are two entries,
One deals with group policy planning which can be used to look at what changes will occur if certain changes were made as a testing platform without impacting users.
The second, group policy results is the means through which you can generate results based on a system of interest and then against a user from a list who had to have logged Ito the system.
One deals with group policy planning which can be used to look at what changes will occur if certain changes were made as a testing platform without impacting users.
The second, group policy results is the means through which you can generate results based on a system of interest and then against a user from a list who had to have logged Ito the system.
ASKER
The GPO says access denied security filtering next to my username.
ASKER
I was able to get access to the GPO, but I am still trying to see the file on my desktop on my computer. I was able to see the file on the desktop that i was working on.
> but I am still trying to see the file on my desktop on my computer. I was able to see the file on the desktop that i was working on.
Unclear.
Unclear.
The desktop does not auto refresh.
Which destination are pushing it to? Does the user have access to the source from which it is being copied?
IMHO, it is best to create a link versus copying the file resulting in multiple copies.
Which destination are pushing it to? Does the user have access to the source from which it is being copied?
IMHO, it is best to create a link versus copying the file resulting in multiple copies.
ASKER
I am pushing it to the desktop of each user. I am logged into another computer and I don't see the file come up on that computer. I am also logged into another computer under a different username that has access and the file is there. On my computer the policy is there based on the GPResults. I have set it up that it only copies one time per profile user.
Is it being copied or is the file part of the GPO?
Can you check while logged into a workstation whether you gave access to the file where it is.
Can you check while logged into a workstation whether you gave access to the file where it is.
ASKER
The file is in a shared directory and everyone has read access to the file. I am an administrator of the directory and I am unable to see it on my desktop.
ASKER
I guess I am copying the file to everyone's desktop.
Please post how your setup copies the file.
ASKER
source files - C:\directory\filename.pdf
Destination: %Userprofiles%Desktop\File name.pdf
Destination: %Userprofiles%Desktop\File
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Changed to a shared drive. I will see if it works
ASKER
It did not work. Should I create a computer policy also?
The change is as noted is not instanteneous. under what mechanism is the file being copied? Is it a login script, or are you using a GPP to handle the process.
A computer GPO only applies at boot.
Without knowing under which mechanism you are trying to do this, it is impossible for me to guess and then provide useful suggestions.
A computer GPO only applies at boot.
Without knowing under which mechanism you are trying to do this, it is impossible for me to guess and then provide useful suggestions.
ASKER
I am using the GPO to handle the process.
ASKER
This is a user configuration - GPO
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Oh, used my own ... for shortcut but within the same location you can use file and specify the source as the share and then the destination. note you have to use
the variable %userprofile%\desktop since you can not predict the profile name as it can change from username to username.domain to username.domain.000 etc.
so the destination needs to match all conditions.
the variable %userprofile%\desktop since you can not predict the profile name as it can change from username to username.domain to username.domain.000 etc.
so the destination needs to match all conditions.
ASKER
Okay. I did everything you stated and it still does not work. I can do a gpresult on the test computer and the GPO shows applied, but the file will not show on the desktop. I really need to figure out what I am not doing correctly.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
No, the file does not show.
Can you post screenshots of every setup you did? You can blank out private info as needed.
ASKER
For your Source File(s) field, I don't know if Arnold helped you w/ that yet but... that folder should be
- Shared
- Accessible by domain users, whatever group
- Shared
- Accessible by domain users, whatever group
ASKER
It is. Domain users have read rights..
Also, on the Common tab, set the "Run in logged-on users' security context (user policy option)
ASKER
that is also set.
I don't know if it makes a difference but, if you haven't already, try changing the Source File(s) field to the share name instead of the local c:\ folder
ASKER
The shared file is on the C:\ - the folder is shared
ASKER
I did that to make it easier. I also have it on a server. if I ever get it to work.
Alternatively, you can run a cmd/bat script to copy the file during user logon. That would be under User Config > Policies > Windows settings > Scripts
Regarding the shared folder... Can users access the folder if they type in the folder name in Windows Explorer? This would verify the share access.
ASKER
Yes, the users can. I have the GPO set up that only the domain admin and myself can access it for testing purposes. And I can go to my test computer, go into Network and see the shared file and access the document.
Would the script be easier? How would I write a script? I know I am not familiar with writing scripts in GPO.
Would the script be easier? How would I write a script? I know I am not familiar with writing scripts in GPO.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Revised my COPY command, adding /Y switch.
ASKER
Why can't I do the GPO, what am I not doing right?
What do you mean? You can't do the login gpo method I explained?
ASKER
I put it in the script in the GPO. I will see if it works.
ASKER
It worked. I don't know if it was the script or the changes to the other user config. but it worked.
Thank you and Arnold!!!!
Thank you and Arnold!!!!
> It worked. I don't know if it was the script or the changes to the other user config. but it worked.
You can verify which one worked by disabling the login script method. If it doesn't, then the script method worked....
You can verify which one worked by disabling the login script method. If it doesn't, then the script method worked....
ASKER
Thank you for all of your help. You guys rock!!!
Make sure Authenticated Users and Domain Users have Read rights to the "Source file" folder.
In your case, instead of CommonDesktopDir, choose the DesktopDir variable.
Under Common tab, check "Run in Logged-in user's security context (user policy option)"