Link to home
Start Free TrialLog in
Avatar of Salonge
Salonge

asked on

How to create desktop file through GPO

Management team wants a directory document as a part of everyone's Windows profile to sit on each desktop.  I figured this can be done through group policy.  I just need to be pointed in the direction of some instructions.
Avatar of NVIT
NVIT
Flag of United States of America image

See this link: https://social.technet.microsoft.com/Forums/windowsserver/en-US/02dc525d-fe7a-497a-b6ec-a2bff4df98ac/how-to-place-files-on-users-desktop-with-gpp?forum=winserverGP

Make sure Authenticated Users and Domain Users have Read rights to the "Source file" folder.

In your case, instead of CommonDesktopDir, choose the DesktopDir variable.

Under Common tab, check "Run in Logged-in user's security context (user policy option)"
If no concerns in  using third party tools, can try https://www.pdq.com/pdq-deploy/
How often is the file updated, IMHO, a distributed file accessible by all users for read purpose is through computer GPO that copies a file from a central repository into c:\users\public\desktop\
Then you would run icacls to reset the permission..

The other option is to create a link to a centrally shared file.
Avatar of Salonge
Salonge

ASKER

They want it to be in such a way it comes up when a profile is created.  This file is updated maybe yearly.  I just need instructions on how to do this.  I saw some but it looked like it was someone trying to do it and having a problem and a resolution was posted.
ASKER CERTIFIED SOLUTION
Avatar of arnold
arnold
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Salonge

ASKER

So you are saying that an office based file, i.e. Word or Excel will not work?
Try a Word or Excel file. Then try any other file type. You'll know right away if it worked. It's easy to set up the gpp
Avatar of Salonge

ASKER

I tried a Word file, but it did not work.  I am trying a PDF file.
I believe Arnold's is saying when you open a Excel file on the network, then another user opens it before you close it, it tells you it's opened by someone else and if you want to open it read-only. It should still open.
Nvit correctly interpreted my answer,
Office products try to create a ~filename_based_file without write rights, the office application will freeze and reflect the application not responding.

PDFs are fine as PDF readers do not need write rights to open files.
Avatar of Salonge

ASKER

I just did this with a PDF and it is not working.  I am using my username to test and I don't see the file at all.
Check the share folder on the server, and used advanced security especially effective permissions to determine what rights a user account would have when accessed.
Checked the share tabs permissions to see.

From your message it is not possible for me to attribute the issue nor how to resolve it beyond the suggestion to confirm permissions.
In the test workstation, login as admin, open a cmd prompt, and run the gpresult /r /scope:user command.

The gpp you created should show.

https://activedirectorypro.com/gpresult-tool/
Avatar of Salonge

ASKER

It does not show up.  Even though the group policy object shows up in Group Policy Management.
Run
Gpresults /force

This will require a reboot if any computer gpos are renewed and the user will be prompted to logout if user gpos are updated.
I think Arnold meant:

gpupdate /force
Avatar of Salonge

ASKER

I have done that and I still don't see it.  When I created the policy, I only allowed myself and the domain admin access to the group policy so I could test under those profiles.  When I do the gpresults it does not show that this group policy applied to my username.  I have done gpupdate /force multiple times.  I see the admin account, but not mine.  Can anyone help.
Nvit, thanks for the correction.
The issue you face is whether the settings in the GPO of interest is not superseded by another GPO.
Avatar of Salonge

ASKER

How can I tell that?
Avatar of Salonge

ASKER

The two accounts are set up identical. Why does  the policy show up on one account and not the other.  but the file still does not show up on the desktop.
What security filter you have? What is the status of the GPO when gpresults are obtain,
It commonly tells you if it did not apply or access is denied.
Also... Is the user in a certain OU where the gpp is not being applied/pertains to?
Using the group policy management console, you can generate the same results as you do on the individual workstation for a specific user.

A group policy wizard where you can select the computer against which object you want it assessed, then you can specify a user of interest who had to have previously logged onto that system.

The results are in two parts a detail of which explains a setting and the winning GPO that set it.
Avatar of Salonge

ASKER

@Arnold

Can you explain that process please?
Open gpmc and look near the bottom there are two entries,
One deals with group policy planning which can be used to look at what changes will occur if certain changes were made as a testing platform without impacting users.
The second, group policy results is the means through which you can generate results based on a system of interest and then against a user from a list who had to have logged Ito the system.
Avatar of Salonge

ASKER

The GPO says access denied security filtering next to my username.
Avatar of Salonge

ASKER

I was able to get access to the GPO, but I am still trying to see the file on my desktop on my computer.  I was able to see the file on the desktop that i was working on.
> but I am still trying to see the file on my desktop on my computer.  I was able to see the file on the desktop that i was working on.

Unclear.
The desktop does not auto refresh.
Which destination are pushing it to? Does the user have access to the source from which it is being copied?

IMHO, it is best to create a link versus copying the file resulting in multiple copies.
Avatar of Salonge

ASKER

I am pushing it to the desktop of each user.  I am logged into another computer and I don't see the file come up on that computer.  I am also logged into another computer under a different username that has access and the file is there.  On my computer the policy is there based on the GPResults.  I have set it up that it only copies one time per profile user.
Is it being copied or is the file part of the GPO?
Can you check while logged into a workstation whether you gave access to the file where it is.
Avatar of Salonge

ASKER

The file is in a shared directory and everyone has read access to the file.  I am an administrator of the directory and I am unable to see it on my desktop.
Avatar of Salonge

ASKER

I guess I am copying the file to everyone's desktop.
Please post how your setup copies the file.
Avatar of Salonge

ASKER

source files - C:\directory\filename.pdf
Destination: %Userprofiles%Desktop\Filename.pdf
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Salonge

ASKER

Changed to a shared drive.  I will see if it works
Avatar of Salonge

ASKER

It did not work.  Should I create a computer policy also?
The change is as noted is not instanteneous. under what mechanism is the file being copied? Is it a login script, or are you using a GPP to handle the process.
A computer GPO only applies at boot.
Without knowing under which mechanism you are trying to do this, it is impossible for me to guess and then provide useful suggestions.
Avatar of Salonge

ASKER

I am using the GPO to handle the process.
Avatar of Salonge

ASKER

This is a user configuration - GPO
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Oh, used my own ... for shortcut but within the same location you can use file and specify the source as the share and then the destination. note you have to use
the variable %userprofile%\desktop since you can not predict the profile name as it can change from username to username.domain to username.domain.000 etc.

so the destination needs to match all conditions.
Avatar of Salonge

ASKER

Okay.  I did everything you stated and it still does not work.  I can do a gpresult on the test computer and the GPO shows applied, but the file will not show on the desktop.  I really  need to figure out what I am not doing correctly.
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Salonge

ASKER

No, the file does not show.
Can you post screenshots of every setup you did? You can blank out private info as needed.
Avatar of Salonge

ASKER

See files attached below.  This is exactly the steps I am taking.  Then I do a gpupdate /force
gpo-1.jpg
gpo-2.jpg
gpo-3.jpg
For your Source File(s) field, I don't know if Arnold helped you w/ that yet but... that folder should be
- Shared
- Accessible by domain users, whatever group
Avatar of Salonge

ASKER

It is.  Domain users have read rights..
Also, on the Common tab, set the "Run in logged-on users' security context (user policy option)
Avatar of Salonge

ASKER

that is also set.
I don't know if it makes a difference but, if you haven't already, try changing the  Source File(s) field to the share name instead of the local c:\ folder
Avatar of Salonge

ASKER

The shared file is on the C:\ - the folder is shared
Avatar of Salonge

ASKER

I did that to make it easier.  I also have it on a server. if I ever get it to work.
Alternatively, you can run a cmd/bat script to copy the file during user logon. That would be under User Config > Policies > Windows settings > Scripts
Regarding the shared folder... Can users access the folder if they type in the folder name in Windows Explorer? This would verify the share access.
Avatar of Salonge

ASKER

Yes, the users can.  I have the GPO set up that only the domain admin and myself can access it for testing purposes.  And I can go to my test computer, go into Network and see the shared file and access the document.

Would the script be easier?  How would I write a script?  I know I am not familiar with writing scripts in GPO.
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Revised my COPY command, adding /Y switch.
Avatar of Salonge

ASKER

Why can't I do the GPO, what am I not doing right?
What do you mean? You can't do the login gpo method I explained?
Avatar of Salonge

ASKER

I put it in the script in the GPO.  I will see if it works.
Avatar of Salonge

ASKER

It worked.  I don't know if it was the script or the changes to the other user config. but it worked.

Thank you and Arnold!!!!
>  It worked.  I don't know if it was the script or the changes to the other user config. but it worked.

You can verify which one worked by disabling the login script method. If it doesn't, then the script method worked....
Avatar of Salonge

ASKER

Thank you for all of your help.  You guys rock!!!