We help IT Professionals succeed at work.

Server 2016 group policy

Does anyone know of a way for a client to save to Downloads or My Documents and nowhere else on the computer, except a USB? These are public library computers and we need to limit their access to saving items on the local computer. We have a new server 2016 that we are setting up with group policy and it is one of the last items we can't get working before putting the GPO out and connecting the computers to the new domain. Thanks.
Deb
Comment
Watch Question

Mike SchrockIT Operations Manager

Commented:
Blocking everything on C minus those locations is tricky. Not sure if this is the only solution, however utilizing a clean slate type program might be a better option. We use it here for our public library computers and it works rather well.  We use Deep Freeze.
Just a thought.

Author

Commented:
Hopefully, my last response wasn't sent, I was interrupted and when I returned my response was gone. So I was saying that we have a 5 branch Library District and we also use Centurion which is a distant cousin of Deep Freeze.

I was just hoping not to let the patrons get into any areas that they could cause trouble. I am not sure what your patrons are like but mine like to do anything they are not supposed to. Like children pushing the bar...

On our old domain we were able to limit them to My Documents but with this new server we just haven't figured it out yet. Thank you for your response. Good to know I have company, thanks.

Deb
Mike SchrockIT Operations Manager

Commented:
I know the pain all too well, with ours we set the computer to reboot after user logout, clears all what the patron(s) did and we are good to go!

Not sure if this is exactly what you are looking for: GPEdit > User Configuration > Administrative Templates > Windows Components > Windows Explorer > Prevent access to drives from My Computer
Restrict down the C Drive and that might cover it?

Author

Commented:
Maybe it will. I will have to try it tomorrow. I will let you know, thanks so much!
Distinguished Expert 2019

Commented:
You can limit the user to saving within the user profile including desktop, etc.
the other setup that will wipe guest user data on a schedule to avoid site/credential leake between guests

Author

Commented:
Would that be within the GPO? Where would you limit that?

Author

Commented:
Mike Shrock, I cannot see where that will limit the access to only the My Documents section or allow access to Downloads. Thank you for your effort.
Mike SchrockIT Operations Manager

Commented:
I think that was for the whole C drive. Apologies I was understanding that USB saving was/is the end goal. Direct download to the USB drive and we are all set.

Author

Commented:
We currently let them save to a Documents folder on the Desktop so they can save and print through our old 2008R2 DC. We are looking to see how we had accomplished this before. We had created a file to load the Desktop every time someone logs in. Which loads all of their Desktop files but we have yet to figure out how the Documents folder works. We have disabled access to My Documents. Someone else set this up for us last time and I haven't quite figured it all out yet. Because the computers are frozen the folder must be being directed from a different location. We found some settings in a Folder Redirection area of the GPO. We are just trying to figure out how to do it on our new server 2016.

I have to go into a long meeting in about 30 minutes, not sure if I can back to this today. But will definitely be working on it again tomorrow... Thanks for all of your help. I will definitely let you know when I get a solution.
Distinguished Expert 2019
Commented:
Usually, nothing would change when you add the new server as anotherDC it will transfer/replicate all existing settings set control from the DC via GPO.

Author

Commented:
Aren't the policies different from 2008 to 2016? We have a consultant company doing this for us and they chose to create a whole new GPO. They have actually been working on it since the end of October. We just decided to see if we could come up with a solution to their issues they are having to speed it up.

If that is the case I would love to try it... I will definitely look into this tomorrow, thanks.
Distinguished Expert 2019

Commented:
there are enhancements, what were the prior workstations and what are the new workstations?
The GPO do not necessarily have to be changed. The newer simply have added feature and some more granular control.

not sure what you had so it is hard to say ..

Usually, one leaves the default domain and default domain controler policy GPos alone and adds GPOs as needed to control other things.

Author

Commented:
The prior workstations were/still are Windows 7 and the new ones will be Win 10.

Additional question: In reference to one of your comments - you can have more than one GPO on the same workstations? Sorry, my knowledge is somewhat limited.
Distinguished Expert 2019

Commented:
gpos can be several they are applied in sequence. The draw back deals with processing before the system is available
You are not limited to a single GPO that has to include all that you want.
Commonly a Suggestion is to name a GPO discriptively to identify what it might be for.

GRoup Policy management console (GPMC) is a tool you can use to plan as well as to generate what the effect of Gpos are on computers/users..

Author

Commented:
Great, I definitely want to try to do this. Thanks. I need to get a snapshot of the current server so I can test things on the new version without damaging the original. I will let you know how it goes.
Distinguished Expert 2019

Commented:
add GPMC to the new server , it is just a tool and provides a visual hierarchical display ....

security filter on a GPO is how you limit its application by user or computer or group .....
Distinguished Expert 2019

Commented:
GPMC can also backup the GPOs you have

Author

Commented:
Thank you, I will try that also.

Author

Commented:
Thank you both for helping out. I ended up exporting the GPO from 2008R2 to 2016. It has not gone smoothly. A lot of things did not work or export correctly in 2016. But we are working on fixing those now. I believe it saved a lot of time in the long run though. Thanks!