brms33
 asked on

Server 2016 group policy

Does anyone know of a way for a client to save to Downloads or My Documents and nowhere else on the computer, except a USB? These are public library computers and we need to limit their access to saving items on the local computer. We have a new server 2016 that we are setting up with group policy and it is one of the last items we can't get working before putting the GPO out and connecting the computers to the new domain. Thanks.
Deb
Server Software, Active Directory, Windows 10, Azure, Windows Server 2016


8/22/2022 - Mon
Mike Schrock

Blocking everything on C minus those locations is tricky. Not sure if this is the only solution; however, utilizing a clean-slate type program might be a better option. We use it here for our public library computers and it works rather well. We use Deep Freeze.
Just a thought.
brms33

ASKER
Hopefully, my last response wasn't sent, I was interrupted and when I returned my response was gone. So I was saying that we have a 5 branch Library District and we also use Centurion which is a distant cousin of Deep Freeze.

I was just hoping not to let the patrons get into any areas that they could cause trouble. I am not sure what your patrons are like but mine like to do anything they are not supposed to. Like children pushing the bar...

On our old domain we were able to limit them to My Documents but with this new server we just haven't figured it out yet. Thank you for your response. Good to know I have company, thanks.

Deb
Mike Schrock

I know the pain all too well. With ours, we set the computer to reboot after user logout, which clears everything the patron(s) did, and we are good to go!

Not sure if this is exactly what you are looking for: GPEdit > User Configuration > Administrative Templates > Windows Components > Windows Explorer > Prevent access to drives from My Computer
Restrict down the C Drive and that might cover it?
brms33

ASKER
Maybe it will. I will have to try it tomorrow. I will let you know, thanks so much!
arnold

You can limit the user to saving within the user profile, including desktop, etc.
The other setup that will wipe guest user data on a schedule to avoid site/credential leaks between guests.
brms33

ASKER
Would that be within the GPO? Where would you limit that?
brms33

ASKER
Mike Schrock, I cannot see where that will limit the access to only the My Documents section or allow access to Downloads. Thank you for your effort.
Mike Schrock

I think that was for the whole C drive. Apologies, I was understanding that USB saving was/is the end goal. Direct download to the USB drive and we are all set.
brms33

ASKER
We currently let them save to a Documents folder on the Desktop so they can save and print through our old 2008R2 DC. We are looking to see how we had accomplished this before. We had created a file to load the Desktop every time someone logs in. Which loads all of their Desktop files but we have yet to figure out how the Documents folder works. We have disabled access to My Documents. Someone else set this up for us last time and I haven't quite figured it all out yet. Because the computers are frozen the folder must be being directed from a different location. We found some settings in a Folder Redirection area of the GPO. We are just trying to figure out how to do it on our new server 2016.

I have to go into a long meeting in about 30 minutes, not sure if I can get back to this today. But will definitely be working on it again tomorrow... Thanks for all of your help. I will definitely let you know when I get a solution.
ASKER CERTIFIED SOLUTION
arnold

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
brms33

ASKER
Aren't the policies different from 2008 to 2016? We have a consultant company doing this for us and they chose to create a whole new GPO. They have actually been working on it since the end of October. We just decided to see if we could come up with a solution to the issues they are having to speed it up.

If that is the case I would love to try it... I will definitely look into this tomorrow, thanks.
arnold

There are enhancements. What were the prior workstations and what are the new workstations?
The GPOs do not necessarily have to be changed. The newer ones simply have added features and some more granular control.

Not sure what you had so it is hard to say ..

Usually, one leaves the default domain and default domain controller policy GPOs alone and adds GPOs as needed to control other things.
brms33

ASKER
The prior workstations were/still are Windows 7 and the new ones will be Win 10.

Additional question: In reference to one of your comments - you can have more than one GPO on the same workstations? Sorry, my knowledge is somewhat limited.
arnold

GPOs can be several; they are applied in sequence. The drawback deals with processing before the system is available.
You are not limited to a single GPO that has to include all that you want.
Commonly, a suggestion is to name a GPO descriptively to identify what it might be for.

Group Policy Management Console (GPMC) is a tool you can use to plan as well as to generate what the effect of GPOs are on computers/users.
brms33

ASKER
Great, I definitely want to try to do this. Thanks. I need to get a snapshot of the current server so I can test things on the new version without damaging the original. I will let you know how it goes.
arnold

Add GPMC to the new server; it is just a tool and provides a visual hierarchical display ....

Security filter on a GPO is how you limit its application by user or computer or group .....
arnold

GPMC can also back up the GPOs you have
brms33

ASKER
Thank you, I will try that also.
brms33

ASKER
Thank you both for helping out. I ended up exporting the GPO from 2008R2 to 2016. It has not gone smoothly. A lot of things did not work or export correctly in 2016. But we are working on fixing those now. I believe it saved a lot of time in the long run though. Thanks!
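
The GPMC steps mentioned in this thread (back up a GPO on the old domain, import it on the new one, limit it with security filtering, then check what actually applies), sketched with the GroupPolicy PowerShell module that is installed with GPMC. This is an added example, not part of the original thread; the GPO name, group, OU, folder, and computer/user names are hypothetical placeholders.

```powershell
# Added example. Every name below is a hypothetical placeholder.
Import-Module GroupPolicy                      # installed together with GPMC

$BackupDir = 'C:\GPOBackup'                    # hypothetical backup folder
$GpoName   = 'Public PC Lockdown'              # hypothetical GPO name
$PatronGrp = 'Library-Patrons'                 # hypothetical group of patron user accounts
$PatronOU  = 'OU=PublicPCs,DC=library,DC=example'   # hypothetical OU

# --- On the old (2008 R2) domain: back up the GPO and save a readable report.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
Backup-GPO -Name $GpoName -Path $BackupDir -Comment 'Pre-migration backup'
Get-GPOReport -Name $GpoName -ReportType Html -Path "$BackupDir\old-domain.html"

# --- On the new (2016) server: copy $BackupDir across, then import.
Install-WindowsFeature GPMC                    # adds the console and this module
Import-GPO -BackupGpoName $GpoName -Path $BackupDir `
           -TargetName $GpoName -CreateIfNeeded
# Settings that embed old server names (for example Folder Redirection UNC
# paths) are copied as-is; Import-GPO accepts -MigrationTable to remap them.

# Compare this report with old-domain.html to spot settings that did not carry over.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$BackupDir\new-domain.html"

# An imported GPO is not linked anywhere until you link it.
New-GPLink -Name $GpoName -Target $PatronOU

# Security filtering: only the patron group applies the GPO.
# Authenticated Users keeps Read so the GPO can still be read during processing.
Set-GPPermission -Name $GpoName -TargetName $PatronGrp `
                 -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
                 -TargetType Group -PermissionLevel GpoRead -Replace

# Resultant Set of Policy for one test PC and account: shows which GPOs
# applied, in what order, and which were filtered out.
Get-GPResultantSetOfPolicy -Computer 'LIB-PC01' -User 'LIBRARY\patron01' `
                           -ReportType Html -Path "$BackupDir\rsop-LIB-PC01.html"
```

Run the first section on the old domain and the rest on the new one, against a test OU before linking to production machines.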