Server 2016 group policy

Blocking everything on C minus those locations is tricky. Not sure if this is the only solution, however utilizing a clean slate type program might be a better option. We use it here for our public library computers and it works rather well.  We use Deep Freeze.
Just a thought.

Hopefully, my last response wasn't sent, I was interrupted and when I returned my response was gone. So I was saying that we have a 5 branch Library District and we also use Centurion which is a distant cousin of Deep Freeze.

I was just hoping not to let the patrons get into any areas that they could cause trouble. I am not sure what your patrons are like but mine like to do anything they are not supposed to. Like children pushing the bar...

On our old domain we were able to limit them to My Documents but with this new server we just haven't figured it out yet. Thank you for your response. Good to know I have company, thanks.

Deb

I know the pain all too well, with ours we set the computer to reboot after user logout, clears all what the patron(s) did and we are good to go!

Not sure if this is exactly what you are looking for: GPEdit > User Configuration > Administrative Templates > Windows Components > Windows Explorer > Prevent access to drives from My Computer
Restrict down the C Drive and that might cover it?

Maybe it will. I will have to try it tomorrow. I will let you know, thanks so much!

You can limit the user to saving within the user profile including desktop, etc.
the other setup that will wipe guest user data on a schedule to avoid site/credential leake between guests

Would that be within the GPO? Where would you limit that?

Mike Shrock, I cannot see where that will limit the access to only the My Documents section or allow access to Downloads. Thank you for your effort.

I think that was for the whole C drive. Apologies I was understanding that USB saving was/is the end goal. Direct download to the USB drive and we are all set.

We currently let them save to a Documents folder on the Desktop so they can save and print through our old 2008R2 DC. We are looking to see how we had accomplished this before. We had created a file to load the Desktop every time someone logs in. Which loads all of their Desktop files but we have yet to figure out how the Documents folder works. We have disabled access to My Documents. Someone else set this up for us last time and I haven't quite figured it all out yet. Because the computers are frozen the folder must be being directed from a different location. We found some settings in a Folder Redirection area of the GPO. We are just trying to figure out how to do it on our new server 2016.

I have to go into a long meeting in about 30 minutes, not sure if I can back to this today. But will definitely be working on it again tomorrow... Thanks for all of your help. I will definitely let you know when I get a solution.

Aren't the policies different from 2008 to 2016? We have a consultant company doing this for us and they chose to create a whole new GPO. They have actually been working on it since the end of October. We just decided to see if we could come up with a solution to their issues they are having to speed it up.

If that is the case I would love to try it... I will definitely look into this tomorrow, thanks.

there are enhancements, what were the prior workstations and what are the new workstations?
The GPO do not necessarily have to be changed. The newer simply have added feature and some more granular control.

not sure what you had so it is hard to say ..

Usually, one leaves the default domain and default domain controler policy GPos alone and adds GPOs as needed to control other things.

The prior workstations were/still are Windows 7 and the new ones will be Win 10.

Additional question: In reference to one of your comments - you can have more than one GPO on the same workstations? Sorry, my knowledge is somewhat limited.

gpos can be several they are applied in sequence. The draw back deals with processing before the system is available
You are not limited to a single GPO that has to include all that you want.
Commonly a Suggestion is to name a GPO discriptively to identify what it might be for.

GRoup Policy management console (GPMC) is a tool you can use to plan as well as to generate what the effect of Gpos are on computers/users..

Great, I definitely want to try to do this. Thanks. I need to get a snapshot of the current server so I can test things on the new version without damaging the original. I will let you know how it goes.

add GPMC to the new server , it is just a tool and provides a visual hierarchical display ....

security filter on a GPO is how you limit its application by user or computer or group .....

GPMC can also backup the GPOs you have

Thank you, I will try that also.

Thank you both for helping out. I ended up exporting the GPO from 2008R2 to 2016. It has not gone smoothly. A lot of things did not work or export correctly in 2016. But we are working on fixing those now. I believe it saved a lot of time in the long run though. Thanks!