  • How to deny users from saving files or folders to desktop

    Situation: I don't want any user in the domain to be able to save files or create folders on their desktops (because I'm using folder redirection for their Document folders).

    I've been searching group policy for that but I couldn't find it. Please suggest a solution. Thanks a lot.
    Teamwork

  • #2
    This won't deny them from saving to the desktop; you'd need to alter the permissions on the folder in order to do that. That can be done with a logon script if you wish. However, if you redirect the desktop, when users save something there it won't be saved locally. I believe this is probably what you want.

    -----

    Use the GPO to redirect the desktop folder to their network drive.

    Path: \\server\sharename\%username%\Desktop

    Check "Move the contents of Desktop to the new location"

    -----

    The following is for the benefit of others who read this and don't know how to redirect folders...

    Open the GPO Editor (gpedit.msc) - Default Domain Policy.

    Use the Group Policy Management Console: expand Forest->Domain->YourDomain->Group Policy Objects->R-Click Default Domain Policy->Edit.
    Otherwise you'll need to type this in...
    gpedit.msc /gpobject:"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=servername,DC=domainroot,DC=domainsuffix"


    R-Click Desktop->Properties

    Specify what type of redirection you want for the location, based on group or all domain users to one location. After specifying the location, click the Settings tab and make sure the box labeled "Move the contents of Desktop to the new location" is enabled. This should do it.
    Andrew

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Thanks ahinson,

      I'd love to move the user's files on the desktop to a network location if it doesn't generate network traffic. The reason that I use "My Document" folder redirection is because I don't want users to generate network traffic by saving a 50MB file on their desktop.

      So probably I'd have to tweak the user's permissions, but I'd like to ask how to accomplish that task for all of the users in a domain.

      Regards,
      Teamwork



      • #4
        Originally posted by azmantek
        I'd love to move the user's files on the desktop to a network location if it doesn't generate network traffic. The reason that I use "My Document" folder redirection is because I don't want users to generate network traffic by saving a 50MB file on their desktop.

        So probably I'd have to tweak the user's permissions, but I'd like to ask how to accomplish that task for all of the users in a domain.
        Well, you can use a quota on the profile so it won't grow too large. This would keep it from moving a bunch of garbage and keep them from saving large files.

        If you want to go with the permission route you can use Xcacls.exe to alter the permission of a specific folder via the command prompt.

        Once you figure out how, you can create a logon script to alter the local permissions on the workstations. You should be able to write a batch file to do it. The location should be the same for every machine.

        C:\Documents and Settings\%username%\Desktop
        and
        C:\Documents and Settings\All Users\Desktop

        Remove the Write attribute for %username%, users and everyone. If you have trouble try disabling permission inheritance - it generates an error if this is enabled.

        Read this to learn about Xcacls and its cmd line switches...
        http://support.microsoft.com/default.aspx?kbid=318754
        Andrew

        ** Remember to give credit where credit is due and leave reputation points where appropriate **
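The permission change described in post #4, sketched in PowerShell as an added example (not code posted in the thread, and not Xcacls.exe): it disables inheritance on one Desktop folder, then removes the Write right from the named user, BUILTIN\Users and Everyone. The function name and both parameters are assumptions made for illustration.

```powershell
# Added example, not from the thread. Run from an elevated session.
# Remove-DesktopWriteAccess, $DesktopPath and $UserName are hypothetical names.
function Remove-DesktopWriteAccess {
    param(
        [Parameter(Mandatory = $true)][string]$DesktopPath,  # e.g. C:\Documents and Settings\<user>\Desktop
        [Parameter(Mandatory = $true)][string]$UserName      # DOMAIN\user
    )

    # Stop inheriting from the parent folder. ($true, $true) keeps the inherited
    # entries as explicit copies, so the access itself is unchanged at this point.
    $acl = Get-Acl -LiteralPath $DesktopPath
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $DesktopPath -AclObject $acl

    # Re-read: the copied entries are only editable as explicit ACEs once persisted.
    $acl = Get-Acl -LiteralPath $DesktopPath

    # Well-known SIDs avoid depending on localized group names.
    $targets = @(
        (New-Object System.Security.Principal.NTAccount($UserName)),
        (New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')),  # BUILTIN\Users
        (New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0'))        # Everyone
    )

    $write   = [System.Security.AccessControl.FileSystemRights]::Write
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    foreach ($id in $targets) {
        # RemoveAccessRule subtracts the listed rights from matching Allow entries;
        # read and execute rights on those entries are left in place.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, $write, $inherit, $prop, $allow)
        [void]$acl.RemoveAccessRule($rule)
    }
    Set-Acl -LiteralPath $DesktopPath -AclObject $acl

    # Return the resulting entries so the change can be reviewed.
    (Get-Acl -LiteralPath $DesktopPath).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
}
```

An account that owns the folder, or that keeps ChangePermissions through a Full Control entry, can put the Write right back, so review the returned entries rather than assuming the folder is locked.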


        • #5
          Thanks Andrew,

          Thanks a bunch for helping, bro. I know it's very late at your place. I hope no more storms come your way. Good luck and good night. I'll have a detailed report of how I implement this. Thanks again and good night.
          Teamwork



          • #6
            Yeah, I'm a night owl and I only need 4 hours' sleep.

            Good luck.
            Andrew

            ** Remember to give credit where credit is due and leave reputation points where appropriate **


            • #7
              Hello Andrew,
              I'm still working on it. Here's a detailed article that I found on the MS web site. I hope you like it.

              How to use xcacls.vbs to modify NTFS Permissions.

              And download it here.

              Regards.
              Teamwork



              • #8
                Excellent, it looks like a good resource, thanks.
                Andrew

                ** Remember to give credit where credit is due and leave reputation points where appropriate **


                • #9
                  Originally posted by ahinson
                  This won't deny them from saving to the desktop, you'd need to alter the permissions on the folder in order to do that. That can be done with a logon script if you wish.
                  I did modify the desktop permission through a logon script. It works...Yay...the user can't save anything to the desktop. Happy? Not yet.

                  I log off, log on with that same user, and it gives me an error msg saying that it can't copy the profile from the server. I hit OK and it returns me back to the logon screen. I log on again and it lets me.

                  Error msg was "windows can't copy the "\\blah\desktop" to "C:\Docu..\Desktop".

                  I know that a logon script uses the current logged-on user's privilege to execute the script.

                  So, it takes me two times to log on after I log off the workstation due to that permission problem.

                  And right now I can't think of any other solution. Please advise.

                  Regards,
                  Teamwork



                  • #10
                    Dirty workaround:
                    Redirect users' desktop to a network share and give the users about 100K quota on the disk the share is located on.

                    Desktop folder should better remain writable if you want to avoid nasty popups during application installations or logons.
                    Guy Teverovsky
                    "Smith & Wesson - the original point and click interface"



                    • #11
                      You can stop users from saving files or folders directly to the desktop through group policy. Create a GP, and go to Computer Configuration / Windows Settings / Security Settings / File System. Then add 2 files,

                      %AllUsersProfile%\Desktop

                      %UserProfile%\Desktop

                      If you accept the default permissions for these, standard users will not have the write permission to these folders. I've added IT to have full control of these just in case, but ordinary bods, no way.

                      This is much tidier than using Xcacls and login scripts



                      • #12
                        Hi dazzabroughton,

                        Thank you very much for suggesting a nice solution. I already experienced it in three environments: local profiles, roaming profiles, mandatory profiles. I also tried with default and modified NTFS permissions of %AllUserProfiles%\Desktop, %DefaultUserProfile%\Desktop, %UserProfile%\Desktop. The result was: it only worked with local user profiles. For roaming and mandatory profiles, it didn't work due to the permission problems when Windows copied the profiles from the server (same error msg that I already stated up above).

                        Would you please spend some time to explain your situation and how you make it work? Thank you very much.

                        Regards,
                        Teamwork



                        • #13
                          Hi, you can do this by converting your user profile into a mandatory profile. Just convert ntuser.dat to ntuser.man.
