Desktop Lockdown


  • Desktop Lockdown

    Hi all,

    I've been through GPO with a fine tooth comb, and am suffering blurry vision from staring at it so long, but for the life of me I just can't find what I'm looking for.

    I'm trying to apply a policy to workstations to prevent adding files to the desktop, while still displaying My Computer, My Docs, Internet Explorer and common program shortcuts.

    Additionally, want to stop people renaming the default icons, such as Internet Explorer to P**n Explorer etc.

    The interesting thing is, I recall a colleague once applying a GPO to a Terminal Server that had the end result of a user not being able to drag and drop items on the desktop etc. However, right-clicking a file and selecting Send to > Desktop (Create Shortcut) still worked.

    Any ideas? I suppose I could redirect everyone's Desktop to a central point with read-only, but would rather not. That still wouldn't prevent renaming the default icons, which is the most important part.

    I wouldn't mind users being able to add shortcuts to the desktop, just not files.

  • #2
    Re: Desktop Lockdown

    just create a custom GPO... the following GPO is what i use for the public PCs at my work. the public users are only allowed intranet access, mainframe access (to public functions), and admin approved printing.

    this is an export of the GPO as text. note what i have hidden... you don't have to hide everything like i did, but this example was created without any customization of templates or fancy scripts... just run-of-the-mill group policy management.

    note that some groups are excluded from this policy, and also keep in mind that this policy is only enabled on the OU housing the public users and the public PCs.

    set up a test OU and create a test policy and only link and enforce on that test OU. then, after you know it works, enable it on other OUs containing the users you wish to shaft...



    Owner: 123\Domain Admins
    Created: 4/18/2007 1:53:08 PM
    Modified: 4/18/2007 4:16:00 PM
    User Revisions: 80 (AD), 80 (sysvol)
    Computer Revisions: 1 (AD), 1 (sysvol)
    Unique ID: {87E2E5E3-5E26-49D6-B799-E1FD016B30D1}
    GPO Status: Enabled

    Links (Location | Enforced | Link Status | Path)
      Public PCs
    This list only includes links in the domain of the GPO.

    Security Filtering
    The settings in this GPO can only apply to the following groups, users, and
      123\Domain Users
      NT AUTHORITY\Authenticated Users

    WMI Filtering
      WMI Filter Name: None
      Description: Not applicable

    These groups and users have the specified permission for this GPO
    (Name | Allowed Permissions | Inherited)
      123\Domain Admins | Edit settings, delete, modify security | No
      123\Domain Users | Read (from Security Filtering) | No
      123\Enterprise Admins | Edit settings, delete, modify security | No
      NT AUTHORITY\Authenticated Users | Read (from Security Filtering) | No
      NT AUTHORITY\SYSTEM | Edit settings, delete, modify security | No

    Computer Configuration (Enabled)
    Administrative Templates
      Don't display the Getting Started welcome screen at logon: Enabled

    User Configuration (Enabled)
    Administrative Templates
    Control Panel
      Hide specified Control Panel applets: Enabled
        List of disallowed Control Panel applets: Printers and Faxes
      Prohibit access to the Control Panel: Enabled
    Control Panel/Display
      Hide Appearance and Themes tab: Enabled
      Hide Desktop tab: Enabled
      Hide Screen Saver tab: Enabled
      Hide Settings tab: Enabled
      Password protect the screen saver: Enabled
      Prevent changing wallpaper: Enabled
      Remove Display in Control Panel: Enabled
    Desktop
      Do not add shares of recently opened documents to My Network Places: Enabled
      Hide My Network Places icon on desktop: Enabled
      Prevent adding, dragging, dropping and closing the Taskbar's
      Prohibit adjusting desktop toolbars: Enabled
      Prohibit user from changing My Documents path: Enabled
      Remove My Computer icon on the desktop: Enabled
      Remove My Documents icon on the desktop: Enabled
      Remove Properties from the My Computer context menu: Enabled
      Remove Properties from the My Documents context menu: Enabled
      Remove Properties from the Recycle Bin context menu: Enabled
      Remove Recycle Bin icon from desktop: Enabled
      Remove the Desktop Cleanup Wizard: Enabled
    Desktop/Active Desktop
      Active Desktop Wallpaper: Disabled
    Start Menu and Taskbar
      Add Logoff to the Start Menu: Disabled
      Do not display any custom toolbars in the taskbar: Enabled
      Do not keep history of recently opened documents: Enabled
      Force classic Start Menu: Enabled
      Lock the Taskbar: Enabled
      Prevent changes to Taskbar and Start Menu Settings: Enabled
      Remove access to the context menus for the taskbar: Enabled
      Remove All Programs list from the Start menu: Enabled
      Remove and prevent access to the Shut Down command: Enabled
      Remove Balloon Tips on Start Menu items: Enabled
      Remove common program groups from Start Menu: Enabled
      Remove Documents menu from Start Menu: Enabled
      Remove Drag-and-drop context menus on the Start Menu: Enabled
      Remove Favorites menu from Start Menu: Enabled
      Remove frequent programs list from the Start Menu: Enabled
      Remove Help menu from Start Menu: Enabled
      Remove links and access to Windows Update: Enabled
      Remove Logoff on the Start Menu: Enabled
      Remove My Documents icon from Start Menu: Enabled
      Remove My Music icon from Start Menu: Enabled
      Remove My Network Places icon from Start Menu: Enabled
      Remove My Pictures icon from Start Menu: Enabled
      Remove Network Connections from Start Menu: Enabled
      Remove pinned programs list from the Start Menu: Enabled
      Remove programs on Settings menu: Enabled
      Remove Run menu from Start Menu: Enabled
      Remove Search menu from Start Menu: Enabled
      Remove Set Program Access and Defaults from Start menu: Enabled
      Remove user name from Start Menu: Enabled
      Turn off notification area cleanup: Enabled
      Turn off personalized menus: Enabled
      Turn off user tracking: Enabled
    System/Ctrl+Alt+Del Options
      Remove Change Password: Enabled
      Remove Lock Computer: Enabled
      Remove Logoff: Enabled
      Remove Task Manager: Enabled
    Windows Components/Windows Explorer
      Remove Windows Explorer's default context menu: Enabled
    Last edited by James Haynes; 2nd July 2007, 21:56.
    its easier to beg forgiveness than ask permission.
    Give karma where karma is due...


    • #3
      Re: Desktop Lockdown

      I hope you find some of this useful but the bottom line is that I do not have a definitive answer for preventing renaming an icon. I can satisfy all your other objectives, so read on...

      Actually, this is harder than it should be - I'm not surprised you're getting eye strain. Unless anyone else has a brilliant solution, you could take a look at the Microsoft "Common Scenarios" GPOs, which are a set of GPOs that provide for different levels of lockdown; some are very severe indeed. Instructions are here and the GPOs can be downloaded here, and you have to install them by running the batch file "CreateCommonScenarios.cmd". This will create a tree of OUs with GPOs linked to those OUs. There is only one that I want you to look at, for the moment, called "CS - Highly Managed (User)".

      If all you do is put a user in an organisational unit that is subjected to the "CS - Highly Managed (User)" GPO, you will see how restricted that user is. I do not need you to look at any other GPOs for the time being. Then you can play with the GPO which does the work and tweak it to your needs.

      Doing this showed me a lot about what can be done with GPOs and helped me to lock down workstations.

      Those GPOs will help stop them making changes in the first place (e.g. prevent right click on desktop - very useful), but I found it wasn't 100% in that a user can still rename an icon by pressing F2. Combine those GPOs with the "Can't save changes on exit" desktop policy (User config > Admin Templates > Desktop) and we are very, very nearly there, because any changes they do make are discarded. And since the only change they can make is to rename an icon, that's less of a bugbear than you might think. Since users can't do much on their desktop, you will simply have to log on as Admin, then go to their "Desktop" folder and add shortcuts as you like - it's now getting very hard for them to mess with their desktop, and even if they do, those changes get lost. Not too bad.

      You may also find this link to disable right-click on desktop useful.

      Warning!!! Carrying out any of the steps above can seriously damage user functionality to their PC. Always deploy and test this stuff on a virtual server/virtual pc, or one that is not in production before rolling anything like this out to your users.

      Like I said, not the best answer but I hope it helps a bit.
      Best wishes,
      MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008


      • #4
        Re: Desktop Lockdown

        Thanks guys,

        I didn't want to enable the "Don't Save Settings on exit" policy, as then window locations aren't saved etc.

        Quite surprised such an obvious lockdown is not there, frankly if a user isn't an administrator of the PC they shouldn't be able to rename the default desktop icons! Almost a bug even.

        I suppose I'm going to have to set the policies to remove those icons and replace them with shortcut versions and either script a setting of read-only to their desktop on logon and unset on log off or redirect everyone's desktop to a central location, perhaps based on department.

        I've already applied extensive lockdowns, hidden the C drive, and configured the common open dialog to display My Docs (which is redirected to the Z drive), My Pics and their Z drive, and removed Desktop.

        These lockdowns are more for ease of management, prevention of user created problems, enforcing of settings (Office 2007 to use Office 2003 file formats, so other companies can open the files), and keeping a professional corporate image.

        Still, bewildered with all the settings, they can mess with the names of the icons.
        On another note, I disabled every control panel and display tab except for Settings and Appearance, in case we need to be able to adjust the resolution or text size, but had to get rid of it completely because they could still click the Advanced button and change the background colour or colours of the window items.

        Quite frustrating getting the right configuration.


        • #5
          Re: Desktop Lockdown

          I hear you...
          I have an annoying issue on my public stations: people delete the My Computer icon from the Desktop. Because of the "Don't save settings on exit" policy, it is back after a logoff/logon, but it is still a pain in the ass!
          Couldn't find any solution so far...

          Sorin Solomon

          In order to succeed, your desire for success should be greater than your fear of failure.


          • #6
            Re: Desktop Lockdown

            Guys, I have found something interesting...

            The Recycle Bin icon does not have the rename or delete right-click context menu options. In addition, a staggered double left click does not permit renaming.

            Also, if you are able to remove the Delete option from the context menu, highlighting and pressing the del key no longer deletes it.

            I found a tip on the internet that allows you to rename the recycle bin by adding the following registry entries, however the delete is not displayed:

            Another interesting tip is being able to alter the sorting layout
            ;Sorts My Computer Above My Documents
            The following ensures there is the Outlook icon on the desktop, however it has the rename and delete options.
            Now, the following are the desktop icons, and they are all under HKEY_CLASSES_ROOT\CLSID\
            {450D8FBA-AD25-11D0-98A8-0800361B1103} My Documents
            {20D04FE0-3AEA-1069-A2D8-08002B30309D} My Computer
            {208D2C60-3AEA-1069-A2D7-08002B30309D} Network Places
            {871C5380-42A0-1069-A2EA-08002B30309D} Internet Explorer
            {00020D75-0000-0000-C000-000000000046} Outlook

            These icons do not have "Attributes" or "CallForAttributes" in the ShellFolder subkey.

            Using this information, it must be possible to configure values for Attributes and CallForAttributes that leave the icons intact, but remove the rename and delete.

            Anyone work it out? I've done some playing, but the My Documents icon started opening a blank folder with Search enabled; fortunately I backed up that key and restored it again.

            Then I tried using the values from the tweak for Recycle Bin, and the delete option has gone for My Documents and it still appears to be working ok. This could be a real breakthrough in Desktop Lockdown, if only I could work out the right value to hide rename as well.

            Doesn't work for My Computer or My Network Places though, still displaying both rename and delete.
            Last edited by AJStevens; 5th July 2007, 11:31.


            • #7
              Re: Desktop Lockdown

              Interesting direction...
              But being under Classes_Root, doesn't this editing apply to any user logged in to the machine?
              Last edited by sorinso; 5th July 2007, 12:45. Reason: typos

              Sorin Solomon

              In order to succeed, your desire for success should be greater than your fear of failure.


              • #8
                Re: Desktop Lockdown

                I believe Classes_Root is generated just like Current_User when someone is logged on.

                To apply it to all users, isn't that Classes Root under Local_Machine?


                • #9
                  Re: Desktop Lockdown

                  The following will lock the My Documents and Outlook Desktop icons from being renamed or deleted.

                  Windows Registry Editor Version 5.00
                  Unfortunately, the My Computer and My Network Places icons remain unaffected by using the same values in their keys.

                  The Internet Explorer icon is prevented from being deleted, but not renamed, probably because it stores the Attributes as a DWORD instead of a BINARY like the others.
                  Last edited by AJStevens; 5th July 2007, 13:41.


                  • #10
                    Re: Desktop Lockdown

                    Hmmmm, I just showed that my signature is valid.
                    Excerpt from Wikipedia:
                    Abbreviated HKCR, HKEY_CLASSES_ROOT stores information about registered applications, including associations from file extensions and OLE object class ids to the applications used to handle these items. On Windows 2000 and above, HKCR is a compilation of HKCU\Software\Classes and HKLM\Software\Classes. If a given value exists in both of the subkeys above, the one in HKCU\Software\Classes is used.
                    Duh !!

                    Sorin Solomon

                    In order to succeed, your desire for success should be greater than your fear of failure.


                    • #11
                      Re: Desktop Lockdown

                      That's ok.

                      I've tried various values for the Internet Explorer icon, but best I can do is remove the delete option, the rename remains.

                      As for My Computer and My Network Places, I don't think they pay any attention to Attributes and CallForAttributes since they don't have them by default.
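
The audit below is an added example, not code posted in this thread. It reads the Attributes and CallForAttributes values for the desktop-icon CLSIDs listed in post #6 from both hives that make up HKCR (the HKCU/HKLM merge quoted in post #10), reports which copy wins, and shows which icons carry no such values at all (post #11). It writes nothing to the registry; the CLSIDs and key paths are the ones named in the thread.

```powershell
# Added example (not from the thread): read-only audit of ShellFolder Attributes /
# CallForAttributes for the desktop-icon CLSIDs from post #6, checked in both hives
# that HKCR is compiled from, so you know where a value really lives before editing.
$DesktopIconClsids = [ordered]@{
    '{450D8FBA-AD25-11D0-98A8-0800361B1103}' = 'My Documents'
    '{20D04FE0-3AEA-1069-A2D8-08002B30309D}' = 'My Computer'
    '{208D2C60-3AEA-1069-A2D7-08002B30309D}' = 'My Network Places'
    '{871C5380-42A0-1069-A2EA-08002B30309D}' = 'Internet Explorer'
    '{00020D75-0000-0000-C000-000000000046}' = 'Outlook'
}

function Format-RegValue {
    # Render a value the way regedit shows it, so BINARY vs DWORD (post #9) is obvious.
    param($Raw)
    if ($null -eq $Raw)    { return '(absent)' }
    if ($Raw -is [byte[]]) { return 'BINARY ' + (($Raw | ForEach-Object { $_.ToString('x2') }) -join ' ') }
    if ($Raw -is [int])    { return 'DWORD 0x{0:x8}' -f $Raw }
    return "$($Raw.GetType().Name) $Raw"
}

function Get-ShellFolderValue {
    # Returns $null when the ShellFolder key or the named value is missing in that hive.
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive, [string]$Clsid, [string]$Name)
    $key = "${Hive}:\Software\Classes\CLSID\$Clsid\ShellFolder"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $item = Get-Item -LiteralPath $key
    if ($item.GetValueNames() -notcontains $Name) { return $null }
    return $item.GetValue($Name)
}

function Get-DesktopIconAttributeReport {
    foreach ($clsid in $DesktopIconClsids.Keys) {
        foreach ($name in 'Attributes', 'CallForAttributes') {
            $lm = Get-ShellFolderValue -Hive HKLM -Clsid $clsid -Name $name
            $cu = Get-ShellFolderValue -Hive HKCU -Clsid $clsid -Name $name
            # HKCR merge rule from post #10: a per-user copy overrides the machine copy.
            $wins = if ($null -ne $cu) { 'HKCU' } elseif ($null -ne $lm) { 'HKLM' } else { 'none' }
            [pscustomobject]@{
                Icon      = $DesktopIconClsids[$clsid]
                Value     = $name
                HKLM      = Format-RegValue $lm
                HKCU      = Format-RegValue $cu
                Wins      = $wins
                Effective = Format-RegValue $(if ($null -ne $cu) { $cu } else { $lm })
            }
        }
    }
}

Get-DesktopIconAttributeReport | Format-Table -AutoSize
```

Rows showing "Wins = HKCU" are per-user edits that only affect the current profile; an entry that should apply to every user on the machine has to live under HKLM\Software\Classes, as post #8 suspected.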