Stop users saving to desktops - when using a mandatory desktop


  • Stop users saving to desktops - when using a mandatory desktop

    Hello all,

    I have been setting up a new policy with mandatory desktop settings. It is all working well. I have only one more thing that I would like to stop if at all possible.

    I know if a user saves to the desktop on the next logon it will be gone, to stop people losing their work I would like to stop them being able to save there in the first place.

    I have searched on here and tried a few suggestions but have found it to be a bit of an issue that doesn't seem to have a working solution? Has anyone managed to stop users saving to the desktop when using a mandatory profile?

    I have looked here http://forums.petri.com/showthread.php?t=274 but it won't work for me as I get loads of permission errors.

    Has anyone got this to work?

    Best Regards,
    Simon
    Last edited by Si_Pe; 8th February 2007, 18:07.
    Kind Regards,
    Simon

  • #2
    Re: Stop users saving to desktops - when using a mandatory desktop

    Hi Simon,

    This is a really tricky one and I have to confess I have not tested this yet, so do please let me know how you get on:

    In GPO, navigate to User Configuration > Windows Settings > Administrative Templates > Desktop > Active Desktop
    Set Enable Active Desktop to Disabled
    Set prohibit adding items to Enabled
    Set prohibit changes to Enabled
    Set prohibit editing items to Enabled

    I do apologise if it doesn't work - I am not near a system to check it out until after the weekend. I obtained this info from an archive somewhere in the petri.co.il site - sorry can't find it now to give you a link but basically that's what it says.

    I'd be very interested if it worked!
    Best wishes,
    PaulH.
    MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

    Comment


    • #3
      Re: Stop users saving to desktops - when using a mandatory desktop

      Hi Paul,

      Thanks for your reply, I will give it a shot later on. I did look at this but it all sounded too easy after problems I have read that others were having.

      I have VPN access at home so I will try it in a bit and let you know.

      Cheers
      Simon
      Kind Regards,
      Simon

      Comment


      • #4
        Re: Stop users saving to desktops - when using a mandatory desktop

        Originally posted by PaulH View Post
        Hi Simon,

        This is a really tricky one and I have to confess I have not tested this yet, so do please let me know how you get on:

        In GPO, navigate to User Configuration > Windows Settings > Administrative Templates > Desktop > Active Desktop
        Set Enable Active Desktop to Disabled
        Set prohibit adding items to Enabled
        Set prohibit changes to Enabled
        Set prohibit editing items to Enabled

        I do apologise if it doesn't work - I am not near a system to check it out until after the weekend. I obtained this info from an archive somewhere in the petri.co.il site - sorry can't find it now to give you a link but basically that's what it says.

        I'd be very interested if it worked!

        Hello,

        Just tried it now and I can still save to the desktop. Worth a shot though thanks.

        Any other suggestions? Maybe change the permissions on the logon script after the policy has loaded?

        Cheers
        Kind Regards,
        Simon

        Comment


        • #5
          Re: Stop users saving to desktops - when using a mandatory desktop

          How about something old school where you change the ACLs on the user's Desktop directory in their profile to read-only via XCACLS and a logon script?

          Not elegant but it will work.
          Cheers,

          Rick

          ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

          2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.

          Comment


          • #6
            Re: Stop users saving to desktops - when using a mandatory desktop

            Originally posted by rvalstar View Post
            How about something old school where you change the ACLs on the user's Desktop directory in their profile to read-only via XCACLS and a logon script?

            Not elegant but it will work.

            Sounds good to me, how do I do that?

            Never done that before.

            Many thanks
            Simon
            Kind Regards,
            Simon

            Comment


            • #7
              Re: Stop users saving to desktops - when using a mandatory desktop

              Are you running logon scripts currently and, if so, CMD or VBS or ???
              Cheers,

              Rick


              Comment


              • #8
                Re: Stop users saving to desktops - when using a mandatory desktop

                Originally posted by rvalstar View Post
                Are you running logon scripts currently and, if so, CMD or VBS or ???

                Hi,

                Cmd logon at the mo. In 2000 Advanced Server.
                Kind Regards,
                Simon

                Comment


                • #9
                  Re: Stop users saving to desktops - when using a mandatory desktop

                  First, I believe you can find XCACLS.EXE in the Support Tools on your W2K Disk.

                  Let's imagine the Desktop directory is located at %USERPROFILE%\Desktop

                  Open a CMD box and:

                  Do a DIR "%USERPROFILE%\Desktop" to verify location.

                  Do an XCACLS "%USERPROFILE%\Desktop" on a representative account to see what the permissions are.

                  For my local administrator account on %COMPUTERNAME%:

                  C:\Documents and Settings\Administrator\Desktop
                  %COMPUTERNAME%\Administrator:F
                  %COMPUTERNAME%\Administrator: (OI)(CI)(IO)F
                  NT AUTHORITY\SYSTEM:F
                  NT AUTHORITY\SYSTEM: (OI)(CI)(IO)F
                  BUILTIN\Administrators:F
                  BUILTIN\Administrators: (OI)(CI)(IO)F

                  For my domain user account %USERNAME% on domain %USERDOMAIN%:

                  C:\Documents and Settings\%USERNAME%\Desktop
                  %USERDOMAIN%\%USERNAME%:F
                  %USERDOMAIN%\%USERNAME%: (OI)(CI)(IO)F
                  NT AUTHORITY\SYSTEM:F
                  NT AUTHORITY\SYSTEM: (OI)(CI)(IO)F
                  BUILTIN\Administrators:F
                  BUILTIN\Administrators: (OI)(CI)(IO)F

                  Now when logging on to a local account, USERDOMAIN = COMPUTERNAME so we can use the environment variables in the last example for both cases.

                  That stuff in parens, here's what it means:

                  (OI) means Object Inheritance -- This permission is defined directly on this object
                  (CI) means Child Inheritance -- This permission is inherited by child objects
                  (IO) means Inherit Only -- Apply onto Subfolders and files only
                  (NP) means No Propagation -- Apply these permissions to objects and/or containers within this container only

                  Since the perms are inherited, we need to replace them, not edit them. I really don't want to mess w/ the Deny switch as I don't believe it will come out well.

                  So all we really need to do is give %USERDOMAIN%\%USERNAME% "R" and SYSTEM, ADMINISTRATORS "F" at the Desktop directory:

                  XCACLS "%USERPROFILE%\Desktop" /T /C /P %USERDOMAIN%\%USERNAME%:R SYSTEM:F Administrators:F /Y > nul

                  This will replace the permissions on the shortcuts in .\Desktop too.
                  Last edited by rvalstar; 9th February 2007, 11:38. Reason: Oops forgot the /T switch
                  Cheers,

                  Rick


                  Comment


                  • #10
                    Re: Stop users saving to desktops - when using a mandatory desktop

                    Hi,

                    Thanks very much for your detailed reply!! I will let you know how I get on!

                    Thanks
                    Simon
                    Kind Regards,
                    Simon

                    Comment


                    • #11
                      Re: Stop users saving to desktops - when using a mandatory desktop


                      Hi,

                      Thanks for this, it has worked well.

                      Cheers!
                      Kind Regards,
                      Simon

                      Comment


                      • #12
                        Re: Stop users saving to desktops - when using a mandatory desktop

                        Hope it works. You may also want to see who has ownership of .\Desktop and the shortcuts. If it is the user, they may be able to grant permissions back if they know how.

                        You can experiment with TAKEOWN in the W2K Resource Kit BUT you'll have to be logging in as an administrator to grant ownership to the Administrators group so this will not work without complications running as a normal user from the logon script.

                        You could hope no one hacks the logon.cmd to see the password included as an argument, put it in a startup script which AFAIK runs as SYSTEM, see if you can set it at the server if using roaming profiles, or you can try RUNAS as Sorin describes here:

                        http://forums.petri.com/showthread.p...ighlight=runas

                        TAKEOWN Syntax:

                        http://technet2.microsoft.com/Window....mspx?mfr=true

                        TAKEOWN download:

                        http://www.petri.co.il/download_free_reskit_tools.htm
                        Cheers,

                        Rick


                        Comment


                        • #13
                          Re: Stop users saving to desktops - when using a mandatory desktop

                          Originally posted by rvalstar View Post
                          Hope it works. You may also want to see who has ownership of .\Desktop and the shortcuts. If it is the user, they may be able to grant permissions back if they know how.

                          You can experiment with TAKEOWN in the W2K Resource Kit BUT you'll have to be logging in as an administrator to grant ownership to the Administrators group so this will not work without complications running as a normal user from the logon script.

                          You could hope no one hacks the logon.cmd to see the password included as an argument, put it in a startup script which AFAIK runs as SYSTEM, see if you can set it at the server if using roaming profiles, or you can try RUNAS as Sorin describes here:

                          http://forums.petri.com/showthread.p...ighlight=runas

                          TAKEOWN Syntax:

                          http://technet2.microsoft.com/Window....mspx?mfr=true

                          TAKEOWN download:

                          http://www.petri.co.il/download_free_reskit_tools.htm

                          Thanks for your help with this,

                          I have had to set up a logoff script to set the permissions back as we were getting access denied when logging on for the second time as that user couldn't load the desktop.

                          Have you had much use of logoff scripts?

                          Thanks
                          Simon
                          Kind Regards,
                          Simon

                          Comment


                          • #14
                            Re: Stop users saving to desktops - when using a mandatory desktop

                            Just to let you know that the logon script changes the permissions perfectly and the logoff script also sets them back to normal!

                            Another excellent solution!


                            Thanks very much!
                            Simon
                            Kind Regards,
                            Simon

                            Comment
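
The logon/logoff pairing that posts #9 to #14 arrive at, written out as one CMD script that also checks the change took effect, which goes slightly beyond what the thread shows. This is an added example, not code posted in the thread; the script name, the LOCK/UNLOCK argument, the probe file and the log path are assumptions.

```batch
@echo off
rem Added example, not code from the thread. Script name, LOCK/UNLOCK argument,
rem probe file name and log location are assumptions.
rem   logon script:  call desktop-acl.cmd LOCK
rem   logoff script: call desktop-acl.cmd UNLOCK
setlocal
set DESKTOP=%USERPROFILE%\Desktop
set ACCOUNT=%USERDOMAIN%\%USERNAME%
set PROBE=%DESKTOP%\~acl-probe.tmp
set LOG=%TEMP%\desktop-acl.log
set PERM=

rem R = read-only during the session, F = full control restored at logoff.
if /i "%~1"=="LOCK" set PERM=R
if /i "%~1"=="UNLOCK" set PERM=F
if not defined PERM goto usage
if not exist "%DESKTOP%\" goto nodesktop

rem The command from post #9, with the account quoted so names containing
rem spaces survive. /P without /E replaces the ACL, /T recurses, /C continues
rem on access-denied errors, /Y suppresses the confirmation prompt.
xcacls "%DESKTOP%" /T /C /P "%ACCOUNT%:%PERM%" SYSTEM:F Administrators:F /Y > nul 2>&1

rem Verify by behaviour: try to create a file the way a user's "Save" would.
copy nul "%PROBE%" > nul 2>&1
if "%PERM%"=="R" goto checklock

rem UNLOCK: the probe must exist, otherwise the next logon can hit access denied.
if not exist "%PROBE%" goto failed
del "%PROBE%" > nul 2>&1
goto ok

:checklock
rem LOCK: the probe must NOT exist. Members of Administrators keep F and can
rem always write, so they are logged here as FAILED.
if not exist "%PROBE%" goto ok
del "%PROBE%" > nul 2>&1
goto failed

:ok
echo %DATE% %TIME% %PERM% applied and verified for %ACCOUNT% >> "%LOG%"
goto end

:failed
echo %DATE% %TIME% FAILED to apply %PERM% for %ACCOUNT% on "%DESKTOP%" >> "%LOG%"
goto end

:nodesktop
echo %DATE% %TIME% no Desktop folder at "%DESKTOP%" >> "%LOG%"
goto end

:usage
echo Usage: %~nx0 LOCK or UNLOCK
:end
```

Because the unlock runs as the user, it only works while the user still owns the Desktop folder, which is the same ownership point raised in post #12.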


                            • #15
                              Re: Stop users saving to desktops - when using a mandatory desktop

                              Access denied because of roaming profiles and the .\Desktop directory can't be replaced?

                              I haven't used a logoff script but it can't be too hard. I'm wondering if it runs should you shut down?

                              And if the logoff script fails, you are in the same boat.

                              You just don't want them to be able to create shortcuts or put documents on the desktop as they will be lost next time around, correct?

                              Set the permissions back to default, manually deny the user create permissions in the Advanced tab, and see if a logoff / logon works. If it does, we can look at what it takes to implement denying that one permission only.

                              Otherwise we can look at a logoff script.

                              Or maybe another idea will come up?
                              Cheers,

                              Rick


                              Comment
