How to lock user desktop?

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Is there a GPO to prevent users from saving anything (links, docs, shortcuts)
to the desktop? All I could find is a way to hide desktop icons, prevent
saving in the taskbar, etc.

I see a way to do this with mandatory profiles, but would like to go the
easier route of a GPO.

Thanks.
 
Howdy Steve!
Is there a GPO to prevent users from saving anything (links, docs, shortcuts)
to the desktop? All I could find is a way to hide desktop icons, prevent
saving in the taskbar, etc.
Click to expand...

What about using the group policy filesystem-settings in CompConf\Window
s Settings\Security Settings\File System ? You can add a "rule" and deny
your users the "Write" and "Modify" permissions...

cheers,

Florian
 
I've not used this GPO item before - the only option I have is to add file.
What kind of file is it expecting to add so that I can try this?

Thanks.
 
Howdy Steve!
I've not used this GPO item before - the only option I have is to add file.
What kind of file is it expecting to add so that I can try this?
Click to expand...

It's quite simple. The "file to add" is the "Desktop"-folder as you wish
to set permissions on that. So you need to "add" the Desktop folder and
click "OK". The editor will then open the known "Security" dialog where
you can change NTFS permissions.

If you haven't done this before, you might want to create a test-OU with
test-users and a test-computer and try this GP on them...

cheers,

Florian
 
Would I select the "documents & settings\all users\desktop" folder from my
local machine and then adjust permissions for all authenticated users for
read only & list?

Thanks.
 
Howdy Steve!
Would I select the "documents & settings\all users\desktop" folder from my
local machine and then adjust permissions for all authenticated users for
read only & list?
Click to expand...

In order to restrict the permission for all _new_ users on the machine,
you will have to choose the "Documents and Settings\Default
User\Desktop" folder. But as I saw right now, this will not affect
existing profiles on the computers. So, you'd need to change the
existing profiles' permissions manually with a tool like subinacl.exe
(http://www.microsoft.com/downloads/...56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en)

Sorry...

cheers,

Florian
 
You may want to consider using a mandatory roaming profile instead of
local profiles

-Evan
 
Back
Top