prevent users from saving to local profile

tony

I am using document, desktop, application, start menu redirection for all
users; however, the user can still navigate to
their own profile under the local machine

c:\Documents and Settings\Username and save stuff there.

What do I have to do to restrict them from writing to this profile?

I really don't want them to create any local profile on the local machine as
these are lab machines and don't want them to be
cluttered with stuff.
 
tony said:
I am using document, desktop, application, start menu
redirection. for all
users however the user can still navigate to
their own profile under the local machine

c:\Documents and Settings\Username and save stuff there.

what do I have to do to restrict them from writing to this
profile?

I really dont want them to create any local profile on the
local machine as
these are lab machines and dont want them to be
cluttered with stuff.

Hi,

First of all, Hide Drives in My Computer Group Policy will stop the
navigation. There is no way to prevent the profile downloading as the
OS is built that way. There are, however, ways to have the profile
deleted on logoff. It works "most" of the time so I also have a
startup script that cleans out everything in the C:\Documents and
Settings except the Default and All Users.

1> Group Policy done on COMPUTER OU (not at the Domain GP).
Computer Config - Windows Settings - Security Settings - Local Policies
- Security Options - "Interactive Logon: Number of previous logons to
cache" = 0

2> This setting can be done on Domain GP.
Computer Config - Admin Templates - System - User Profiles - "Delete
cached copies of roaming profiles" = Enabled.

Batch file I use as a startup script on my Computers (In group policy)


<start script>

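@echo off
rem Stop if the profile root cannot be entered, so rmdir never runs elsewhere
pushd "C:\Documents and Settings" || exit /b 1

rem Delete every profile folder whose name is not in the exempt list
set Exempt=*Administrator* *All Users* *Default User* *LocalService* *NetworkService*
for /d %%a in (*.*) do echo %Exempt% | find /i "*%%a*" > nul || rmdir /s /q "%%a"
popd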

<end script>

Cheers,

Lara
 
tony said:
What kind of script format? .bat? I tried running it and it gives
me "syntax is incorrect".

Hi,

Yes, it is a batch file. It may be that your line returns are off.
The set Exempt is all one line. The next line starts with "for /d"
and continues with the rmdir (all on the one line). The last line is
popd. Total is 5 lines (not including spaces or blank lines).

<start script>

@echo off
pushd "C:\Documents and Settings" || exit /b 1

set Exempt=*Administrator* *All Users* *Default User* *LocalService* *NetworkService*
for /d %%a in (*.*) do echo %Exempt% | find /i "*%%a*" > nul || rmdir /s /q "%%a"
popd

<end script>
 
Be aware that "hiding" the drive letter does not "stop navigation", it
merely stops it displaying in Windows Explorer by default.

Anyone can still navigate anywhere on the "hidden" drive by:

1. Start, Run, key c:\ press Enter
2. open Windows Explorer, key c:\ in the Address bar; press Enter

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
 
Anyone can still navigate anywhere on the "hidden" drive by:
1. Start, Run, key c:\ press Enter
2. open Windows Explorer, key c:\ in the Address bar; press Enter

Actually no. When you Hide Drives in My Computer and you put C:\ in
the address bar it says you are restricted from viewing C:\. Certain
apps may "open" a folder in drive C:\ but then if they navigate
away it disappears.

My users don’t have access to the run command with GP so that is easy
to do and I haven’t tested it there.

Cheers,
Lara
 
Well, Lara, please don't take offence, but my experience seems to be
different from yours or perhaps we are not talking about the same thing.

Using Loopback Processing, on our Windows 2003 Terminal Servers, we have
this setting via GPO for all users except Administrators (suppressed for
Administrators by Security Filtering):

User Configuration:
  Administrative Templates
    Windows Components
      Windows Explorer
        Hide these specified drives in My Computer: Enabled: Restrict A,
        B, C, D, E and F drives only (uses a custom ADM to get this set)

I've also used this on Windows XP workstations.

When a user (other than an Administrator) logs on and opens Windows
Explorer, none of these drives show inside My Computer - neither in the tree
view in the left pane, nor the right pane.

However, if such a user keys c:\ in the Windows Explorer Address Bar and
presses Enter, the C drive is added to the left pane and the contents show
in the right pane.

Now, if in Windows Explorer, Tools, Folder Options, View, there is no check
mark in "Display the contents of system folders", the user will get the
message "These files are hidden" in the right pane if the root of the C
drive or the c:\windows folder is selected. However, the user can still
view the contents of other folders to which they have been granted at least
List or Read permission. The "Display the contents of system folders"
setting can be changed by the user at any time.

There is another setting in the same GPO Administrative Templates Category
called "Prevent access to drives from My Computer" which may produce the
behaviour you describe (I haven't experimented with that setting).
 
Well, Lara, please don’t take offence, but my experience seems
to be different from yours or perhaps we are not talking about the
same thing. Using Loopback Processing, on our Windows 2003 Terminal
Servers, we have this setting via GPO for all users except
Administrators (suppressed for Administrators by Security Filtering.

Hi Bruce,

No offence of course. I am not sure why yours doesn’t seem to be
working properly. However, I use neither Terminal Services, Loopback
Processing (except for scripts) nor Security Filtering on my GPOs so
that may have something to do with it.

I have 2400 Users. On their Parent OU I have a Group Policy. I also
modified the system.adm for Hide these specified drives in My
Computer: Enabled: Restrict C, D, O and R drives only.

When any of my users logs on and puts in C:\ in My Computer, it says
"Access to the resource c:\ has been disallowed". I just did
it now to be sure. It also says it for D, O and R.

I don’t use the "restrict access" GP setting because it doesn’t
allow the programs to run.

I am running Windows 2000 SP3 and Windows XP SP2 workstations.

The only time the computer will show "C:" is if a Program defaults
to opening a folder on C:\ however, once they navigate away from the
folder it disappears.

Maybe it has something to do with Terminal Services. We haven’t ever
had a problem even back with Windows 2000 before the service packs.
My users try anything to access files/software they aren’t allowed to
so I have to be extra careful to test, test and test again.

Cheers,

Lara
 
Hmm a mystery. When I get a chance, I'll do some more tests on the very
small domain I have at home to see if I can get to the bottom of this
difference in behaviour.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
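
An added example, not part of any post in this thread: a batch script that reads the two per-user Explorer policy values behind "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer" and lists the drive letters each one covers, so the two setups compared above can be checked on a workstation. The registry value names NoDrives and NoViewOnDrive are not given in the thread; the script assumes reg.exe is available (built in on Windows XP, part of the Support Tools on Windows 2000) and that it is run as the affected user.

```bat
@echo off
rem Added example, not from the thread: report the drive-restriction policy
rem values of the logged-on user and the drive letters each one covers.
setlocal enabledelayedexpansion
set "KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

rem NoDrives      = "Hide these specified drives in My Computer"
rem NoViewOnDrive = "Prevent access to drives from My Computer"
for %%n in (NoDrives NoViewOnDrive) do call :show %%n
endlocal
goto :eof

:show
set "raw="
rem reg query prints "<name>  REG_DWORD  0x<hex>"; the third token is the value
for /f "tokens=3" %%v in ('reg query "%KEY%" /v %1 2^>nul ^| find /i "REG_DWORD"') do (
    set "raw=%%v"
    set /a "mask=%%v"
)
if not defined raw (
    echo %1: not set
    goto :eof
)
rem Bit 0 is A:, bit 1 is B:, and so on up to bit 25 for Z:
set "letters="
set /a bit=1
for %%L in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    set /a "hit=mask & bit"
    if not !hit!==0 set "letters=!letters! %%L:"
    set /a "bit<<=1"
)
echo %1 = %raw% covers:%letters%
goto :eof
```

Neither value is an access control: what a user can read or write in a folder is still decided by its NTFS permissions.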
 