This is what my company uses for all 33,000 laptops:
http://www.checkpoint.com/products/d.../pc/index.html
It's a pain in the neck but secure enough.
--
SPAMCOP User
"headbasher" wrote in message:
> we have laptops that we give to users, but we don't want them to save
> anything or install anything anywhere on the laptop. if the laptop gets
> stolen we don't want anybody accessing any saved files. these laptops are
> part of the domain (but i've tried this after removing the laptop from the
> domain), so when they log in at the office they can use redirected
> MyDocuments folder, but the policy uses a proxy server, so when they take it
> home they have to use a local user account.
> we have provided secure flashdrives for people to use to save files.
> i've set the group policies to hide and restrict access to local drives
> abcd. i've set the common dialog box policy to only show the e drive for the
> flash (but the desktop still shows as the first thing in the drive list).
>
> msoffice and even notepad still allow saving to the desktop. how is that
> possible with the drive restrictions?
>
> i've tried to use delprof.exe in a shutdown/logoff script to delete profiles
> on logoff or shutdown with the /q /i /d:0 options, but profiles still exist.
> i've tried using the runas command in the script with a local administrator
> account (not administrator, and an account that has never been logged on) and
> even as 'nt authority\system' but it just appears to hang for a minute or
> five before the computer shuts down and doesn't delete the profiles. if i try
> to use it as a logon script the computer takes too long to boot and i get
> group policy timeout/load errors in the logs.
> i'm running XPSP3.
>
> so how can i delete profiles or files so our system isn't compromised?
>
> one simpler trick i tried that seems to work is running a logoff script that
> has the command 'del /q "c:\documents and settings\%username%\desktop\*.*"'
> (or "%userprofile%\desktop\*.*") as all the other apps and icons that should
> be on the desktop are either in the Default or AllUsers profiles, but i'm
> looking for a better solution if possible.
>
> any answers? is there a solution?
>
> and while i'm at it, is there a way to exempt certain users or groups from
> local group policies?
>