How to lock user desktop?

Discussion in 'Microsoft Windows 2000 Group Policy' started by Guest, Oct 3, 2006.

  1. Guest

    Guest Guest

    Is there a GPO to prevent users from saving anything (links, docs, shortcuts)
    to the desktop? All I could find is a way to hide desktop icons, prevent
    saving in the taskbar, etc.

    I see a way to do this with mandatory profiles, but would like to go the
    easier route of a GPO.

    Thanks.
     
    Guest, Oct 3, 2006
    #1
    1. Advertisements

  2. Howdy Steve!

    SteveW wrote:
    > Is there a GPO to prevent users from saving anything (links, docs, shortcuts)
    > to the desktop? All I could find is a way to hide desktop icons, prevent
    > saving in the taskbar, etc.


    What about using the group policy filesystem-settings in CompConf\Window
    s Settings\Security Settings\File System ? You can add a "rule" and deny
    your users the "Write" and "Modify" permissions...

    cheers,

    Florian
    --
    Nachwuschsadmin aus dem Süddeutschen/Germany.
    eMail: Vorname [bei] frickelsoft [Punkt] net.
     
    Florian Frommherz, Oct 4, 2006
    #2
    1. Advertisements

  3. Guest

    Guest Guest

    I've not used this GPO item before - the only option I have is to add file.
    What kind of file is it expecting to add so that I can try this?

    Thanks.

    "Florian Frommherz" wrote:

    > Howdy Steve!
    >
    > SteveW wrote:
    > > Is there a GPO to prevent users from saving anything (links, docs, shortcuts)
    > > to the desktop? All I could find is a way to hide desktop icons, prevent
    > > saving in the taskbar, etc.

    >
    > What about using the group policy filesystem-settings in CompConf\Window
    > s Settings\Security Settings\File System ? You can add a "rule" and deny
    > your users the "Write" and "Modify" permissions...
    >
    > cheers,
    >
    > Florian
    > --
    > Nachwuschsadmin aus dem Süddeutschen/Germany.
    > eMail: Vorname [bei] frickelsoft [Punkt] net.
    >
     
    Guest, Oct 4, 2006
    #3
  4. Howdy Steve!

    SteveW wrote:
    > I've not used this GPO item before - the only option I have is to add file.
    > What kind of file is it expecting to add so that I can try this?


    It's quite simple. The "file to add" is the "Desktop"-folder as you wish
    to set permissions on that. So you need to "add" the Desktop folder and
    click "OK". The editor will then open the known "Security" dialog where
    you can change NTFS permissions.

    If you haven't done this before, you might want to create a test-OU with
    test-users and a test-computer and try this GP on them...

    cheers,

    Florian
    --
    Nachwuschsadmin aus dem Süddeutschen/Germany.
    eMail: Vorname [bei] frickelsoft [Punkt] net.
     
    Florian Frommherz, Oct 4, 2006
    #4
  5. Guest

    Guest Guest

    Would I select the "documents & settings\all users\desktop" folder from my
    local machine and then adjust permissions for all authenticated users for
    read only & list?

    Thanks.

    "Florian Frommherz" wrote:

    > Howdy Steve!
    >
    > SteveW wrote:
    > > I've not used this GPO item before - the only option I have is to add file.
    > > What kind of file is it expecting to add so that I can try this?

    >
    > It's quite simple. The "file to add" is the "Desktop"-folder as you wish
    > to set permissions on that. So you need to "add" the Desktop folder and
    > click "OK". The editor will then open the known "Security" dialog where
    > you can change NTFS permissions.
    >
    > If you haven't done this before, you might want to create a test-OU with
    > test-users and a test-computer and try this GP on them...
    >
    > cheers,
    >
    > Florian
    > --
    > Nachwuschsadmin aus dem Süddeutschen/Germany.
    > eMail: Vorname [bei] frickelsoft [Punkt] net.
    >
     
    Guest, Oct 4, 2006
    #5
  6. Howdy Steve!

    SteveW wrote:
    > Would I select the "documents & settings\all users\desktop" folder from my
    > local machine and then adjust permissions for all authenticated users for
    > read only & list?


    In order to restrict the permission for all _new_ users on the machine,
    you will have to choose the "Documents and Settings\Default
    User\Desktop" folder. But as I saw right now, this will not affect
    existing profiles on the computers. So, you'd need to change the
    existing profiles' permissions manually with a tool like subinacl.exe
    (http://www.microsoft.com/downloads/...56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en)

    Sorry...

    cheers,

    Florian
    --
    Nachwuschsadmin aus dem Süddeutschen/Germany.
    eMail: Vorname [bei] frickelsoft [Punkt] net.
     
    Florian Frommherz, Oct 4, 2006
    #6
  7. Guest

    Evan Guest

    You may want to consider using a mandatory roaming profile instead of
    local profiles

    -Evan


    "SteveW" <> wrote in message
    news:...
    > Is there a GPO to prevent users from saving anything (links, docs,
    > shortcuts)
    > to the desktop? All I could find is a way to hide desktop icons, prevent
    > saving in the taskbar, etc.
    >
    > I see a way to do this with mandatory profiles, but would like to go the
    > easier route of a GPO.
    >
    > Thanks.
     
    Evan, Oct 8, 2006
    #7
  8. Guest

    MPerrault Guest

    You can try to use a third party application app like scriptlogic's
    desktop authority.

    http://www.scriptlogic.com/products/desktopauthority/

    It solves many problems acocited with roaming profiles.

    Michael P. Perrault
    MCSE, CCNA, A+, MBA
    Senior Systems Engineer,
    ScriptLogic Corporation


    www.scriptlogic.com




    On Oct 7, 8:11 pm, "Evan" <> wrote:
    > You may want to consider using a mandatoryroamingprofile instead of
    > localprofiles
    >
    > -Evan
    >
    > "SteveW" <> wrote in messagenews:...
    >
    >
    >
    > > Is there a GPO to prevent users from saving anything (links, docs,
    > > shortcuts)
    > > to the desktop? All I could find is a way to hide desktop icons, prevent
    > > saving in the taskbar, etc.

    >
    > > I see a way to do this with mandatoryprofiles, but would like to go the
    > > easier route of a GPO.

    >
    > > Thanks.- Hide quoted text -- Show quoted text -
     
    MPerrault, Oct 8, 2006
    #8
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Joshua Mozdzier

    automatic desktop lock feature

    Joshua Mozdzier, Jul 29, 2003, in forum: Microsoft Windows 2000 Group Policy
    Replies:
    1
    Views:
    793
    Hindy
    Jul 29, 2003
  2. Svein E Jensen

    Re: Are there anyway to lock the login to one login Per User!

    Svein E Jensen, Aug 22, 2003, in forum: Microsoft Windows 2000 Group Policy
    Replies:
    0
    Views:
    222
    Svein E Jensen
    Aug 22, 2003
  3. Jimmy Andersson

    Re: Are there anyway to lock the login to one login Per User!

    Jimmy Andersson, Aug 22, 2003, in forum: Microsoft Windows 2000 Group Policy
    Replies:
    1
    Views:
    218
    Svein E Jensen
    Aug 25, 2003
  4. Chris

    Is there a way to lock down a user on w2k

    Chris, Jan 23, 2004, in forum: Microsoft Windows 2000 Group Policy
    Replies:
    1
    Views:
    174
    Chriss3
    Jan 23, 2004
  5. el

    lock user to access the Internet

    el, Nov 4, 2004, in forum: Microsoft Windows 2000 Group Policy
    Replies:
    4
    Views:
    282
    Cary Shultz [A.D. MVP]
    Nov 9, 2004
Loading...

Share This Page