Local Group Policy to lockdown saved files on Desktop & My Documents

[tractng]

Guys,

I am using the gpedit.msc (locally) to lock down our terminal server
2003.

I have removed "My Document" from the desktop. But when a user opens a
doc and save as, he/she still can save it to it. How can I remove/hide
it?


Also, how do I disable saving to the desktop? Do I have to turn on
Active Desktop in order to do it?


I don't see any of these features on the GP.

Thanks ahead.

Tony

 

[Steven L Umbach]

Removing my documents from the desktop simply removes the shortcut to the My
Documents folder. To prevent a user from saving to the desktop or their My
Documents folder you need to modify the NTFS permissions in their user
profile so that they do not have write permissions for either My Documents
or the desktop folder. --- Steve

 

[tractng]

Steven,

So I can do this to a template user and copy it to the default user
like I have been doing without have any conflict?

Any user who logs in will inherit the same settings ( i know in fact ,
but just wants confirmation -hehe)?

Thanks,

 

[tractng]

I am talking about making it affect on all the users, not just one
user.

I tried using ntfs (on default user and all user) to limit on my
documents and desktop by removing all the rights and leaving read, list
folder contents, and read & execute. When a new user logs in, it
doesn't apply.

Tony

 

[Steven L Umbach]

Yes that would be expected as the operating system assigns permissions to
each newly created profile. What you could do is to create a Group Policy
"logon" script using the cacls command and the %username% variable in the
path to the user profile. Then when the user logs on the permissions would
be changed though as long as the user is the owner of a folder they still
could change permissions if they knew how to. You can use cacls /? to see
syntax of the cacls command and usually you want to use the /E switch to
edit rather than replace current permissions. --- Steve