Protecting the 'All Users' Start Menu

[Guest]

All

We use the All Users Start Menu for Office shortcuts but we need to
leave the ability for users to create shortcuts so we can't disable the
right click. At the same time we want to stop users from dragging Office
shortcuts onto their desktops leaving other users unable to use Office.

I found the GPO setting to 'Disable drag and drop' but that disables the
right click function as well.

Is there a method to allow users to right click shortcuts on the Start
Menu but not allow them to drag shortcuts off it?

thanks for any help with this

regards

 

[Randy Reimers]

Set it that it is read-only - or change the rights so that normal users can
only read - not modify or delete. Of course, if the "normal" user is a
member of the local "Administrators" group - good luck.

Randy Reimers

 

[Guest]

"Users" should not be able to modify files in the "All Users" profile by
default (should have Read & Execute only). Either permissions have been
modified on that folder or your users are Administrators.

 

[Guest]

"Users" should not be able to modify files in the "All Users" profile by
default (should have Read & Execute only). Either permissions have been
modified on that folder or your users are Administrators.

:

The users are Power Users and none of them are Administrators. As far as
I know no rights have been modified on the image but I didn't create
them. I will check tomorrow and if they have been changed I will have to
make the change.

Thanks for the replies

 

[Cary Shultz]

This might not help....but this is what I normally do.

I like to create the 'stuff' that I want to be available to everyone in the
default users profile. This way, if someone deletes something it does not
affect everyone else. However, this is simply part of your situation and
does not really answer the question. The permissions would be where I would
start. Also, as aptly stated, if your domain user account objects are
member of the local Administrators group on the computers then there is
really nothing that you can do.....other than threaten them with bodily
harm....and if you do not want to do that I can be your muscle! ;-)

Think about the default user thing.....it might be of interest. But the
permissions thing is the true answer.

--
Cary W. Shultz
Roanoke, VA 24012

http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)

 

[kj]

Power users have default permissions sufficient to alter ALL Users. You'll
need to either change the permissions or get 'em out of Power Users, or
both.

 

[Guest]

Power users have default permissions sufficient to alter ALL Users. You'll
need to either change the permissions or get 'em out of Power Users, or
both.

I checked last night at home and the modify permission is granted for
Power Users so I will have to change that.


cheers

 

[Guest]

This might not help....but this is what I normally do.

I like to create the 'stuff' that I want to be available to everyone in the
default users profile. This way, if someone deletes something it does not
affect everyone else. However, this is simply part of your situation and
does not really answer the question. The permissions would be where I would
start. Also, as aptly stated, if your domain user account objects are
member of the local Administrators group on the computers then there is
really nothing that you can do.....other than threaten them with bodily
harm....and if you do not want to do that I can be your muscle! ;-)

Think about the default user thing.....it might be of interest. But the
permissions thing is the true answer.

The only problem with the Deafult User thing at this point is that most
people who log onto the machines have already done so and we don't want
to delete profiles on a few thousand boxes. I'm not sure why our users
are Power Users but will get the answer to that today.

thanks for the reply

 

[Cary Shultz]

Yeah, that is very true. If userA has already logged on then he/she
already has a profile on that machine ( created from the default user,
usually ) and my suggestion will not do you much good! But, that is why I
stated that it might not help. It is really good if you use it right from
the start, though!

I would focus on the permissions thing. Well, the true 'problem' is why the
domain user account objects are members of the local Power Users group. As
I am sure that you know, the Domain Users is, by default, a member of the
local Users group on each PC. And, by default, each user account object
that is created is a member of the Domain Users group. However, that is
usually not sufficient ( before any jumps down my throat for this....have
patience, I will explain what I mean ). The Power Users group does afford
more 'access'. Some applications require access to parts of the registry or
directory structure that the Users group doe not afford ( but the Power
Users does ). And there are a lot of older applications that often require
that the user be a member of the local Administrators group. So, possibly
this plays a role in that? If that is the case then what I might consider
is looking at regmon and filemon from Sysinternals (
http://www.sysinternals.com ) and use both of them to determine what access
is need to what key ( or folder ) and go from there! So, if the software
installation 'problem' is the reason why then maybe you have something here!

Another thing does jump to mind in reference to the Power Users group: you
typically have to be a member of this local group to add printers. Could
that be the reason? a part of the reason?

--
Cary W. Shultz
Roanoke, VA 24012

http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)