After a bit of experimentations, with Read NTFS permission granted to
authenticated users on Documents and Settings\All Users\Desktop, no read
NTFS permission for all but one shortcut under this desktop, I could now get
the restricted users to get only My Computer, Recycle Bin and that only
shortcut under desktop.
But everytime, the restricted user logs on, he/she get the following
warning:
This operation has been cancelled due to restrictions in effect on this
computer. Please contact your system administrator.
Any ideas what could be causing this?
Note I also have Hide all drives from my computer enabled (but relaxing this
to allow access makes no difference).
To be more precise, I have the following:
Computer Configuration-
Administrative Templates
->Network->Offline files
Enabled Disabled
Disable user configuration of Offline Files Enabled
Synchronize all offline files before logging off Disabled
Default cache size Not configured
Action on server disconnect Not configured
Non-default server disconnect actions Not configured
Disable 'Make Available Offline' Not configured
Prevent use of Offline Files folder Enabled
Files not cached Not configured
Administratively assigned offline files Not configured
Disable reminder balloons Not configured
Reminder balloon frequency Not configured
Initial reminder balloon lifetime Not configured
Reminder balloon lifetime Not configured
At logoff, delete local copy of user's offline files Not configured
Event logging level Not configured
Subfolders always available offline Not configured
->Printers:
Allow printers to be published Disabled
Automatically publish new printers in Active Directory Disabled
Allow pruning of published printers Disabled
Printer browsing Disabled
Prune printers that are not automatically republished Disabled
Directory pruning interval Not configured
Directory pruning retry Not configured
Directory pruning priority Not configured
Check published state Not configured
Web-based printing Disabled
Custom support URL in the Printers folder's left pane Not configured
Computer location Not configured
Pre-populate printer search location text Not configured
User Configuration->
Folder Redirection
Desktop to \\Yjbweblive\RestrictedUsersProfile\Desktop
Start Menu to \\Yjbweblive\RestrictedUsersProfile\Start Menu
Administrative Templates
-> Desktop->Active Desktop:
Enable Active Desktop- disabled
Disable Active Desktop- enabled
Disable all Items- enabled
Prohibit changes- enabled
-> Desktop->Active Directory:
Maximum size of AD sarches: enabled: 0
Hide active Directory folder: enabled
->Control Panel:
Disable Control Panel- enabled
->Start Menu & Taskbar:
Remove user's folders from the Start Menu Enabled
Disable and remove links to Windows Update Enabled
Remove common program groups from Start Menu Enabled
Remove Documents menu from Start Menu Enabled
Disable programs on Settings menu Enabled
Remove Network & Dial-up Connections from Start Menu Enabled
Remove Favorites menu from Start Menu Enabled
Remove Search menu from Start Menu Enabled
Remove Help menu from Start Menu Enabled
Remove Run menu from Start Menu Enabled
Add Logoff to the Start Menu Enabled
Disable and remove the Shut Down command Enabled
Disable drag-and-drop context menus on the Start Menu Enabled
Disable changes to Taskbar and Start Menu Settings Enabled
Disable personalized menus Enabled
Disable user tracking Enabled
Do not keep history of recently opened documents Enabled
Gray unavailable Windows Installer programs Start Menu shortcuts
Enabled
->Desktop:
Hide all icons on Desktop Disabled
Remove My Documents icon from desktop Enabled
Remove My Documents icon from Start Menu Enabled
Remove Properties from the My Documents context menu Enabled
Remove Properties from the My Computer context menu Enabled
Hide My Network Places icon on desktop Enabled
Hide Internet Explorer icon on desktop Enabled
Do not add shares of recently opened documents to My Network Places
Enabled
Prohibit user from changing My Documents path Enabled
Disable adding, dragging, dropping and closing the Taskbar's toolbars
Enabled
Disable adjusting desktop toolbars Enabled
Don't save settings at exit Enabled
->Windows Explorer:
Enable Classic Shell Enabled
Removes the Folder Options menu item from the Tools menu Enabled
Remove File menu from Windows Explorer Enabled
Remove "Map Network Drive" and "Disconnect Network Drive" Enabled
Remove Search button from Windows Explorer Enabled
Disable Windows Explorer's default context menu Enabled
Hides the Manage item on the Windows Explorer context menu
Enabled
Only allow approved Shell extensions Enabled
Hide these specified drives in My Computer Enabled
Prevent access to drives from My Computer Enabled
Hide Hardware tab Enabled
Disable UI to change menu animation setting Enabled
Disable UI to change keyboard navigation indicator setting Enabled
Disable DFS tab Enabled
No "Computers Near Me" in My Network Places Enabled
No "Entire Network" in My Network Places Enabled
Maximum number of recent documents Enabled
->MMC
Restrict the user from entering author mode- enabled
->Windows update
Remove access to use all windows update features enabled
->Network->Network and Dial up networking
Prohibit deletion of RAS connections Enabled
Prohibit deletion of RAS connections available to all users Enabled
Prohibit connecting and disconnecting a RAS connection Enabled
Prohibit enabling/disabling a LAN connection Enabled
Prohibit access to properties of a LAN connection Enabled
Prohibit access to current user's RAS connection properties Enabled
Prohibit access to properties of RAS connections available to all users
Enabled
Prohibit renaming LAN connections or RAS connections available to all users
Enabled
Prohibit renaming of RAS connections belonging to the current user
Enabled
Prohibit adding and removing components for a LAN or RAS connection
Enabled
Prohibit enabling/disabling components of a LAN connection Enabled
Prohibit access to properties of components of a LAN connection
Enabled
Prohibit access to properties of components of a RAS connection
Enabled
Prohibit access to the Network Connection wizard Enabled
Prohibit viewing of status statistics for an active connection Enabled
Prohibit access to the Dial-up Preferences item on the Advanced menu
Enabled
Prohibit access to the Advanced Settings item on the Advanced menu Enabled
Prohibit configuration of connection sharing Enabled
Prohibit TCP/IP advanced configuration Enabled
->System
Code signing for device drivers Enabled
Custom user interface Not configured
Disable the command prompt Enabled
Disable registry editing tools Enabled
Run only allowed Windows applications Enabled nrclient.exe, notepad.exe
hh.exe
Disable Autoplay Enabled
Download missing COM components Disabled
->System->Logon/LogOff
Disable Task Manager Enabled
Limit profile size Enabled 1000K
->System->Group Policy
Group Policy refresh interval for users Enabled Every 1 day +random 30
minutes
