NTFS Permissions to Prevent Desktop Icon Removal

Psibur

Because of certain conditions, we have users that are required to be
in the Administrators group. The icons on the desktop are mandatory
and are not to be deleted. These PCs are not joined to a domain.
What I want to do is to "lock down" the icons so the users cannot
remove them. I have considered writing a script/batch file that
checks for the existence of those icons and copies them if they do not
exist but this is now not an option. Yes, I know it's odd, but I
don't make these rules.

I have tried a few options such as:
-- Removed all group permissions from the icons, removed inherited
permissions, and created user-specific settings that Deny the Delete
permission to the local user account.
-- Created a group policy to Deny the Delete permission and put that
user in that group.

Neither of which work. I guess I have two questions on this one:

1. First and foremost, since the user accounts are required to be in
the Administrators group, does membership in that group 'trump' all
other settings, including Deny which I know is technically supposed to
take precedence?

2. If #1 does not matter, is there a combination of permissions that
is just not clicking with me?
 
Pegasus [MVP]

Set the desired permissions, then change ownership to the System account.
This will prevent everyone from deleting the shortcuts. However, those who
know how it's done can re-seize ownership. This is why it may not be a good
idea to make users members of the Administrators group.
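
The sequence from this reply, scripted with icacls and followed by a check of the result, as an added example that is not part of the original thread. The account name `kiosk1`, the Public Desktop path, and the permission set chosen as the "desired permissions" (SYSTEM full control, Administrators read and execute) are assumptions.

```powershell
# Added example, not from the thread. Run from an elevated prompt on the local PC.
# $User and $Desktop are placeholders (assumptions); adjust to the real account and path.
$User    = 'kiosk1'
$Desktop = 'C:\Users\Public\Desktop'

function Protect-Shortcut {
    param([string]$Path, [string]$User)
    # 1. Permissions first, while the current owner can still write the DACL.
    icacls $Path /inheritance:r | Out-Null                 # drop inherited ACEs
    icacls $Path /grant:r 'NT AUTHORITY\SYSTEM:(F)' 'BUILTIN\Administrators:(RX)' | Out-Null
    icacls $Path /deny "${User}:(DE)" | Out-Null           # explicit Deny on Delete
    # 2. Ownership last: a non-owner has no implicit right to rewrite the DACL.
    icacls $Path /setowner 'NT AUTHORITY\SYSTEM' | Out-Null
}

function Test-Shortcut {
    param([string]$Path, [string]$User)
    $acl    = Get-Acl -LiteralPath $Path
    $delete = [System.Security.AccessControl.FileSystemRights]::Delete
    # Look for an explicit Deny ACE on Delete for the local account.
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq "$env:COMPUTERNAME\$User" -and
        ($_.FileSystemRights -band $delete)
    }
    [pscustomobject]@{
        Path              = $Path
        OwnerIsSystem     = ($acl.Owner -eq 'NT AUTHORITY\SYSTEM')
        DenyDeletePresent = [bool]$deny
        InheritanceOff    = $acl.AreAccessRulesProtected
    }
}

# Lock every shortcut on the desktop, then report the resulting state.
Get-ChildItem -LiteralPath $Desktop -Filter *.lnk | ForEach-Object {
    Protect-Shortcut -Path $_.FullName -User $User
    Test-Shortcut    -Path $_.FullName -User $User
} | Format-Table -AutoSize
```

Running `Test-Shortcut` again later shows whether ownership has been re-seized or the Deny entry removed, which is the weakness the reply points out for accounts in the Administrators group.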
 
Psibur

Thanks, that seems to have done the trick. I agree with the Admin
group idea 100% but unfortunately I have no say in it.

Thanks again. :^)
 
HeyBub

If you've got co-workers who delete desktop icons, you have a bigger problem
than them deleting desktop icons.
 
