Psibur
Because of certain conditions, we have users that are required to be
in the Administrators group. The icons on the desktop are mandatory
and are not to be deleted. These PCs are not joined to a domain.
What I want to do is to "lock down" the icons so the users cannot
remove them. I have considered writing a script/batch file that
checks for the existence of those icons and copies them if they do not
exist but this is now not an option. Yes, I know it's odd, but I
don't make these rules.
I have tried a few options such as:
-- Remove all group permissions from the icons, removed inherited
permissions, and create user specific settings that Deny the Delete
permission to the local user account.
-- Created a group policy to Deny the Delete permission and put that
user in that group.
Neither of which work. I guess I have two questions on this one:
1. First and foremost, since the user accounts are required to be in
the Administrators group, does membership in that group 'trump' all
other settings, including Deny which I know is technically supposed to
take precedence?
2. If #1 does not matter, is there a combination of permissions that
is just not clicking with me?