Restrict users to save on desktop using Group policy

Capri · External Since: Apr 30, 2007 Posts: 4

Hello everyone,

I have setup a group policy on OU and have restricted users to use only one
application which is hosted on the server. Redirection of application is also
done on the group policy. These users were not able to save/view any files
and also I have restricted any changes/settings.

Recently I have given them access to Notepad now I see they are able to save
TXT files on their desktops. How can I restrict those saving files?

I have already enabled hide/write all hard disks but I know by default users
will have full access on their desktops that is the reason they are able to
write on to their desktops. I am sure there should be some solution to this
within this group.

Thanks

Paul Bergson [MVP-DS] · External Since: Oct 09, 2006 Posts: 187

You can try the don't save settings on exit to see if that works (this with
in group policy), I know something such as added shortcuts will stay.

There is a way that will work, modify the users profile to be a Mandatory
profile. Once a profile of a user is created change the ntuser.dat to
ntuser.man. Any time a user makes mods to the profile they will be dropped
once the user logs off and logs back on.

I once used mandatory roaming profile in an aircraft hangar, all kiosks had
the exact same look and feel. It worked really well.

http://technet2.microsoft.com/windowsserver/en/library/23ee2a30-5883-4...-b4cf-4

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Capri" <Capri DeleteThis @discussions.microsoft.com> wrote in message
news:04F675E8-C272-4DBC-8995-6700A230282C@microsoft.com...
> Hello everyone,
>
> I have setup a group policy on OU and have restricted users to use only
> one
> application which is hosted on the server. Redirection of application is
> also
> done on the group policy. These users were not able to save/view any files
> and also I have restricted any changes/settings.
>
> Recently I have given them access to Notepad now I see they are able to
> save
> TXT files on their desktops. How can I restrict those saving files?
>
> I have already enabled hide/write all hard disks but I know by default
> users
> will have full access on their desktops that is the reason they are able
> to
> write on to their desktops. I am sure there should be some solution to
> this
> within this group.
>
> Thanks
>

Myweb · External Since: Feb 15, 2007 Posts: 176

Hello Capri,

Did you use roaming profiles, then you can set a policy under User configuration>Administrative
templates>System>Logon/Logoff, theire you have "Limit profile Size". Enable
it and set the size you like.

Best regards

Myweb
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

> Hello everyone,
>
> I have setup a group policy on OU and have restricted users to use
> only one application which is hosted on the server. Redirection of
> application is also done on the group policy. These users were not
> able to save/view any files and also I have restricted any
> changes/settings.
>
> Recently I have given them access to Notepad now I see they are able
> to save TXT files on their desktops. How can I restrict those saving
> files?
>
> I have already enabled hide/write all hard disks but I know by default
> users will have full access on their desktops that is the reason they
> are able to write on to their desktops. I am sure there should be some
> solution to this within this group.
>
> Thanks
>

Capri · External Since: Apr 30, 2007 Posts: 4

Thanks for a response I am not using roaming profile, but this was a good
info for me.

"Myweb" wrote:

> Hello Capri,
>
> Did you use roaming profiles, then you can set a policy under User configuration>Administrative
> templates>System>Logon/Logoff, theire you have "Limit profile Size". Enable
> it and set the size you like.
>
> Best regards
>
> Myweb
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
>
> > Hello everyone,
> >
> > I have setup a group policy on OU and have restricted users to use
> > only one application which is hosted on the server. Redirection of
> > application is also done on the group policy. These users were not
> > able to save/view any files and also I have restricted any
> > changes/settings.
> >
> > Recently I have given them access to Notepad now I see they are able
> > to save TXT files on their desktops. How can I restrict those saving
> > files?
> >
> > I have already enabled hide/write all hard disks but I know by default
> > users will have full access on their desktops that is the reason they
> > are able to write on to their desktops. I am sure there should be some
> > solution to this within this group.
> >
> > Thanks
> >
>
>
>

Geoff Taylor · External Since: Jul 19, 2007 Posts: 2

Why not set a simple logon (or logoff) script via a group policy?

del "%USERPROFILE%\desktop\*"

This should clear the user's desktop every time they log in.

"Capri" <Capri RemoveThis @discussions.microsoft.com> wrote in message
news:04F675E8-C272-4DBC-8995-6700A230282C@microsoft.com...
> Hello everyone,
>
> I have setup a group policy on OU and have restricted users to use only
> one
> application which is hosted on the server. Redirection of application is
> also
> done on the group policy. These users were not able to save/view any files
> and also I have restricted any changes/settings.
>
> Recently I have given them access to Notepad now I see they are able to
> save
> TXT files on their desktops. How can I restrict those saving files?
>
> I have already enabled hide/write all hard disks but I know by default
> users
> will have full access on their desktops that is the reason they are able
> to
> write on to their desktops. I am sure there should be some solution to
> this
> within this group.
>
> Thanks
>