Trying to deny folder creation and hide all items on desktop
-
Wednesday, October 24, 2012 9:49 PM
Hi all,
We have an application that for some reason has to have access to the desktop on terminal servers for it to work, so we can't deny access entirely, but we still need to prevent users from creating folders on the desktop.
As of now we have a script that deletes all files that get created on the desktop after the user logs off, but it's not deleting folders, which still can be done with rmdir, but I am trying to prevent them from creating folders at all.
So I wrote this batch file:
attrib +H %UserProfile%\Desktop\*.*
icacls "C:\Users\%UserProfile%\Desktop" /grant "%UserName%":(OI)(CI)(RX,D,WDAC,WO,WD,WEA,DC,WA /inheritance:r
icacls "C:\Users\%UserProfile%\Desktop" /grant "NT AUTHORITY\SYSTEM":(OI)(CI)(F) /inheritance:r
icacls "C:\Users\%UserProfile%\Desktop" /grant "BUILTIN\Administrators":(OI)(CI)(F) /inheritance:r
There are 2 problems with this batch script:
- the users are still able to create folders.
- the attrib +H runs only on logon, so if users create files after that, they'll be able to see them.
Do any of you know a better way to do this, where folder creation produces an access denied message and any files that get created are hidden immediately?
Thanks in advance
Mohsen Almassud
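An added example, not part of the original post: on NTFS, creating a subfolder is governed by the CreateDirectories right (AD in icacls), which is separate from CreateFiles (WD), so a deny ACE on that single right refuses new folders while leaving file writes intact. The folder name `DesktopAclDemo` is a constructed stand-in so the script can be run safely outside a real profile.

```powershell
# Added example: runs against a throwaway folder, not a real user profile.
$desktop = Join-Path $env:TEMP 'DesktopAclDemo'   # constructed stand-in path
New-Item -ItemType Directory -Path $desktop -Force | Out-Null

$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Deny only CreateDirectories. ContainerInherit carries the deny into
# subfolders; files do not inherit it, so file writes keep working.
# Equivalent icacls form: icacls <folder> /deny "<user>":(CI)(AD)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $user,
    [System.Security.AccessControl.FileSystemRights]::CreateDirectories,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -Path $desktop
$acl.AddAccessRule($rule)
Set-Acl -Path $desktop -AclObject $acl

# Check 1: a file can still be written (what the application needs).
$file = Join-Path $desktop 'app-output.txt'
Set-Content -Path $file -Value 'ok'
$fileOk = Test-Path $file

# Check 2: folder creation is refused with an access-denied error.
$folderBlocked = $false
try {
    New-Item -ItemType Directory -Path (Join-Path $desktop 'NewFolder') -ErrorAction Stop | Out-Null
} catch {
    $folderBlocked = $_.Exception -is [System.UnauthorizedAccessException]
}

"File write allowed   : $fileOk"
"Folder create denied : $folderBlocked"

# Clean up: drop the deny ACE, then remove the demo folder.
$acl.RemoveAccessRule($rule) | Out-Null
Set-Acl -Path $desktop -AclObject $acl
Remove-Item -Path $desktop -Recurse -Force
```

A deny ACE only holds if the user cannot rewrite the ACL, so the account should not also hold Change permissions (WDAC) or Take ownership (WO) on the folder.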
All Replies
-
Wednesday, October 24, 2012 11:15 PM
Not a batch script but a request for assistance on how to manage security.
I recommend posting this in the platform forum for your OS. There are many ways to manage the desktop and keep it pristine. None of these methods requires a script. Redirecting the desktop to a common group desktop via Group Policy is exactly what this is for. The users can make any changes to the desktop but none will be saved to the redirected common desktop. Old problem, old solution.
Any program that writes to the desktop is suspicious as this is a NO-NO in Windows. I suggest fixing the program first.
There is a great chance that a registry value has just been set incorrectly to the desktop because so many untrained admins knew how to find the desktop. Fix this and your issue will likely go away and you will be a hero.
In my environments the desktop is shared and totally read-only. We tell users how to use 'My Documents' to save things and all desktops have 'My Documents' as an icon.
Learn Windows and your admin headaches will be reduced by one thousand percent or more. Keep reinventing the wheel and your life will become ever more difficult.
¯\_(ツ)_/¯
- Marked As Answer by Mohsen Almassud Thursday, October 25, 2012 1:11 PM
-
Thursday, October 25, 2012 1:12 PM
good enough for me.
Thanks jrv.
Mohsen Almassud
-
Friday, October 26, 2012 7:07 PM
jrv,
So I ended up redirecting the desktop to a network share, which worked well, but I still need your help if you could.
I am trying to figure out a way to monitor this network share and make sure it always stays empty without messing around with NTFS or share permissions. I am looking for some way to monitor this folder and as soon as a file is copied to it, DELETE it immediately.
Do you have any ideas as to how this can be done?
Thanks
Mohsen Almassud
-
Friday, October 26, 2012 7:09 PM
Set the permission to read only.
¯\_(ツ)_/¯
-
Saturday, October 27, 2012 1:45 AM
that won't work, because as I mentioned the application that we support needs to have R/W access to the desktop otherwise it will crash. I am working with one of the developers here to have him create a service that deletes any files that make it to this folder as soon as they arrive.
Thanks for your help.
Mohsen Almassud
-
Saturday, October 27, 2012 2:34 AM
It sounds like you have an ad-hoc circumstance caused by a very badly designed application.
There is no automatic way to do what you are asking. Perhaps you need a new app vendor.
¯\_(ツ)_/¯
- Edited by jrv (Microsoft Community Contributor) Saturday, October 27, 2012 3:23 AM

