Wednesday, May 02, 2012 11:19 PM
Okay! I am totaly frustrated and confused by this. I administer about 2000 public access computers at a large public library system. I use Group Policy 2008 to provide a custom user experience which, for the most part prevents our patrons from trashing our systems. Unfortunately there does not seem to be any way to lock the desktop so that users can't save to it or delete anything already there. For this reason we originaly configured a Mandatory Roaming Profile but the profiles took to long to load and patrons got very upset waiting on them. When we went to Wendows 7 I tried using a Domain Guest account. Unfortunately the accounts did not always get deleted when the users logged out and eventualy the system would fail to login. In order to apease a third party vender and solve the login issue we switched to using a Domain User account. I can use Group Policy to help direct users to save files in the Documents folder and I was able to create a script to clean it out when a new user logs in but the desktop is still vulnerable. Changing folder permissions for the Desktop on 2000 machines by hand is not something that my techs are going to want to do so I tried to find a way to automate the process. There is an option in Group Policy, Computer Configuration for this purpose but it didn't work so I have spent the last three days trying to write a script to do it. The closest I got was this;
set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.run "%comspec% /c runas /user:%computername%\xadministrator & icacls.exe c:\Test /grant:r exec:(rx) /t /c /q"
WshShell.SendKeys "password" 'send password
set wshshell = nothing
I've tried some variations of this; Originaly I didn't have %comspec% in the .run line, it just started with runas. then I tried cmd instead of %comspec%. With the & before icacls.exe. If I was running the script localy when I was logged in as an administrator that worked. The problem is that runas requires quotation marks arround the executable string, "icacls.exe c:\Test /grant:r exec:(rx) /t /c /q" but that doesn't work within the script. I get an "error: Expected end of statement" message right at the quote in front of icacls.exe. When I try to run the script from Group Policy, logged in to a Domain User account the script won't work and I am prety sure that it is because I need to use elevated privilages and runas is not working. I understand that Microsoft added UAC to improve security but now our systems are actualy less secure because I can't lock them down completely.
If anyone knows how to make this script work or if there is a better way to lock down the desktop please let me know. Thanks!
Wednesday, May 02, 2012 11:57 PM
What you can do is to use Desktop redirection. Then, you use information from here to change the user's rights on their desktop folder to read only. Job done, everyone is happy.
" Never panic before reboot ! "
Friday, May 04, 2012 8:12 AMModerator
To redirect desktop, please refer to the below link:
Folder Redirection Overview
For scripting issue, please post thread in The Official Scripting Guys Forum:
TechNet Community Support
Friday, May 04, 2012 5:09 PM
Your links helped. I had already considered using folder redirection and I think I actually tried it. For some reason, which I can't remember now, I thought it would not work. Using User Configuration, Preferences I was able to create a folder, or actually Replace it, and then redirect the Desktop folder to the folder that I created. Using Replace I can completely delete and replace the folder each time the user logs in. Then I can add the Icons that I want on the Desktop the same way that I created the folder.
- Marked As Answer by Tweaton Friday, May 04, 2012 5:10 PM