Locking down the desktop in windows 7


  • Wednesday, May 02, 2012 11:19 PM
     
     

    Okay! I am totally frustrated and confused by this. I administer about 2000 public access computers at a large public library system. I use Group Policy 2008 to provide a custom user experience which, for the most part, prevents our patrons from trashing our systems. Unfortunately there does not seem to be any way to lock the desktop so that users can't save to it or delete anything already there. For this reason we originally configured a Mandatory Roaming Profile but the profiles took too long to load and patrons got very upset waiting on them. When we went to Windows 7 I tried using a Domain Guest account. Unfortunately the accounts did not always get deleted when the users logged out and eventually the system would fail to login. In order to appease a third party vendor and solve the login issue we switched to using a Domain User account. I can use Group Policy to help direct users to save files in the Documents folder and I was able to create a script to clean it out when a new user logs in but the desktop is still vulnerable. Changing folder permissions for the Desktop on 2000 machines by hand is not something that my techs are going to want to do so I tried to find a way to automate the process. There is an option in Group Policy, Computer Configuration for this purpose but it didn't work so I have spent the last three days trying to write a script to do it. The closest I got was this:

    Dim WshShell
    set WshShell = WScript.CreateObject("WScript.Shell")

    WshShell.run "%comspec% /c runas /user:%computername%\xadministrator & icacls.exe c:\Test /grant:r exec:(rx) /t /c /q"
    WScript.Sleep 1000
    WshShell.SendKeys "password" 'send password  
    WshShell.SendKeys "{ENTER}"   
    WScript.Sleep 1000
     

    set wshshell = nothing

    I've tried some variations of this. Originally I didn't have %comspec% in the .run line, it just started with runas. Then I tried cmd instead of %comspec%. With the & before icacls.exe. If I was running the script locally when I was logged in as an administrator that worked. The problem is that runas requires quotation marks around the executable string, "icacls.exe c:\Test /grant:r exec:(rx) /t /c /q" but that doesn't work within the script. I get an "error: Expected end of statement" message right at the quote in front of icacls.exe. When I try to run the script from Group Policy, logged in to a Domain User account the script won't work and I am pretty sure that it is because I need to use elevated privileges and runas is not working. I understand that Microsoft added UAC to improve security but now our systems are actually less secure because I can't lock them down completely.

    If anyone knows how to make this script work or if there is a better way to lock down the desktop please let me know. Thanks!


    tweaton

All Replies

  • Wednesday, May 02, 2012 11:57 PM
     
     Proposed

    What you can do is to use Desktop redirection. Then, you use information from here to change the user's rights on their desktop folder to read only. Job done, everyone is happy.


    " Never panic before reboot ! "

  • Friday, May 04, 2012 8:12 AM
    Moderator
     
     Answered

    Hi,

    To redirect the desktop, please refer to the link below:

    Folder Redirection Overview

    http://technet.microsoft.com/en-us/library/cc732275.aspx

    For the scripting issue, please post a thread in The Official Scripting Guys Forum:

    http://social.technet.microsoft.com/Forums/en-US/ITCG/threads

    Best Regards,

    Yan Li


    TechNet Community Support


  • Friday, May 04, 2012 5:09 PM
     
     Answered

    Thanks Yan,

    Your links helped. I had already considered using folder redirection and I think I actually tried it. For some reason, which I can't remember now, I thought it would not work.  Using User Configuration, Preferences I was able to create a folder, or actually Replace it, and then redirect the Desktop folder to the folder that I created. Using Replace I can completely delete and replace the folder each time the user logs in. Then I can add the Icons that I want on the Desktop the same way that I created the folder.

    Tom


    tweaton

    • Marked As Answer by Tweaton Friday, May 04, 2012 5:10 PM
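
Added example, not code from any poster in this thread: one way to make a redirected Desktop folder read-only without `runas` or a password typed by `SendKeys`, by running the permission change as a computer startup script (startup scripts run as Local System) and then verifying the resulting ACL. The folder path and the patron SID are assumptions; substitute the redirect target and the account or group your patrons log on with.

```powershell
# Added example (not from the thread). Deploy as a computer startup script so it
# runs as Local System; no runas prompt or embedded administrator password.
param(
    [string]$DesktopPath = 'C:\PublicDesktop',  # assumed redirect target (hypothetical)
    [string]$PatronSid   = 'S-1-5-32-545'       # assumed principal: BUILTIN\Users
)

if (-not (Test-Path $DesktopPath)) {
    New-Item -ItemType Directory -Path $DesktopPath | Out-Null
}

# Remove inherited ACEs, then grant explicit ones that flow to subfolders (CI)
# and files (OI): full control for SYSTEM and Administrators, read/execute for patrons.
& icacls.exe $DesktopPath /inheritance:r /grant:r `
    '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' "*${PatronSid}:(OI)(CI)RX" /c /q
if ($LASTEXITCODE -ne 0) {
    Write-Error "icacls failed with exit code $LASTEXITCODE"
    exit 1
}

# Verify: no Allow ACE for anyone other than SYSTEM/Administrators may carry
# a right that lets a patron create, change or delete desktop items.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]`
    'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$trusted = 'S-1-5-18', 'S-1-5-32-544'
$rules = (Get-Acl -Path $DesktopPath).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])

$bad = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($trusted -notcontains $_.IdentityReference.Value) -and
    (([int]$_.FileSystemRights -band $writeMask) -ne 0)
})

if ($bad.Count -gt 0) {
    $bad | ForEach-Object {
        Write-Warning "Writable ACE remains: $($_.IdentityReference.Value) $($_.FileSystemRights)"
    }
    exit 2
}
Write-Output "Desktop folder $DesktopPath is read-only for non-administrators."
```

The verification step flags explicit ACEs left over from earlier attempts (for example a CREATOR OWNER entry), which `/grant:r` alone does not remove.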