2009년 1월 13일 화요일 오후 4:43Hi all,
How can i restrict users to prevent saving/deleting in desktop with GPO? Is there a way in GPO for internet explorer to prevent download files or which option will prevent user downloading stuff from interernt but able to see pdf, word, ppt document inside internet explorer ?
2009년 1월 15일 목요일 오전 7:40중재자
If you would like to restrict user from saving file on Desktop, you can remove Modify permission from their Desktop folder by Startup scripts. Group Policy cannot restrict add/remove item if they have modify permission.
You can enable the following Policies to disable downloading.
User Configuration->Administrative Templates->Windows Components->Internet Explorer->Internet Control Panel,-> Security Page
You can enable "Allow file downloads" policy and select Disable in Internet Zone and Intranet Zone.
2009년 1월 16일 금요일 오후 9:54Well,
Workaround this would be - set user for roaming profile and redirect the desktop folder in network share. Once you redirect desktop folder to network share this will create \\server\share\deskto\username and remove the right permission there. That will prevent user to save item in desktop.
- 답변으로 표시됨 Mervyn ZhangModerator 2009년 1월 19일 월요일 오전 12:59
2009년 1월 16일 금요일 오후 11:24Hi,
To prevent Desktop saving you can do 1 of 2 things.
1> Enable Mandatory Profiles. This gives users access to save on the desktop for as long as they are logged in BUT when they logoff the entire profile is deleted including the desktop folder.
2> Enable Folder Redirection for the Desktop. This can be done with either Roaming Profiles or Local Profiles. If using Roaming Profiles redirect the users to their Profile Desktop location on the server. Eg. profiles are stored at \\server\profiles$\username Redirect to \\server\profiles$\username\Desktop. However, it would depend also if you are using mandatory profiles (where hundreds of users are using the same read-only profile) or just roaming profiles.
If you are running Windows 2003 R2 or later you have the File Server Resource Manager as a part of the OS. Usually it is installed separately though. I have it installed on my file servers.
What this does is give you the abililty to prevet ANY saving on the server of the file types that you don't want. It works wonderfully and I love it.
Users can only save to their My Documents on my network. All other drives are Read-Only.
- 답변으로 제안됨 Rhodders 2009년 1월 18일 일요일 오후 1:16
2012년 5월 5일 토요일 오전 4:06
If the user does not have write permission to the desktop foler, I doubt how the profile will be loaded and saved back? will this lead to a corrupted profile later? This is my doubt only. I just had it when I read this.
- 답변으로 제안됨 Koh Chee Wai 2012년 6월 12일 화요일 오전 7:51
2012년 5월 7일 월요일 오전 10:03> If the user does not have write permission to the desktop foler, I> doubt how the profile will be loaded and saved back? will this lead to> a corrupted profile later? This is my doubt only. I just had it when I> read this.>No, it won't. Redirecting the desktop folder to a readonly share worksperfectly and is the easiest solution to deny the user write access tohis desktop.
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!