none
Prevent user to save in desktop

    Question

  • Hi all,

    How can i restrict users to prevent saving/deleting in desktop with GPO? Is there a way in GPO for internet explorer to prevent download files or which option will prevent user downloading stuff from interernt but able to see pdf, word, ppt document inside internet explorer ?

    Thanks

    M
    Tuesday, January 13, 2009 4:43 PM

Answers

  • Hi,

     

    If you would like to restrict user from saving file on Desktop, you can remove Modify permission from their Desktop folder by Startup scripts. Group Policy cannot restrict add/remove item if they have modify permission.

     

    You can enable the following Policies to disable downloading.

     

    User Configuration->Administrative Templates->Windows Components->Internet Explorer->Internet Control Panel,-> Security Page

     

    You can enable "Allow file downloads" policy and select Disable in Internet Zone and Intranet Zone.

     

    Thanks.

    Thursday, January 15, 2009 7:40 AM
    Moderator
  • Well,

    Workaround this would be - set user for roaming profile and redirect the desktop folder in network share. Once you redirect desktop folder to network share this will create \\server\share\deskto\username and remove the right permission there. That will prevent user to save item in desktop.

    M
    Friday, January 16, 2009 9:54 PM

All replies

  • Hi,

     

    If you would like to restrict user from saving file on Desktop, you can remove Modify permission from their Desktop folder by Startup scripts. Group Policy cannot restrict add/remove item if they have modify permission.

     

    You can enable the following Policies to disable downloading.

     

    User Configuration->Administrative Templates->Windows Components->Internet Explorer->Internet Control Panel,-> Security Page

     

    You can enable "Allow file downloads" policy and select Disable in Internet Zone and Intranet Zone.

     

    Thanks.

    Thursday, January 15, 2009 7:40 AM
    Moderator
  • Well,

    Workaround this would be - set user for roaming profile and redirect the desktop folder in network share. Once you redirect desktop folder to network share this will create \\server\share\deskto\username and remove the right permission there. That will prevent user to save item in desktop.

    M
    Friday, January 16, 2009 9:54 PM
  • Hi,

    To prevent Desktop saving you can do 1 of 2 things.

    1> Enable Mandatory Profiles. This gives users access to save on the desktop for as long as they are logged in BUT when they logoff the entire profile is deleted including the desktop folder. 

    2> Enable Folder Redirection for the Desktop. This can be done with either Roaming Profiles or Local Profiles. If using Roaming Profiles redirect the users to their Profile Desktop location on the server. Eg. profiles are stored at \\server\profiles$\username  Redirect to \\server\profiles$\username\Desktop.  However, it would depend also if you are using mandatory profiles (where hundreds of users are using the same read-only profile) or just roaming profiles.

    If you are running Windows 2003 R2 or later you have the File Server Resource Manager as a part of the OS. Usually it is installed separately though. I have it installed on my file servers.
    http://technet.microsoft.com/en-us/library/cc754810.aspx

    What this does is give you the abililty to prevet ANY saving on the server of the file types that you don't want. It works wonderfully and I love it.

    Users can only save to their My Documents on my network. All other drives are Read-Only.

    Cheers,
    Lara
    lforbes
    • Proposed as answer by Rhodders Sunday, January 18, 2009 1:16 PM
    Friday, January 16, 2009 11:24 PM
  • If the user does not have write permission to the desktop foler, I doubt how the profile will be loaded and saved back? will this lead to a corrupted profile later? This is my doubt only. I just had it when I read this.

    Thanks

    • Proposed as answer by Koh Chee Wai Tuesday, June 12, 2012 7:51 AM
    Saturday, May 05, 2012 4:06 AM
  •  
    > If the user does not have write permission to the desktop foler, I
    > doubt how the profile will be loaded and saved back? will this lead to
    > a corrupted profile later? This is my doubt only. I just had it when I
    > read this.
    >
     No, it won't. Redirecting the desktop folder to a readonly share works
    perfectly and is the easiest solution to deny the user write access to
    his desktop.
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Monday, May 07, 2012 10:03 AM