none
Preventing users from creating shortcut files

    Question

  • Hi all

    I am wondering if it is possible to prevent users from creating shortcuts. We have users locked down were they cannot get to the local C: Drive to prevent the machine from getting messed up. But they are creating shortcuts that allow them to browse Active Directory. "C:\Windows\System32\rundll32.exe dsquery.dll,OpenQueryWindow" And while I cannot prevent them from reading AD, I want to prevent them from getting to the rundll32.exe file. At this point, they are creating shortcuts to get there. These users cannot change anything in AD, I am just trying to prevent them from browsing it.

    I would block the rundll32.exe file from being executed but with all the software we have, I am not sure what all it would break. Is it possible to prevent running specific rundll32 dll files?

    Any advice in this matter would be great.

    Charles

    Thursday, March 3, 2016 2:03 PM

Answers

  • I was wanting to prevent users from searching AD. That is why I was trying to prevent the creation of shortcuts. But I found another path.

    So, I have adapted my GPO. I have learned that this is the key I need to change "Maximum size of Active Directory searches". And I have adjusted the amount to 0. 

    https://msdn.microsoft.com/en-us/library/ms813302.aspx

    Thanks


    Friday, March 4, 2016 4:03 AM

All replies

  • However good your intentions are, my experience in this matter of "preventing" is that people will always find a way around it.

    My method is Education!

    Explain to all users the reason you want your system to be in it's current state and why personal "fixes" will destroy the Company effort of ... (whatever)


    Best regards George

    Thursday, March 3, 2016 2:47 PM
  • Not really what I wanted to hear but I was afraid this was the kind of answer I was going to get. I will continue looking for right now. But thank you anyway.
    Thursday, March 3, 2016 2:50 PM
  • With all respect Charles, but you are trying to run a North Korea! Everything locked down. The rest of our world has already understood that it's not possible without extreme measures. We don't want those!


    Best regards George

    Thursday, March 3, 2016 2:55 PM
  • Everything is locked down because we don't like chasing viruses that students and teachers get on the computer. 

    Thank you

    Thursday, March 3, 2016 3:06 PM
  • I can understand that! I've worked with journalists for 14 years and they click on Everything! Your solution is to Adapt, Learn and Adjust!

    Best regards George

    Thursday, March 3, 2016 3:14 PM
  • Hi CharlesWhite,

    "I am wondering if it is possible to prevent users from creating shortcuts."
    Try to delete this registry key:
    HKEY_CLASSES_ROOT\.lnk\ShellNew

    Please backup the registry keys before we made any modifications to them. This is more likely a hack method. It is not recommended to do this.
    I agree with George.B.Summers. The best solution is to Adapt, Learn and Adjust.

    Best regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, March 4, 2016 2:40 AM
    Moderator
  • I was wanting to prevent users from searching AD. That is why I was trying to prevent the creation of shortcuts. But I found another path.

    So, I have adapted my GPO. I have learned that this is the key I need to change "Maximum size of Active Directory searches". And I have adjusted the amount to 0. 

    https://msdn.microsoft.com/en-us/library/ms813302.aspx

    Thanks


    Friday, March 4, 2016 4:03 AM