locked
Prevent Windows 7 users from saving files/folders to the root of their profile folder RRS feed

  • Question

  • We are in the process of setting up folder redirection for our users' My Documents, My Pictures, Favorites, Favorites, folders. Is there a way we can prevent them from saving files and folders on the root of their profile directory? So this way they can't saved a file like this: "C:\users\jdoe\Excel_spreadsheets\newsheet.xlsx" We want to force all the users to save their documents to only the standard folders (Documents, Downloads, Pictures, etc.). We're using Windows 7 and Server 2008.
    Thursday, July 7, 2011 8:13 PM

Answers

  • Hi

    Do achieve this you must:

    Remove the user jdoe write access to the C:\users\jdoe directory and leave with Read/Execute

    Ensure that the system account remains with Full Control or you will get loads of interesting errors :-)

    Allow full control on the directories C:\users\jdoe\MyPictures etc

    This should solve the issue

    Martin

     

     

    Saturday, July 9, 2011 2:36 PM
  • Hi,

     

    To achieve this goal, you need to modify the NTFS permission to give only Read permission for UserName folder and Full Control permission for the subfolders.

     

    You may write a script with Cacls commands and apply it to all the clients.

     

    For detils:

     

    Cacls

    http://technet.microsoft.com/en-us/library/bb490872.aspx

    Assign Computer Startup Scripts

    http://technet.microsoft.com/en-us/library/cc770556.aspx

     

    If you encounter any difficulties when customizing the scripts, you may submit a new question in The Official Scripting Guys Forum! which is a best resource for scripting related issues.

     

    The Official Scripting Guys Forum!

    http://social.technet.microsoft.com/Forums/en/ITCG/threads

     

    Hope this helps!

     

    Regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, July 11, 2011 2:34 AM

All replies

  • Hi

    Do achieve this you must:

    Remove the user jdoe write access to the C:\users\jdoe directory and leave with Read/Execute

    Ensure that the system account remains with Full Control or you will get loads of interesting errors :-)

    Allow full control on the directories C:\users\jdoe\MyPictures etc

    This should solve the issue

    Martin

     

     

    Saturday, July 9, 2011 2:36 PM
  • Hi,

     

    To achieve this goal, you need to modify the NTFS permission to give only Read permission for UserName folder and Full Control permission for the subfolders.

     

    You may write a script with Cacls commands and apply it to all the clients.

     

    For detils:

     

    Cacls

    http://technet.microsoft.com/en-us/library/bb490872.aspx

    Assign Computer Startup Scripts

    http://technet.microsoft.com/en-us/library/cc770556.aspx

     

    If you encounter any difficulties when customizing the scripts, you may submit a new question in The Official Scripting Guys Forum! which is a best resource for scripting related issues.

     

    The Official Scripting Guys Forum!

    http://social.technet.microsoft.com/Forums/en/ITCG/threads

     

    Hope this helps!

     

    Regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, July 11, 2011 2:34 AM
  • I'm probably a bit late here, but to help out future searchers who come across this page, there is a group policy setting to do exactly this, no need to mess round with messy scripts and non-inheriting permissions, etc. This policy setting is explicitly there to cope with the case where the user's My Docs folders are folder redirected, but they still end up saving files to their C:\Users\UserName folder.

    There's a group policy supported from Vista onwards called "Prevent users from adding files to the root of the Users folder". It's in User Configuration -> Administrative Templates -> Windows Components -> Windows Explorer.

    The description on this policy is:

    This policy setting allows administrators to prevent users from adding new items such as files or folders to the root of their Users Files folder in Windows Explorer.

    If you enable this policy setting, users will no longer be able to add new items such as files or folders to the root of their Users Files folder in Windows Explorer.

    If you disable or do not configure this policy setting, users will be able to add new items such as files or folders to the root of their Users Files folder in Windows Explorer.

    Note: Enabling this policy setting does not prevent the user from being able to add new items such as files and folders to their actual file system profile folder at %userprofile%.

    Wednesday, October 2, 2013 4:44 PM