a registry hack/xcacls script through startup script that affects the default user profile, could possibly do it to change the permissions. If they already have a profile, then it would need to be an after the fact logon script to change permissions to those folders.
Strange request...but I am sure there may be other ways to do this. There always are.
Well, the reason I ask is for a terminal server/Citrix. We have a server desktop displayed for the user, but we only want the user to be able to run 3-4 apps from the desktop, not do anything else on the remote server.
________________________
Thanks,
Andrew
Hard work often pays off over time, but procrastination pays off right now!
Although I don't think there is a specific setting for this, you could probably achieve the same results using a combination of policies. You could use the Computer Configuration/Windows Settings/Security Settings/File System policy and specify permissions on those folders to RO, although that may be difficult as I don't think you can really specify variables like %username% in the path names there since it's a Computer policy. You'd almost need a known list of users that have already logged in so you can specify known paths to their My Documents/Desktop folder locations.
Or perhaps use the User Configuration/Windows Settings/Security Settings/Folder Redirection to redirect those folders to shared network locations that are RO.
And perhaps throw in User Configuration/Administrative Templates/Desktop "Don't save settings at exit" with either setting for good measure.
acl03 (MIS)
26 Nov 08 11:27
Well, the reason I ask is for a terminal server/Citrix. We have a server desktop displayed for the user, but we only want the user to be able to run 3-4 apps from the desktop, not do anything else on the remote server.
If it's Citrix you could just publish the apps too. Or just apply multiple policies to restrict the hell out of the computer/user configurations. I used to configure convention kiosks in this manner so that users logging in could only run the apps that I dropped icons on the desktop for.
acl03 (MIS)
26 Nov 08 11:38
Hmm, interesting ideas. What about just modifying the default profile's My Docs and Desktop as RO for non-admins?
A possibility although I'm not sure how the user's permissions are applied to the profile when the Default User profile is copied over. It may overwrite the permissions? Worth a try. Would effectively achieve the same results as the File System policy if the rights are maintained.
shinedog (MIS)
26 Nov 08 11:39
If it's Citrix you could just publish the apps too. Or just apply multiple policies to restrict the hell out of the computer/user configurations. I used to configure convention kiosks in this manner so that users logging in could only run the apps that I dropped icons on the desktop for.
What policies do you restrict to only allow access for the desktop icons you put out there?
One issue is that the users logging into this remote Citrix server use the same account that they use to log in while at work (where we don't want the restrictions). I think that can be solved with a special GPO on the Citrix server using Loopback processing mode, though.
________________________
Thanks,
Andrew
Hard work often pays off over time, but procrastination pays off right now!
I don't have a copy of the GPO I used but I pretty much enabled anything that would allow users to do anything I didn't want them to do. Printed out, the GPO contained like some 200+ settings that were enabled. You could always use the local policy through GPEDIT.MSC on the specific Citrix server to get around affecting users on their regular workstations.
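The "after the fact" logon script idea from the start of the thread, sketched as an added example that is not from any poster: it uses icacls (the built-in successor to xcacls, swapped in here) and assumes it runs as a logon script in the user's own context on the terminal server. It sets the user's Desktop and My Documents to read-only and then checks that a write really fails.

```powershell
# Added example, not from the thread. Assumption: runs as a logon script in the
# user's own context on the terminal server.
# Caveat: the user still owns these folders, and an owner can rewrite the ACL,
# so treat this as a guard rail next to published apps / GPO lockdown.
$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

foreach ($folder in 'Desktop', 'MyDocuments') {
    $path = [Environment]::GetFolderPath($folder)
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

    # Explicit ACEs first: SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544)
    # keep Full control, the user gets Read & Execute only.
    # /grant:r replaces any earlier explicit grant for the same principal.
    icacls $path /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' "${user}:(OI)(CI)RX" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "grant failed on $path"; continue }

    # Then drop the ACEs inherited from the profile root, which are what give
    # the user Full control by default.
    icacls $path /inheritance:r | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "could not remove inheritance on $path"; continue }

    # Check the result: creating a file must now be refused.
    $probe = Join-Path $path ("acl-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe
        Write-Warning "$path is still writable for $user"
    } catch {
        Write-Output "$path is read-only for $user"
    }
}
```

Linking the script from a GPO that applies only on the Citrix server (the loopback approach mentioned above) keeps the same accounts unrestricted on their regular workstations.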