
Stop users from deleting Icons 2

Status
Not open for further replies.

glamprecht1 (IS-IT--Management), Mar 23, 2007, US
Although that may sound simple please hear me out...

Our users in this group need to use terminal services to connect to our terminal server. They need to run an application from the terminal server. That application mandates that they must be an admin of that machine (ouch!!)
All users need to use the same shared login.
I have a GPO set up that strips off all icons from the desktop of the terminal services session. Actually it is locked down pretty severely and for the most part stops them from doing anything but double clicking on the two icons that are showing on the desktop.
But, although they cannot right-click, they can single-click and then hit the Delete key, effectively screwing up the user experience for all users. (Everyone logs into the same local profile on the TS.)
Is there a setting in Group Policy that will deny the user the ability to delete the shortcuts short of using a mandatory profile?


Thanks
 
Try write-protecting, or better yet denying delete rights for the user, on the shortcut file (i.e. \Docs+settings\all users\desktop\...).
 
It doesn't matter what restrictions you put on them, if they have admin rights on the box then they'll be able to delete the icons (and I'm pretty sure that there isn't a setting to prevent you from deleting icons).

You could try putting in a logon script that checks to see if the icon is there, and then copies it to their desktop if it isn't.

Or you could set up TS so that when they connect the app is automatically launched, and when they close the app they are logged off.
 
Thanks nsantin

I put in an explicit "Deny" to several attributes on the Desktop folder of that profile. It lets the user keep their admin rights but they can no longer jack with the shortcuts in that folder (The desktop).
So simple, why did i not think of that.

Thanks again.
 
What if you create mandatory profiles for them (rename their profile with a .man extension). Any mods they make to their profile should not take effect.
 
Why are you allowing them to the desktop at all? Publish the application via Terminal Services. Give them a local icon that points to that published application. When they close the application they get disconnected from the terminal server.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
You could apply a GPO to the terminal servers and redirect everyone to the same desktop folder. In Windows 2003...

User Configuration> Folder Redirection> Desktop

Then permission your icons so that "Authenticated Users" have "Read & Execute" and "Read" access ONLY.

good luck with it
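The NTFS approach from the replies above (deny delete on the shortcut files, and read-only icons on a redirected desktop), written out as an added PowerShell example; this is not code from the thread. It assumes the Windows 2003 "All Users" desktop path and a local group named TSAppUsers that the shared logins belong to; both are placeholders.

```powershell
# Added example, not code from the thread. Placeholders: the shared desktop
# path (Windows 2003 "All Users" layout) and a local group TSAppUsers that
# the shared logins belong to.
$Desktop   = 'C:\Documents and Settings\All Users\Desktop'
$Principal = 'TSAppUsers'

function Add-DenyRule {
    param([string]$Path, [string]$Principal, [string]$Rights)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $Principal, $Rights, 'Deny'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Protect-Shortcuts {
    param([string]$Folder, [string]$Principal)
    # Deleting a file needs either DELETE on the file or FILE_DELETE_CHILD on
    # its parent folder; an explicit Deny on both closes the single-click-and-
    # Delete path (rename also needs DELETE, so that is blocked as well).
    Add-DenyRule -Path $Folder -Principal $Principal -Rights 'DeleteSubdirectoriesAndFiles'
    Get-ChildItem -Path $Folder -Filter '*.lnk' | ForEach-Object {
        Add-DenyRule -Path $_.FullName -Principal $Principal -Rights 'Delete'
    }
}

function Test-DeleteDenied {
    param([string]$Path, [string]$Principal)
    # True when an explicit Deny ACE for the principal includes Delete.
    $delete = [System.Security.AccessControl.FileSystemRights]::Delete
    $hits = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -like "*$Principal" -and
        (($_.FileSystemRights -band $delete) -eq $delete)
    }
    return [bool]$hits
}

Protect-Shortcuts -Folder $Desktop -Principal $Principal
Get-ChildItem -Path $Desktop -Filter '*.lnk' | ForEach-Object {
    '{0}: delete denied = {1}' -f $_.Name, (Test-DeleteDenied -Path $_.FullName -Principal $Principal)
}
```

Run it once as an administrator on the terminal server and re-run `Test-DeleteDenied` after any profile or GPO change. The folder-level Deny matters: without it, a principal holding "Delete subfolders and files" on the desktop folder can remove a shortcut whatever the file's own ACL says. As noted later in the thread, an account that is still a local administrator can take ownership and rewrite these ACEs, so this stops the accidental keystroke, not a determined user.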
 
To kmcferrin's point, the deny is not a perfect solution, since they are admins they can take ownership and change the settings, but that would take someone who is 1. purposely trying to be malicious and 2. knows what they are doing.
 
glamprecht1,

A logon script would help much in this situation. Each time a user logs in, use "special folders" in your VBScript, and create the required icons for each new session.

As well, you could enumerate through application groups and create just the icons they need. This could also apply to NTFS security on that box.

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN
 
Wow!!

I am just overwhelmed with all of the responses here.
Lots of good input from many angles.

My final solution was to use NTFS security to accomplish the lockdown on the icons. It’s not perfect but it is pretty good. After all we are just talking about some icons (shortcuts).
I had several people attempt to cause any destruction that they could and all of the policies held up.

After talking to my boss it appears that we will be purchasing a Citrix server very soon and will migrate all of our TS wacko stuff to Citrix. Hopefully, Citrix is more robust than Microsoft Terminal services.

Thanks again for all of the postings

 
Personally I think you are going to waste good IT budget by going to Citrix.

Citrix used to be leaps and bounds over TS before 2003, but there is little more that it has to offer these days.

Did you consider my suggestion to publish your application via Terminal Services? As there was no reply it seems to have been an overlooked solution. All of what you have done to lock down icons (though good for security) would not have been needed, since the users would ONLY get that one application when connecting to the Terminal Server. There would be no desktop for them to delete icons from. There would be no access to the Start Menu etc. So despite having Admin Rights, they would have no other access to the system.

I suspect also that your users do not truly need to have admin rights. They probably just need full control of the program directory and write rights to any registry keys for the program.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Markdmac:...

The application in question is actually a suite. There are 9 different applications that are included and we generally allow access to only the applications that the user needs. One user may need access to all nine and another user may only need access to two.
I have met a huge amount of resistance when I attempt to "change" the environment to a more secure one. The biggest complaint is people are used to seeing those stinking shortcuts on the desktop and management insists on them being there.
So, in the name of being a team player, without losing sight of my long-term goals, I am forced to merge the look that the users insist on seeing with the security and manageability that we need.
So with those criteria in mind maybe my situation makes more sense???
On publishing the application through TS....
I will test this (I have never done this) but I suspect that while it may be a superior method, the look and feel will be too much for the users and all H*&l will break loose. :) It also sounds like only one app at a time will be accessible?? Remember I am forced to show all icons that a user may need on the desktop. (This is companywide on all machines!!!!!)
Regarding the admin rights....
You are probably right. But I am very new here and until I get a firm footing with my users and this network I really need to be very selective on which battles that I choose to fight or solutions that I need to solve.
Right now I am looking for a quick fix that will implement relatively unnoticed. Looks and feels like what they have always used but is far more secure.
Right now they log into the TS server with six different accounts, with full admin rights to the TS server and absolutely full control over that server. If anyone thought to try they could have lots of fun. The way it was when I got here, it was just a local profile for each of these logins with full admin rights to the server. Anyone can shut it down or do whatever they want.
I really do appreciate your posts and I will research the TS angle. Its very possible that a better understanding of TS could save us a bunch of money.
Thanks for all of your help
 
OK, so knowing that you have multiple applications to me just makes my solution make more sense.

You could programmatically push down icons to the users' local desktops for those applications that they need to have.

From the user's perspective the applications will be local, although in reality they will be executing from the Terminal Server.

Here is how I would proceed before you make any changes to the live users. Create a test user. Make that user a member of a new group for the application suite. In NTFS on the Terminal Server, assign Modify Rights to the program folder for the application. Use Regedt32 to assign Full control to the registry keys for the application. You MAY find you need to assign rights to the HKEY_CLASSES_ROOT depending on the application. Try without first.

Test that the test user can access the application when logging into the terminal server just like the other users can. If this works you have already resolved your biggest security problem and could move all other users to that group, remove their admin rights and they will never know anything changed.

To further enhance your users' experience, publish each of the applications and make icons for them. Use VBScript (I can help with that too) to push those icons out to the local desktops. Your users would then start the applications locally instead of going to the Terminal Server (from their perspective, the apps will be running on the TS box but in a single application window).


I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
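The test-user procedure above (new group, Modify on the program folder, Full Control on the program's registry keys, HKCR only if needed, then drop admin rights) as an added PowerShell example; it is not code from the thread. The group name, program folder and registry key are placeholders.

```powershell
# Added example, not code from the thread. Placeholders: a group TSAppUsers,
# the suite's program folder and its HKLM key.
$Group  = 'TSAppUsers'
$AppDir = 'C:\Program Files\Suite'
$AppKey = 'HKLM:\SOFTWARE\SuiteVendor'

function Grant-FolderModify {
    param([string]$Path, [string]$Group)
    # Modify on the folder, inherited by subfolders and files: enough for
    # programs that write config, logs or temp files next to their binaries.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-KeyFullControl {
    param([string]$Path, [string]$Group)
    # Full Control on the vendor key and its subkeys, nothing wider in HKLM.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $Group, 'FullControl', 'ContainerInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-GrantedRights {
    param([string]$Path, [string]$Group)
    # Returns the Allow rights the group now holds on the object, for a quick check.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*$Group" } |
        ForEach-Object { if ($_.FileSystemRights) { $_.FileSystemRights } else { $_.RegistryRights } }
}

Grant-FolderModify   -Path $AppDir -Group $Group
Grant-KeyFullControl -Path $AppKey -Group $Group
'folder:   {0}' -f (Get-GrantedRights -Path $AppDir -Group $Group)
'registry: {0}' -f (Get-GrantedRights -Path $AppKey -Group $Group)

# Only if the program still fails, widen to its HKCR classes (placeholder key):
#   New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
#   Grant-KeyFullControl -Path 'HKCR:\SuiteVendor.Document' -Group $Group
# then pull the test account out of the local Administrators group:
#   net localgroup Administrators TestUser /delete
```

To find out which folder or key the suite actually needs, log on as the test user with Process Monitor running and filter on Result = ACCESS DENIED; grant only what shows up there, one path at a time, rather than guessing at HKCR.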
 
Markdmac:

I am very interested in looking deeper into your solution.
Do you have a basic script that i can modify to push out the icons????

Thanks!!!
 
Sure, you would want to create the shortcuts first and put them on a network share that the users will all have read access to.

Then it is just a simple file copy.

Code:
   ' Copy a prepared shortcut to the current user's desktop if it is missing.
   Dim oFSO, WSHShell, UserDesktop
   Set oFSO = CreateObject("Scripting.FileSystemObject")
   Set WSHShell = CreateObject("Wscript.Shell")
   UserDesktop = WSHShell.SpecialFolders("Desktop")
   If Not oFSO.FileExists(UserDesktop & "\Shortcut.lnk") Then
       ' Trailing backslash makes CopyFile treat the destination as a folder.
       oFSO.CopyFile "\\SourceServer\Share\Shortcut.lnk", UserDesktop & "\"
   End If

Add this as a login script. It will only copy the files if they don't exist. So if a user were to delete the icon they will get it back on next login. If the icons are not deleted, then no action is taken at next login.

You could determine which icons to push down by making the users members of a Global Group used for access identification. Based on the group you could decide which icons to push out. Take a look at my VBScript Login Script FAQ for an example of checking group memberships. Instead of mapping a drive you would insert the file copy code instead. faq329-5798

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Thanks MarkDmac

I will play around with this.

Thanks again.

 
Seems to me, someone had already mentioned using a logon script to search for group membership and special folders for icon creation...

I would create the shortcuts within the script, rather than copying these objects from a network share as markdmac had suggested.

Something like this:
Code:
Dim strLink, strTarget, strWorkingDir

' objGroup is the group object from the membership enumeration loop this
' snippet sits in; <group>, <appName>, <pathTo> and <workingDirectory>
' are placeholders to fill in.
If objGroup.CN = "<group>" Then
	strLink = "\<appName>.lnk"
	strTarget = "<pathTo>.exe"
	strWorkingDir = "<workingDirectory>"
	Call CreateShortcut(strLink, strTarget, strWorkingDir)
End If

' Creates (or overwrites) a .lnk on the current user's desktop.
Function CreateShortcut(strLink, strTarget, strWorkingDir)
	Dim WSHShell, DTPath, DTShortcut
	Set WSHShell = WScript.CreateObject("WScript.Shell")
	DTPath = WSHShell.SpecialFolders("Desktop")

	Set DTShortcut = WSHShell.CreateShortcut(DTPath & strLink)
	DTShortcut.TargetPath = WSHShell.ExpandEnvironmentStrings(strTarget)
	DTShortcut.WorkingDirectory = WSHShell.ExpandEnvironmentStrings(strWorkingDir)
	DTShortcut.Save
End Function

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN
 
Jonathan,

The reason I did not suggest shortcut creation via script is that the shortcuts need to be saved RDP connections and you need to specify the applications to launch.

The VBScript shortcut creation does not support those properties.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Mark,

The solution I posted will save the shortcuts to the users' desktops. It will also specify the application to launch for each shortcut. Am i missing something here, or is it not clear as to what my script does?

Regardless, either way will work. It's partly a matter of how many moving parts you want involved in this process.

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN
 
Yes, you are missing something.

These are not normal shortcuts we are talking about. They don't point to an application. They are RDP shortcuts.

To see what I am talking about:

Click Start, Programs, Accessories, Communications, Remote Desktop.

Enter server details to connect to. Click the Programs tab. Specify the program to connect to. Save the connection info as a shortcut.

These are a special kind of shortcut that will actually have an RDP extension. There may be a specialized programming interface for them but I am unaware of it.

The example that you provide is well known to me and generally I would prefer to dynamically create the icons as you have suggested, though I would use code to first check to see if they exist before trying to make them. I provide such examples in my login script FAQ faq329-5798.

Hopefully this clears up the issue. The needed icons are not standard shortcuts.

It might be possible to create LNK files that point to the special icons, I have not attempted that but think it would be wasteful since you would be calling a shortcut that will then call another to connect to the server.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
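The saved RDP connection the last few posts describe (server plus the program to start, written from the Programs tab) is a plain-text .rdp file, so a logon script can generate it directly without going through WScript.Shell.CreateShortcut. An added PowerShell example that combines that with the "only if missing" check and the group-membership selection suggested earlier in the thread; it is not code from the thread. The server name, group names and executable paths are placeholders.

```powershell
# Added example, not code from the thread. Placeholders: server TS01, groups
# CORP\App-Ledger and CORP\App-Payroll, and the executable paths.
$Server = 'TS01'
$Apps = @(
    @{ Name = 'Ledger';  Group = 'CORP\App-Ledger';  Exe = 'C:\Program Files\Suite\Ledger.exe';  Dir = 'C:\Program Files\Suite' }
    @{ Name = 'Payroll'; Group = 'CORP\App-Payroll'; Exe = 'C:\Program Files\Suite\Payroll.exe'; Dir = 'C:\Program Files\Suite' }
)

function New-RdpFileContent {
    param([string]$Server, [string]$Exe, [string]$WorkingDir)
    # The same settings mstsc writes when the Programs tab is filled in and the
    # connection saved: "alternate shell" replaces Explorer for the session, so
    # the user never sees a desktop and the session ends when the program exits.
    $lines = @(
        "full address:s:$Server"
        "alternate shell:s:$Exe"
        "shell working directory:s:$WorkingDir"
        "screen mode id:i:2"        # 2 = full screen, 1 = windowed
        "redirectclipboard:i:1"
        "redirectdrives:i:0"        # keep the client's drives off the server
    )
    return ($lines -join "`r`n")
}

function Test-GroupMember {
    param([string]$Group)
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object -TypeName System.Security.Principal.WindowsPrincipal -ArgumentList $identity
    try   { return $principal.IsInRole($Group) }
    catch { return $false }   # unresolvable group name: treat as not a member
}

function Install-RdpShortcuts {
    param([string]$Server, [array]$Apps, [string]$Desktop)
    $written = @()
    foreach ($app in $Apps) {
        if (-not (Test-GroupMember -Group $app.Group)) { continue }
        $file = Join-Path -Path $Desktop -ChildPath ('{0} on {1}.rdp' -f $app.Name, $Server)
        # Only recreate what is missing: a deleted icon comes back at next logon,
        # an untouched one is left alone (same idea as the FSO CopyFile script).
        if (-not (Test-Path -Path $file)) {
            $content = New-RdpFileContent -Server $Server -Exe $app.Exe -WorkingDir $app.Dir
            Set-Content -Path $file -Value $content -Encoding Ascii
            $written += $file
        }
    }
    return $written
}

$desktop = [Environment]::GetFolderPath('Desktop')
Install-RdpShortcuts -Server $Server -Apps $Apps -Desktop $desktop |
    ForEach-Object { "created $_" }
```

Assign it as the users' logon script; one .rdp icon appears per application group the user is in, each opening a single-program session on the terminal server. Two caveats: the file lives on the client and is editable, so a user can strip the "alternate shell" line and get a full desktop, which means the lockdown on the server side still matters; and if you later change a path, the missing-file check will not refresh existing icons, so either delete them or put a version in the file name.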
 