Restrict user from saving on their Desktop, My Documents, My Music, My Videos, My Pictures etc. via GPO

Solution 1:

It's very easy if you are using Windows Server 2008.

  1. Create a Group Policy Object, go to Computer Configuration > Policy > Windows Settings > Security Settings > File System
  2. Right-click and add %userprofile%\Desktop, etc., for the different folders that you want to restrict access to.
  3. Specify the rights for the specified folder(s) for users or user groups.

Solution 2:

This is possible with a logon script, but it's a bit tricky, and would require testing to ensure that it works correctly for the target environment. It makes assumptions about the ACE entries in the ACL (system, Administrators, and the user), and that the user is the owner (they typically are). It isn't bullet-proof security, but it can help minimize the casual "save a 2 GB iso file to the roaming profile desktop folder" scenario.

In broad strokes, when a user logs on, at the end of the last logon script, ACL their Desktop and other locations so that they have Read and Execute permission.

In the logOFF script, revert the permissions back to normal.

At the start of the logON script, there should also be a check to reset the permissions to normal in the event that the logoff script failed.

There are a variety of ACL tools to use: icacls, fileacl, setacl.

Determining the correct path can be performed using the following PowerShell syntax:

[Environment]::GetFolderPath("DesktopDirectory")  

That should be used to ensure that the operation is performed on the redirected location, and not the local location.

To obtain a list of all the Environment Special Folder locations:

[Environment+SpecialFolder]::GetNames([Environment+SpecialFolder])  

That typically returns:

Desktop
Programs
Personal
MyDocuments
Favorites
Startup
Recent
SendTo
StartMenu
MyMusic
DesktopDirectory
MyComputer
Templates
ApplicationData
LocalApplicationData
InternetCache
Cookies
History
CommonApplicationData
System
ProgramFiles
MyPictures
CommonProgramFiles

Note that there are both Desktop and DesktopDirectory special folders.

Here is a sample PowerShell command to use FileAcl to set the Desktop folder to Read and Execute for a user:

# Principal to restrict, in DOMAIN\user form
$user = [System.Environment]::ExpandEnvironmentVariables("%USERDOMAIN%\%USERNAME%")
# Path to FileAcl.exe (no trailing space, or the call operator cannot find it)
$exe = "C:\util\FileAcl\FileAcl.exe"
# Resolve the (possibly redirected) Desktop folder rather than the local one
$arg1 = [System.Environment]::GetFolderPath("DesktopDirectory")
$arg2 = "/S"
$arg3 = "`"NT AUTHORITY\SYSTEM`":F"
$arg4 = "/S"
$arg5 = "`"" + $user + "`"" + ":RX"
$arg6 = "/S"
$arg7 = "`"BUILTIN\Administrators`":F"
# /REPLACE discards the existing explicit ACEs; /PROTECT stops inheritance from the parent
$arg8 = "/REPLACE"
$arg9 = "/PROTECT"
$allArgs = @($arg1, $arg2, $arg3, $arg4, $arg5, $arg6, $arg7, $arg8, $arg9)

&$exe $allArgs  

To set the folder to Modify permission for the user, arg5 would be:

$arg5 = """ + $user + """ + ":RWXD"