Restrict user from saving on their Desktop, My Documents, My Music, My Videos, My Pictures etc. via GPO

Solution 1:

It's very easy if you are using Windows Server 2008.

  1. Create a Group Policy Object, go to Computer Configuration > Policy > Windows Settings > Security Settings > File System
  2. Right click and add %userprofile%\Desktop ....etc for the different folders that you want to restrict access to.
  3. Specify the rights for the specified folder(s) for users or user groups.

Solution 2:

This is possible with a logon script, but it's a bit tricky, and would require testing to ensure that it works correctly for the target environment. It makes assumptions about the ACE entries in the ACL (system, Administrators, and the user), and that the user is the owner (they typically are). It isn't bullet-proof security, but it can help minimize the casual "save a 2 GB iso file to the roaming profile desktop folder" scenario.

In broad strokes, when a user logs on, at the end of the last logon script, ACL their Desktop and other locations so that they have Read and Execute permission.

In the logOFF script, revert the permissions back to normal.

At the start of the logON script, there should also be a check to reset the permissions to normal in the event that the logoff script failed.

There are a variety of ACL tools to use: icacls, fileacl, setacl.

Determining the correct path can be performed using the following PowerShell syntax: 

[Environment]::GetFolderPath("DesktopDirectory")

That should be used to ensure that the operation is performed on the redirected location, and not the local location.

To obtain a list of all the Environment Special Folder locations: 

[Environment+SpecialFolder]::GetNames([Environment+SpecialFolder])

That typically returns:

Desktop
Programs
Personal
MyDocuments
Favorites
Startup
Recent
SendTo
StartMenu
MyMusic
DesktopDirectory
MyComputer
Templates
ApplicationData
LocalApplicationData
InternetCache
Cookies
History
CommonApplicationData
System
ProgramFiles
MyPictures
CommonProgramFiles

Note that there are both Desktop and DesktopDirectory special folders.

Here is a sample PowerShell command to use FileAcl set the Desktop folder to Read and Execute for a user: 

$user = [System.Environment]::ExpandEnvironmentVariables("%USERDOMAIN%\%USERNAME%")
$exe = "C:\util\FileAcl\FileAcl.exe "
$arg1 = [System.Environment]::GetFolderPath("DesktopDirectory")
$arg2 = "/S"
$arg3 = "`"NT AUTHORITY\SYSTEM`":F"
$arg4 = "/S"
$arg5 = "`"" + $user + "`"" + ":RX"
$arg6 = "/S"
$arg7 = "`"BUILTIN\Administrators`":F"
$arg8 = "/REPLACE"
$arg9 = "/PROTECT"
$allArgs = @($arg1, $arg2, $arg3, $arg4, $arg5, $arg6, $arg7, $arg8, $arg9)


&$exe $allArgs

To set the folder to Modify permission for the user, arg5 would be:

$arg5 = """ + $user + """ + ":RWXD"

Tags:

Windows Vista

Windows Xp

Windows 7

Windows Server 2008 R2

Group Policy

Related

Configure DNS server to return same IP for all domains Your system administrator does not allow the use of saved credentials to log on to the remote computer How to restrict mailman list subscriptions to certain domains? Nginx proxy domain to another domain with no change URL How to forward specific log file outside of /var/log with rsyslog to remote server? Is there a way to determine which virtual interface belongs to a virtual machine in a kvm host? S3fs performance improvements or alternative? IIS gives wrong certificate for an HTTPS request How can the little guys effectively learn and use Puppet? Microsoft Windows - Install Updates And Restart (instead of Install and Shutdown) How to update cURL CA bundle on RedHat? What should the order of DNS servers be for an AD Domain Controller and Why?

Recent Posts