Home / server / Questions / 397181
Accepted
Param
Asked: 2012-06-10 05:20:12 +0800 CST

Restrict user from saving on their Desktop, My Documents, My Music, My Videos, My Pictures etc. via GPO

  • 772

I want to accomplish the following task: A user must not have rights to save on their Desktop, My Documents, My Music, My Videos, My Pictures, etc.

I have already prevented and hidden all drives via GPO. However, user are still able to store files in the locations listed above.

Server OS: Windows Server 2008 R2

Client OS: Windows XP, Windows Vista and Windows 7

group-policy windows-vista windows-xp windows-7 windows-server-2008-r2

3 Answers

  1. Best Answer

    It's very easy if you are using Windows Server 2008.

    1. Create a Group Policy Object, go to Computer Configuration > Policy > Windows Settings > Security Settings > File System
    2. Right click and add %userprofile%\Desktop ....etc for the different folders that you want to restrict access to.
    3. Specify the rights for the specified folder(s) for users or user groups.
    • 5

  2. This is possible with a logon script, but it's a bit tricky, and would require testing to ensure that it works correctly for the target environment. It makes assumptions about the ACE entries in the ACL (system, Administrators, and the user), and that the user is the owner (they typically are). It isn't bullet-proof security, but it can help minimize the casual "save a 2 GB iso file to the roaming profile desktop folder" scenario.

    In broad strokes, when a user logs on, at the end of the last logon script, ACL their Desktop and other locations so that they have Read and Execute permission.

    In the logOFF script, revert the permissions back to normal.

    At the start of the logON script, there should also be a check to reset the permissions to normal in the event that the logoff script failed.

    There are a variety of ACL tools to use: icacls, fileacl, setacl.

    Determining the correct path can be performed using the following PowerShell syntax: 

    [Environment]::GetFolderPath("DesktopDirectory")

    That should be used to ensure that the operation is performed on the redirected location, and not the local location.

    To obtain a list of all the Environment Special Folder locations: 

    [Environment+SpecialFolder]::GetNames([Environment+SpecialFolder])

    That typically returns:

    Desktop
    Programs
    Personal
    MyDocuments
    Favorites
    Startup
    Recent
    SendTo
    StartMenu
    MyMusic
    DesktopDirectory
    MyComputer
    Templates
    ApplicationData
    LocalApplicationData
    InternetCache
    Cookies
    History
    CommonApplicationData
    System
    ProgramFiles
    MyPictures
    CommonProgramFiles

    Note that there are both Desktop and DesktopDirectory special folders.

    Here is a sample PowerShell command to use FileAcl set the Desktop folder to Read and Execute for a user: 

    $user = [System.Environment]::ExpandEnvironmentVariables("%USERDOMAIN%\%USERNAME%")
$exe = "C:\util\FileAcl\FileAcl.exe "
$arg1 = [System.Environment]::GetFolderPath("DesktopDirectory")
$arg2 = "/S"
$arg3 = "`"NT AUTHORITY\SYSTEM`":F"
$arg4 = "/S"
$arg5 = "`"" + $user + "`"" + ":RX"
$arg6 = "/S"
$arg7 = "`"BUILTIN\Administrators`":F"
$arg8 = "/REPLACE"
$arg9 = "/PROTECT"
$allArgs = @($arg1, $arg2, $arg3, $arg4, $arg5, $arg6, $arg7, $arg8, $arg9)


&$exe $allArgs

    To set the folder to Modify permission for the user, arg5 would be:

    $arg5 = """ + $user + """ + ":RWXD"

    • 2

  3. Here a solution without the need to modify the permissions.

    SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ FolderDescriptions \ {B4BFCC3A-DB2C-424C-B029-7FE99A87C641} \ PropertyBag

ThisPCPolicy

REG_SZ

Hide

    This hides the desktop of the options to save as.

    This configuration can be deployed using a GPO.

    Source:

    http://www.sysadmit.com/2018/03/gpo-impedir-guardar-en-el-escritorio.html

    For the rest of the folders it would be:

    Documents:

    HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ FolderDescriptions \ {f42ee2d3-909f-4907-8871-4c22fc0bf756} \ PropertyBag

    Pictures:

    HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ FolderDescriptions \ {0ddd015d-b06c-45d5-8c4c-f59713854639} \ PropertyBag

    Videos:

    HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ FolderDescriptions \ {35286a68-3c57-41a1-bbb1-0eae73d76c95} \ PropertyBag

    Downloads:

    HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ FolderDescriptions \ {7d83ee9b-2244-4e70-b1f5-5393042af1e4} \ PropertyBag

    Music Folder:

    HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ FolderDescriptions \ {a0c69a99-21c8-4671-8703-7934162fcf1d} \ PropertyBag

    Desktop Folder:

    HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ FolderDescriptions \ {B4BFCC3A-DB2C-424C-B029-7FE99A87C641} \ PropertyBag
    • 1