We have several Windows workstations which are shared by multiple users. I'm currently considering a scheme where users have their own user accounts and profiles, but they share the same Desktop and Documents folders. Our users are used to sharing things with each other by saving to the desktop, so this wouldn't require any training. My questions about this scheme are:
Is this a terrible idea? The fact that I don't see anybody else doing this makes me think there's something wrong with it, or there's a much easier way to achieve what I want.
I could probably do this by logging into each account, going into properties for the Desktop and Documents, and choosing Location → Move. Is there a way to configure the computer to do this automatically on all new user accounts?
Scenario
Currently, the workstations log into a single local user account. The only sensitive data is stored in a few applications like Outlook. We do not have a domain and have no plans to create one.
As far as I know, we can't simply password-protect Outlook profiles because we use Exchange in cached mode. OST files can't be password protected, and since we use cached mode even if we enabled "Always prompt for credentials" on the Exchange account, a snooping user could just hit cancel and look through cached email. When searching online, the advice to protect Exchange accounts seems to always be "use separate Windows accounts".
Since users love saving everything to their desktop and that's how they share files with each other, using separate accounts would require everyone to remember to put shared documents in special shared folders. I foresee this just causing too much friction to be worth it.
But, if I could create multiple accounts that share the same Desktop and Documents folders, users would be able to share files simply by saving them to the Desktop or Documents folders, and yet sensitive per-user data would still be stored in AppData and therefore be protected by ACLs and the Windows account passwords.
The workstations are running Windows XP, Vista, and Windows 7, and running any version of Outlook from 2003 all the way through 2013.
You can redirect folders to the same location using GPO. This includes the desktop and documents. Just make sure all users have permissions.
That's the technical answer. From a technical viewpoint, this can be done. Is it a good idea? No. Not really. This can be handled by giving each user their own documents and desktop like normal, but making a network share that is automatically mapped to each user on login - again, via GPO.
Yes, this is an aged post, but the info I am sharing is still relevant and valid.
As info, I am doing this across multiple machines that I happen to make use of myself, so that I have a consistent experience and file availability regardless of which box I am on. I do this through the use of Dropbox (the client being installed on each machine & logged into my Dropbox account) by creating a desktop folder on Dropbox and then redirecting each user's desktop on each machine to point at the desktop folder on Dropbox's local cache. The same thing could be done with the Documents folder as well, I believe, but haven't gone there as I too LOVE to save everything to my desktop... ;)
Dropbox is reasonably secure with data-at-rest (stored encrypted on Amazon's S3 servers, iirc) and data-in-motion (encrypted on the fly), so I think that any concerns regarding security may be mitigated for most reasonable implementations.
Additionally there is the added benefit of Dropbox's file historization/versioning.
It might be worth looking into.
The best way is to set up a domain server with Active Directory services and features, share a root folder and set up permissions for each user, either with read/write credentials.
Todd Wulff's idea is a good one.
I have two profiles on the same Windows 10 computer, both with admin privileges, and I've "moved" the Documents and Desktop folders to the same location on the same drive (right-click on the folder and go to Properties > Location to move it, after setting up a folder with the same name in the new location). On top of that, I use Sync.com (like Dropbox but zero-knowledge vis-à-vis the provider) to sync that same drive to two other computers, where the Documents and Desktop folders are set up in the same way. In other words, I have the same Documents and Desktop folder (and entire documents drive) on three computers and four profiles.
It might not be feasible to have different profiles with admin privileges on the same computer if you only want those two folders shared, as the admins could access everything else too. That's where the Dropbox (or Sync.com) idea comes in. Just move the folders into your Dropbox or Sync folder.
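The Properties > Location move described above, scripted for machines without a domain, as an added example that is not code from any poster in this thread. The `C:\Shared` path, the `TempDefault` hive name and the function names are assumptions, and the default-profile path assumes Windows Vista or later.

```powershell
# Added example. C:\Shared and the hive name TempDefault are assumed values.
$SharedRoot = 'C:\Shared'
# Registry value name -> subfolder. 'Personal' is the value name for Documents.
$Redirects = @{ Desktop = 'Desktop'; Personal = 'Documents' }
$SubKey = 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

function Initialize-SharedFolders {
    # Run once per machine from an elevated prompt.
    foreach ($sub in $Redirects.Values) {
        New-Item -ItemType Directory -Path (Join-Path $SharedRoot $sub) -Force | Out-Null
    }
    # S-1-5-32-545 is the well-known SID of the local Users group.
    $users = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-32-545'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $users, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl = Get-Acl -Path $SharedRoot
    $acl.AddAccessRule($rule)
    Set-Acl -Path $SharedRoot -AclObject $acl
}

function Set-ShellFolderRedirect([string]$Root) {
    # $Root is a reg.exe root: 'HKCU' for the signed-in user,
    # or a hive loaded under HKU (see Set-DefaultProfileRedirect).
    foreach ($entry in $Redirects.GetEnumerator()) {
        $target = Join-Path $SharedRoot $entry.Value
        & reg.exe add "$Root\$SubKey" /v $entry.Key /t REG_EXPAND_SZ /d $target /f | Out-Null
    }
}

function Set-DefaultProfileRedirect {
    # Run elevated. Accounts created afterwards inherit the redirect,
    # because new profiles are copied from the Default profile.
    $hive = Join-Path $env:SystemDrive 'Users\Default\NTUSER.DAT'
    & reg.exe load 'HKU\TempDefault' $hive | Out-Null
    try { Set-ShellFolderRedirect 'HKU\TempDefault' }
    finally { & reg.exe unload 'HKU\TempDefault' | Out-Null }
}

# Typical order on one workstation:
#   Initialize-SharedFolders        (elevated, once)
#   Set-DefaultProfileRedirect      (elevated, once, for future accounts)
#   Set-ShellFolderRedirect 'HKCU'  (as each existing user)
```

Only the registry pointers change: files already on a user's old Desktop or Documents are not moved, and the new location is picked up after the user signs out and back in. AppData stays under each profile's own ACL, which is the separation the question is after.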
The simple way of doing this is by creating a domain with a domain controller, and having these machines all be members of the domain. Based on your existing security model, however, I think separating accounts by using a domain is far beyond the scope of security you wish to achieve.
The basic way of sharing documents amongst multiple user accounts is the "All Users" profile. It is geared specifically for that. Anything in this profile appears to everyone who logs into the machine.
Make a shared folder on the server. Go to each computer and find their user folder. Go to properties for each item (like My Documents, Desktop, etc.) and change the location to the shared folder.