Restrict user from saving on their Desktop, My Documents, My Music, My Videos, My Pictures etc. via GPO
It's very easy if you are using Windows Server 2008.
- Create a Group Policy Object, go to
- Right click and add
%userprofile%\Desktop....etc for the different folders that you want to restrict access to.
- Specify the rights for the specified folder(s) for users or user groups.
This is possible with a logon script, but it's a bit tricky, and would require testing to ensure that it works correctly for the target environment. It makes assumptions about the ACE entries in the ACL (system, Administrators, and the user), and that the user is the owner (they typically are). It isn't bullet-proof security, but it can help minimize the casual "save a 2 GB iso file to the roaming profile desktop folder" scenario.
In broad strokes, when a user logs on, at the end of the last logon script, ACL their Desktop and other locations so that they have Read and Execute permission.
In the logOFF script, revert the permissions back to normal.
At the start of the logON script, there should also be a check to reset the permissions to normal in the event that the logoff script failed.
There are a variety of ACL tools to use: icacls, fileacl, setacl.
Determining the correct path can be performed using the following PowerShell syntax:
That should be used to ensure that the operation is performed on the redirected location, and not the local location.
To obtain a list of all the Environment Special Folder locations:
That typically returns:
Note that there are both Desktop and DesktopDirectory special folders.
Here is a sample PowerShell command to use FileAcl set the Desktop folder to Read and Execute for a user:
$user = [System.Environment]::ExpandEnvironmentVariables("%USERDOMAIN%\%USERNAME%") $exe = "C:\util\FileAcl\FileAcl.exe " $arg1 = [System.Environment]::GetFolderPath("DesktopDirectory") $arg2 = "/S" $arg3 = "`"NT AUTHORITY\SYSTEM`":F" $arg4 = "/S" $arg5 = "`"" + $user + "`"" + ":RX" $arg6 = "/S" $arg7 = "`"BUILTIN\Administrators`":F" $arg8 = "/REPLACE" $arg9 = "/PROTECT" $allArgs = @($arg1, $arg2, $arg3, $arg4, $arg5, $arg6, $arg7, $arg8, $arg9) &$exe $allArgs
To set the folder to Modify permission for the user, arg5 would be:
$arg5 = "
"" + $user + """ + ":RWXD"