Discussion:
How to restrict access to desktop
(too old to reply)
Rayees
2007-07-28 06:05:21 UTC
Permalink
Hi

There is a need for me to restrict certain access to the PC used by the
users, since these PCs are connected to AD, I restircted lot of access
through GPO. This includes, USB Storage access, hide C:, A: and D: drive
etc

The objective is, I want the user to restrict file copy to this PC, whatever
file they create those files should be stored in the network drive only.

Now the challenge is, while I hidden the c:\ drive etc, they are anyway
forced to store file on the network drive. These users are using Windows
XP, hence they are able to to store their file in C:\documents &
settings\Username\Desktop.

My question is how to restrict user from copying the files in the desktop,
through GPO

Regards
Rayees
dsbrown10
2007-07-28 15:57:57 UTC
Permalink
Post by Rayees
Hi
There is a need for me to restrict certain access to the PC used by the
users, since these PCs are connected to AD, I restircted lot of access
through GPO. This includes, USB Storage access, hide C:, A: and D: drive
etc
The objective is, I want the user to restrict file copy to this PC, whatever
file they create those files should be stored in the network drive only.
Now the challenge is, while I hidden the c:\ drive etc, they are anyway
forced to store file on the network drive. These users are using Windows
XP, hence they are able to to store their file in C:\documents &
settings\Username\Desktop.
My question is how to restrict user from copying the files in the desktop,
through GPO
Regards
Rayees
hello.

in corporate enviroments folder redirection is typically used. so i
suggest that you enable folder redirection to the users homedrive so
that any data saved to the users desktop will be actually saved in a
location that is backed up.

hope this helps
dave
Rayees
2007-07-28 16:05:15 UTC
Permalink
Hi Dave

Folder redirection is a brilliant idea.

However I would like to know is there any option (thru gpo) by how I can
completely restrict the write access to C: and D:\ drive (which is local
HDD)

Is it possible??
Post by dsbrown10
Post by Rayees
Hi
There is a need for me to restrict certain access to the PC used by the
users, since these PCs are connected to AD, I restircted lot of access
through GPO. This includes, USB Storage access, hide C:, A: and D: drive
etc
The objective is, I want the user to restrict file copy to this PC, whatever
file they create those files should be stored in the network drive only.
Now the challenge is, while I hidden the c:\ drive etc, they are anyway
forced to store file on the network drive. These users are using Windows
XP, hence they are able to to store their file in C:\documents &
settings\Username\Desktop.
My question is how to restrict user from copying the files in the desktop,
through GPO
Regards
Rayees
hello.
in corporate enviroments folder redirection is typically used. so i
suggest that you enable folder redirection to the users homedrive so
that any data saved to the users desktop will be actually saved in a
location that is backed up.
hope this helps
dave
Ken Zhao [MSFT]
2007-07-30 03:24:24 UTC
Permalink
Hello Rayees,

Thank you for using newsgroup!

Based on my knowledge, there is no policy to restrict the write access to
C: and D:\ drives.

Thanks & Regards,

Ken Zhao

Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security <http://www.microsoft.com/security>
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.





--------------------
| Reply-To: "Rayees" <***@newsgroup.nospam>
| From: "Rayees" <***@newsgroup.nospam>
| References: <***@TK2MSFTNGP05.phx.gbl>
<***@q75g2000hsh.googlegroups.com>
| Subject: Re: How to restrict access to desktop
| Date: Sat, 28 Jul 2007 21:35:15 +0530
| Lines: 48
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
| Message-ID: <***@TK2MSFTNGP05.phx.gbl>
| Newsgroups: microsoft.public.windows.group_policy
| NNTP-Posting-Host: 59.161.68.147.del-cdma.dialup.vsnl.net.in 59.161.68.147
| Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.group_policy:4863
| X-Tomcat-NG: microsoft.public.windows.group_policy
|
| Hi Dave
|
| Folder redirection is a brilliant idea.
|
| However I would like to know is there any option (thru gpo) by how I can
| completely restrict the write access to C: and D:\ drive (which is local
| HDD)
|
| Is it possible??
| "dsbrown10" <***@btinternet.com> wrote in message
| news:***@q75g2000hsh.googlegroups.com...
| > On Jul 28, 7:05 am, "Rayees" <***@newsgroup.nospam> wrote:
| >> Hi
| >>
| >> There is a need for me to restrict certain access to the PC used by the
| >> users, since these PCs are connected to AD, I restircted lot of access
| >> through GPO. This includes, USB Storage access, hide C:, A: and D:
drive
| >> etc
| >>
| >> The objective is, I want the user to restrict file copy to this PC,
| >> whatever
| >> file they create those files should be stored in the network drive
only.
| >>
| >> Now the challenge is, while I hidden the c:\ drive etc, they are anyway
| >> forced to store file on the network drive. These users are using
Windows
| >> XP, hence they are able to to store their file in C:\documents &
| >> settings\Username\Desktop.
| >>
| >> My question is how to restrict user from copying the files in the
| >> desktop,
| >> through GPO
| >>
| >> Regards
| >> Rayees
| >
| > hello.
| >
| > in corporate enviroments folder redirection is typically used. so i
| > suggest that you enable folder redirection to the users homedrive so
| > that any data saved to the users desktop will be actually saved in a
| > location that is backed up.
| >
| > hope this helps
| > dave
| >
| >
|
|
|
Rayees
2007-07-30 08:28:11 UTC
Permalink
Hi All

Folder redirection solved my purpose.

Regards
Rayees
Post by Ken Zhao [MSFT]
Hello Rayees,
Thank you for using newsgroup!
Based on my knowledge, there is no policy to restrict the write access to
C: and D:\ drives.
Thanks & Regards,
Ken Zhao
Microsoft Online Support
Microsoft Global Technical Support Center
Get Secure! - www.microsoft.com/security
<http://www.microsoft.com/security>
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Subject: Re: How to restrict access to desktop
| Date: Sat, 28 Jul 2007 21:35:15 +0530
| Lines: 48
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
| Newsgroups: microsoft.public.windows.group_policy
| NNTP-Posting-Host: 59.161.68.147.del-cdma.dialup.vsnl.net.in
59.161.68.147
| Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.group_policy:4863
| X-Tomcat-NG: microsoft.public.windows.group_policy
|
| Hi Dave
|
| Folder redirection is a brilliant idea.
|
| However I would like to know is there any option (thru gpo) by how I can
| completely restrict the write access to C: and D:\ drive (which is local
| HDD)
|
| Is it possible??
| >> Hi
| >>
| >> There is a need for me to restrict certain access to the PC used by the
| >> users, since these PCs are connected to AD, I restircted lot of access
drive
| >> etc
| >>
| >> The objective is, I want the user to restrict file copy to this PC,
| >> whatever
| >> file they create those files should be stored in the network drive
only.
| >>
| >> Now the challenge is, while I hidden the c:\ drive etc, they are anyway
| >> forced to store file on the network drive. These users are using
Windows
| >> XP, hence they are able to to store their file in C:\documents &
| >> settings\Username\Desktop.
| >>
| >> My question is how to restrict user from copying the files in the
| >> desktop,
| >> through GPO
| >>
| >> Regards
| >> Rayees
| >
| > hello.
| >
| > in corporate enviroments folder redirection is typically used. so i
| > suggest that you enable folder redirection to the users homedrive so
| > that any data saved to the users desktop will be actually saved in a
| > location that is backed up.
| >
| > hope this helps
| > dave
| >
| >
|
|
|
Ken Zhao [MSFT]
2007-07-31 07:24:14 UTC
Permalink
Hello Rayees,

Glad to hear Folder Redirection is for your purpose.

Thanks & Regards,

Ken Zhao

Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security <http://www.microsoft.com/security>
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.





--------------------
| Reply-To: "Rayees" <***@newsgroup.nospam>
| From: "Rayees" <***@newsgroup.nospam>
| References: <***@TK2MSFTNGP05.phx.gbl>
<***@q75g2000hsh.googlegroups.com>
<***@TK2MSFTNGP05.phx.gbl>
<$***@TK2MSFTNGHUB02.phx.gbl>
| Subject: Re: How to restrict access to desktop
| Date: Mon, 30 Jul 2007 13:58:11 +0530
| Lines: 116
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
| Message-ID: <#***@TK2MSFTNGP05.phx.gbl>
| Newsgroups: microsoft.public.windows.group_policy
| NNTP-Posting-Host: 59.161.68.2.del-cdma.dialup.vsnl.net.in 59.161.68.2
| Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.group_policy:4882
| X-Tomcat-NG: microsoft.public.windows.group_policy
|
| Hi All
|
| Folder redirection solved my purpose.
|
| Regards
| Rayees
|
|
| ""Ken Zhao [MSFT]"" <v-***@online.microsoft.com> wrote in message
| news:$***@TK2MSFTNGHUB02.phx.gbl...
| > Hello Rayees,
| >
| > Thank you for using newsgroup!
| >
| > Based on my knowledge, there is no policy to restrict the write access
to
| > C: and D:\ drives.
| >
| > Thanks & Regards,
| >
| > Ken Zhao
| >
| > Microsoft Online Support
| > Microsoft Global Technical Support Center
| >
| > Get Secure! - www.microsoft.com/security
| > <http://www.microsoft.com/security>
| > ====================================================
| > When responding to posts, please "Reply to Group" via your newsreader so
| > that others may learn and benefit from your issue.
| > ====================================================
| > This posting is provided "AS IS" with no warranties, and confers no
| > rights.
| >
| >
| >
| >
| >
| > --------------------
| > | Reply-To: "Rayees" <***@newsgroup.nospam>
| > | From: "Rayees" <***@newsgroup.nospam>
| > | References: <***@TK2MSFTNGP05.phx.gbl>
| > <***@q75g2000hsh.googlegroups.com>
| > | Subject: Re: How to restrict access to desktop
| > | Date: Sat, 28 Jul 2007 21:35:15 +0530
| > | Lines: 48
| > | X-Priority: 3
| > | X-MSMail-Priority: Normal
| > | X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
| > | X-RFC2646: Format=Flowed; Original
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
| > | Message-ID: <***@TK2MSFTNGP05.phx.gbl>
| > | Newsgroups: microsoft.public.windows.group_policy
| > | NNTP-Posting-Host: 59.161.68.147.del-cdma.dialup.vsnl.net.in
| > 59.161.68.147
| > | Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
| > | Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.windows.group_policy:4863
| > | X-Tomcat-NG: microsoft.public.windows.group_policy
| > |
| > | Hi Dave
| > |
| > | Folder redirection is a brilliant idea.
| > |
| > | However I would like to know is there any option (thru gpo) by how I
can
| > | completely restrict the write access to C: and D:\ drive (which is
local
| > | HDD)
| > |
| > | Is it possible??
| > | "dsbrown10" <***@btinternet.com> wrote in message
| > | news:***@q75g2000hsh.googlegroups.com...
| > | > On Jul 28, 7:05 am, "Rayees" <***@newsgroup.nospam> wrote:
| > | >> Hi
| > | >>
| > | >> There is a need for me to restrict certain access to the PC used
by
| > the
| > | >> users, since these PCs are connected to AD, I restircted lot of
| > access
| > | >> through GPO. This includes, USB Storage access, hide C:, A: and D:
| > drive
| > | >> etc
| > | >>
| > | >> The objective is, I want the user to restrict file copy to this PC,
| > | >> whatever
| > | >> file they create those files should be stored in the network drive
| > only.
| > | >>
| > | >> Now the challenge is, while I hidden the c:\ drive etc, they are
| > anyway
| > | >> forced to store file on the network drive. These users are using
| > Windows
| > | >> XP, hence they are able to to store their file in C:\documents &
| > | >> settings\Username\Desktop.
| > | >>
| > | >> My question is how to restrict user from copying the files in the
| > | >> desktop,
| > | >> through GPO
| > | >>
| > | >> Regards
| > | >> Rayees
| > | >
| > | > hello.
| > | >
| > | > in corporate enviroments folder redirection is typically used. so i
| > | > suggest that you enable folder redirection to the users homedrive so
| > | > that any data saved to the users desktop will be actually saved in a
| > | > location that is backed up.
| > | >
| > | > hope this helps
| > | > dave
| > | >
| > | >
| > |
| > |
| > |
| >
|
|
|
dsbrown10
2007-07-31 09:15:35 UTC
Permalink
Post by Ken Zhao [MSFT]
Hello Rayees,
Glad to hear Folder Redirection is for your purpose.
Thanks & Regards,
Ken Zhao
Microsoft Online Support
Microsoft Global Technical Support Center
Get Secure! -www.microsoft.com/security<http://www.microsoft.com/security>
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Subject: Re: How to restrict access to desktop
| Date: Mon, 30 Jul 2007 13:58:11 +0530
| Lines: 116
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
| Newsgroups: microsoft.public.windows.group_policy
| NNTP-Posting-Host: 59.161.68.2.del-cdma.dialup.vsnl.net.in 59.161.68.2
| Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.group_policy:4882
| X-Tomcat-NG: microsoft.public.windows.group_policy
|
| Hi All
|
| Folder redirection solved my purpose.
|
| Regards
| Rayees
|
|
| > Hello Rayees,
| >
| > Thank you for using newsgroup!
| >
| > Based on my knowledge, there is no policy to restrict the write access
to
| > C: and D:\ drives.
| >
| > Thanks & Regards,
| >
| > Ken Zhao
| >
| > Microsoft Online Support
| > Microsoft Global Technical Support Center
| >
| > Get Secure! -www.microsoft.com/security
| > <http://www.microsoft.com/security>
| > ====================================================
| > When responding to posts, please "Reply to Group" via your newsreader so
| > that others may learn and benefit from your issue.
| > ====================================================
| > This posting is provided "AS IS" with no warranties, and confers no
| > rights.
| >
| >
| >
| >
| >
| > --------------------
| > | Subject: Re: How to restrict access to desktop
| > | Date: Sat, 28 Jul 2007 21:35:15 +0530
| > | Lines: 48
| > | X-Priority: 3
| > | X-MSMail-Priority: Normal
| > | X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
| > | X-RFC2646: Format=Flowed; Original
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
| > | Newsgroups: microsoft.public.windows.group_policy
| > | NNTP-Posting-Host: 59.161.68.147.del-cdma.dialup.vsnl.net.in
| > 59.161.68.147
| > | Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
| > | Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.windows.group_policy:4863
| > | X-Tomcat-NG: microsoft.public.windows.group_policy
| > |
| > | Hi Dave
| > |
| > | Folder redirection is a brilliant idea.
| > |
| > | However I would like to know is there any option (thru gpo) by how I
can
| > | completely restrict the write access to C: and D:\ drive (which is
local
| > | HDD)
| > |
| > | Is it possible??
| > | >> Hi
| > | >>
| > | >> There is a need for me to restrict certain access to the PC used
by
| > the
| > | >> users, since these PCs are connected to AD, I restircted lot of
| > access
| > drive
| > | >> etc
| > | >>
| > | >> The objective is, I want the user to restrict file copy to this PC,
| > | >> whatever
| > | >> file they create those files should be stored in the network drive
| > only.
| > | >>
| > | >> Now the challenge is, while I hidden the c:\ drive etc, they are
| > anyway
| > | >> forced to store file on the network drive. These users are using
| > Windows
| > | >> XP, hence they are able to to store their file in C:\documents &
| > | >> settings\Username\Desktop.
| > | >>
| > | >> My question is how to restrict user from copying the files in the
| > | >> desktop,
| > | >> through GPO
| > | >>
| > | >> Regards
| > | >> Rayees
| > | >
| > | > hello.
| > | >
| > | > in corporate enviroments folder redirection is typically used. so i
| > | > suggest that you enable folder redirection to the users homedrive so
| > | > that any data saved to the users desktop will be actually saved in a
| > | > location that is backed up.
| > | >
| > | > hope this helps
| > | > dave
| > | >
| > | >
| > |
| > |
| > |
| >
|
|
|
hello again.

you cannot completley restrict access without somesort of redirection.
otherwise users would not be able to loggon. you can restrict access
and hide all local drives, but the users desktop will still be owned
by the logged on user.


dave
Login user
2010-12-08 10:47:16 UTC
Permalink
Hello how to redirect the desktop
Post by Rayees
Hi
There is a need for me to restrict certain access to the PC used by the
users, since these PCs are connected to AD, I restircted lot of access
through GPO. This includes, USB Storage access, hide C:, A: and D: drive
etc
The objective is, I want the user to restrict file copy to this PC, whatever
file they create those files should be stored in the network drive only.
Now the challenge is, while I hidden the c:\ drive etc, they are anyway
forced to store file on the network drive. These users are using Windows
XP, hence they are able to to store their file in C:\documents &
settings\Username\Desktop.
My question is how to restrict user from copying the files in the desktop,
through GPO
Regards
Rayees
Post by dsbrown10
hello.
in corporate enviroments folder redirection is typically used. so i
suggest that you enable folder redirection to the users homedrive so
that any data saved to the users desktop will be actually saved in a
location that is backed up.
hope this helps
dave
Post by Rayees
Hi Dave
Folder redirection is a brilliant idea.
However I would like to know is there any option (thru gpo) by how I can
completely restrict the write access to C: and D:\ drive (which is local
HDD)
Is it possible??
Post by Ken Zhao [MSFT]
Hello Rayees,
Thank you for using newsgroup!
Based on my knowledge, there is no policy to restrict the write access to
C: and D:\ drives.
Thanks & Regards,
Ken Zhao
Microsoft Online Support
Microsoft Global Technical Support Center
Get Secure! - www.microsoft.com/security <http://www.microsoft.com/security>
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
drive
only.
Windows
Post by Florian Frommherz [MVP]
Howdie!
What about taking away "Write" rights to the folder? You would need to
have a script to change the NFTS permissions (since they lie on a file
server) and need to asure that user's are not owners of the
%username%-folder (so they can't change back permissions).
Both can be done by scripting. See Xcacls.vbs script or the "Hey
http://support.microsoft.com/kb/825751
http://www.microsoft.com/technet/scriptcenter/resources/qanda/jan06/hey0111.mspx
This approach may not be what you were searching for - but at least a
starting point from which you can start making a new plan...
cheers,
Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Post by Rayees
Hi All
Folder redirection solved my purpose.
Regards
Rayees
Post by Ken Zhao [MSFT]
Hello Rayees,
Glad to hear Folder Redirection is for your purpose.
Thanks & Regards,
Ken Zhao
Microsoft Online Support
Microsoft Global Technical Support Center
Get Secure! - www.microsoft.com/security <http://www.microsoft.com/security>
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
to
microsoft.public.windows.group_policy:4863
can
local
by
Post by dsbrown10
hello again.
you cannot completley restrict access without somesort of redirection.
otherwise users would not be able to loggon. you can restrict access
and hide all local drives, but the users desktop will still be owned
by the logged on user.
dave
Submitted via EggHeadCafe
Microsoft ASP.NET For Beginners
http://www.eggheadcafe.com/training-topic-area/ASP-NET/7/ASP.aspx
cw1972
2010-12-09 10:59:21 UTC
Permalink
Post by Login user
Hello how to redirect the desktop
You can redirect the desktop by using Active Directory Group Policy,
the setting is in the following place:

- User Configuration
-- Windows Settings
--- Folder Redirection (you get the options of four folder locations
to redirect)
---- Application Data
----- Desktop
------ My Documents
------- Start Menu

Florian Frommherz [MVP]
2007-07-30 08:27:51 UTC
Permalink
Howdie!
Post by Rayees
My question is how to restrict user from copying the files in the desktop,
through GPO
What about taking away "Write" rights to the folder? You would need to
have a script to change the NFTS permissions (since they lie on a file
server) and need to asure that user's are not owners of the
%username%-folder (so they can't change back permissions).

Both can be done by scripting. See Xcacls.vbs script or the "Hey
Scripting Guy" series:

http://support.microsoft.com/kb/825751
http://www.microsoft.com/technet/scriptcenter/resources/qanda/jan06/hey0111.mspx

This approach may not be what you were searching for - but at least a
starting point from which you can start making a new plan...

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Loading...