Prevent users from saving to desktop Windows 10 GPO

1. So near and yet so far...

   I have given up trying to find a simple way of stopping the users saving files on the desktop and so I have started looking at folder redirection.

   I have it up and running on a test user in a test OU using the following settings:

   Created a Security Group with a test user in.

   GPO configured:

   Scope - Security Filtering [the security group I created as it failed without this - a lot of info out there doesn't mention this].
   Delegation - Authenticated users, Admins, System and the security group I created.

   User Configuration > Policies > Windows Settings > Folder Redirection

   Desktop - Basic - Redirect everyone's folder to the same location
   Target Folder Location - Create a folder for each user under the root path
   Root Path - \\SERVER\HOMESHARE$\

   Settings - Move the contents... [I have not ticked the 'Grant exclusive rights' as I read it causes issues with permissions]...
   Policy Removal - Redirect the folder back [this doesn't seem to remove the folders in the share though]...

   Although that part of it works well, I am unsure what steps I need to do now to make it read-only...

   The only thing is, I have used their home folder to redirect to and due to that fact, the Desktop folder shows the 'user' as the 'owner'.

   Can I now make the folder read-only for the owner?

   Because I have also read that if the user is not the owner of the share, you must tick 'grant exclusive rights' or the redirection will fail...

   Should I just create a seperate share for the folder redirection or try to change the properties of the folders inside the Home folders?

2. I'm not wholly sure what you're trying to do here.
   As far as I can see, you want to give each user their own desktop that they can't change?

   Why not just give everyone the same desktop [or have a couple of different ones based on job roles]? For example here we have:
   Teachers > \\server\redirect$\desktop\Teaching_Staff
   pupils > \\server\redirect$\desktop\Student

   and so on with about 5 different desktops for finance, admin and so on.

   If you want them each to have their own desktop folder then I'd go for a new share rather than messing with the home folders [I've really screwed up home folders by futzing with the permissions before].

3. 2 Thanks to Rob_D:

   Koldov[16th January 2020], mhaddock[17th September 2020]

4. Why not just redirect the user's desktop to a folder in their home drive and leave it at that? Stops issues with profile growth and replication and is super easy to implement.

   With that, there's no reason to stop users saving files on the desktop as they just end up in the home drive anyway!

5. 4 Thanks to FishCustard:

   eddyc[17th January 2020], hallb15[4th February 2020], Koldov[16th January 2020], Rob_D[16th January 2020]

6. Originally Posted by Rob_D

   As far as I can see, you want to give each user their own desktop that they can't change?

   This is just for students, but that's about the size of it. I thought folder redirection for the desktop folder and making it read-only was how you did it... No?

   Originally Posted by FishCustard

   Why not just redirect the user's desktop to a folder in their home drive and leave it at that?!

   The thing is that as we are a very small school with Early Years students and they all have a shared 'class' log on. This obviously means that they have a shared class home drive [but they have have their own folders within that]. They have a local profile on the machine, so if they save to the desktop [or documents folders] that stays on the machine [half the time they don't even know where they have saved their stuff]. It may work but I just see it as complicating matters if they have a 'Desktop' folder in there too.

7. Originally Posted by Koldov

   The thing is that as we are a very small school with Early Years students and they all have a shared 'class' log on. This obviously means that they have a shared class home drive [but they have have their own folders within that]. They have a local profile on the machine, so if they save to the desktop [or documents folders] that stays on the machine [half the time they don't even know where they have saved their stuff]. It may work but I just see it as complicating matters if they have a 'Desktop' folder in there too.

   If you redirect the Desktop to a folder under the home drive, nothing saved there will go to the local profile, solving the "staying-on-the-machine" issue. It doesn't solve the "files belong in the students' individual folders" issue, but then again there's nothing stopping them from just saving in the root of the home drive either.

   It's a partial solution worth considering at least.

8. Thanks to FishCustard from:

   Koldov[17th January 2020]

9. If they can't change it, then why do they need on each?

   I mean I've go everyone [or everyone in a specific group] redirected to the same [read only] folder so I can control the desktop icons centrally. Which IMO is the main reason for doing desktop redirect like that.

   The main [or maybe only] reason to give everyone their own desktop would be so they can customise it. In which case FishCustard's Home drive solution is ideal.

10. Pt 2

    Why not redirect the desktop to the root of the home drive. And the my documents, my pictures, my music. Then wherever they go it's the same place.

    Sure you now have desktop full of "studentName" folders [which might be a GDPR issue], but it's a solution.

    Or map to a random network share without the "make a folder for each user" option and make it read only. Then they can't save to the desktop and it's the same wherever they log in. Just make sure admin has access, so someone can update icons if required.

11. Thanks to Rob_D from:

    Koldov[17th January 2020]

12. Rep Power12

    We redirect the desktop to a folder in their home drive. That way their desktop will follow them around and they can use it as they wish, and those that like a clean desktop can keep it that way. We haven't advertised to staff that they can use the desktop, so only those who discover it themselves or ask us will know. Also stops us getting any aggro when the powers that be decide they want to use the desktop wallpaper as a billboard

13. 2 Thanks to ComboSmith:

    FishCustard[17th January 2020], Koldov[17th January 2020]

14. I redirect the desktop to a single desktop folder on the server. Any shortcuts I put in there all pupils get instantly, the folder security on the server is set to be read only for all pupils. Only me and my techie can put stuff in there. It works great, as we generally have the same software/shortcuts on all pupil pc's, they cant save anything to the desktop ever, and I can put shortcut or a folder or even a document on there and it takes 2 seconds to apply over 500 pcs.

    I've got the same set up for teachers too, a dedicated teacher desktop folder shared with teacher shortcuts and useful links.

    Works great!

15. 3 Thanks to PotNoodleTech:

    Kelechi93[5th March 2020], Koldov[17th January 2020], Rob_D[17th January 2020]

16. Sorry, a bit new to the folder redirection thing, so maybe my OP was a little vague or a little too verbose.

    I have been trying to stop the children saving to the desktop, I've locked down as many GPOs as I can find but still cannot stop them doing it [only certain programs do it, they can't do it just through explorer or anything].

    Originally Posted by AButters

    I redirect the desktop to a single desktop folder on the server. Any shortcuts I put in there all pupils get instantly, the folder security on the server is set to be read only for all pupils. Only me and my techie can put stuff in there. It works great, as we generally have the same software/shortcuts on all pupil pc's, they cant save anything to the desktop ever, and I can put shortcut or a folder or even a document on there and it takes 2 seconds to apply over 500 pcs.

    I've got the same set up for teachers too, a dedicated teacher desktop folder shared with teacher shortcuts and useful links.

    Works great!

    Yes, this is what I'm looking for - just need a simple 'how to' really [what with permissions and all] after reading that if you don't tick the box for 'Grant exclusive rights' the folder redirection will not work - maybe I was getting confused as putting them in the home drive made them the owner of the folder... I doubt I would get away with locking down teacher desktops though...

    Originally Posted by ComboSmith

    We redirect the desktop to a folder in their home drive. That way their desktop will follow them around and they can use it as they wish, and those that like a clean desktop can keep it that way. We haven't advertised to staff that they can use the desktop, so only those who discover it themselves or ask us will know. Also stops us getting any aggro when the powers that be decide they want to use the desktop wallpaper as a billboard

    As we have early years to Junior school age students I wanted something simple [it will only confuse them finding folders in their home drive for Desktop, Documents, Pictures etc.] and that would just give them more options to save their work in the wrong place [they have a folder with their name in their home drive].

    Originally Posted by Rob_D

    Pt 2

    Why not redirect the desktop to the root of the home drive. And the my documents, my pictures, my music. Then wherever they go it's the same place.

    Sure you now have desktop full of "studentName" folders [which might be a GDPR issue], but it's a solution.

    Or map to a random network share without the "make a folder for each user" option and make it read only. Then they can't save to the desktop and it's the same wherever they log in. Just make sure admin has access, so someone can update icons if required.

    Yes, new share from scratch is probably the way to go [think I will just leave the home drive bit alone, so I don't have to worry about permissions being inherited or other conflicting GPOs], I just need to get my head around what to tick in the folder redirection GPO.

    No worries about student names, not sure if GDPR is that strict? Anyway, as in my OP they have 'class' logons.

    Originally Posted by FishCustard

    If you redirect the Desktop to a folder under the home drive, nothing saved there will go to the local profile, solving the "staying-on-the-machine" issue. It doesn't solve the "files belong in the students' individual folders" issue, but then again there's nothing stopping them from just saving in the root of the home drive either.

    It's a partial solution worth considering at least.

    I think I will go for a desktop folder share away from the home drives, I've got a load of GPOs keeping them away from all the other drives and at least if they save to the root of their home drive it is still there I guess. This was really just the last piece if the puzzle I hope, I thought I had locked down everything, but still kept finding random files on the desktop.

17. Well, predictably this didn't work for me....

    Untitled.jpg

    I kind of knew it wouldn't as it is a read-only folder!

    Anybody care to share the GPO and share settings to get this working?

18. Rep Power12

    Policy.jpg

    These are the settings we use, you would just need to change the share location to a location on a file server where the user groups have at least read access

19. Thanks to ComboSmith from:

    Koldov[20th January 2020]

20. Rep Power11

    This is what we use for our Student desktop redirection. Enter the UNC path where its located, make sure the users only have 'Read' permissions in the Share properties, and only 'Read' in the Security section too and all should be good.

    Annotation 2020-01-20 091847.jpg

21. Thanks to meakjoe from:

    Koldov[20th January 2020]

22. Originally Posted by ComboSmith

    Policy.jpg

    These are the settings we use, you would just need to change the share location to a location on a file server where the user groups have at least read access

    Originally Posted by meakjoe

    This is what we use for our Student desktop redirection. Enter the UNC path where its located, make sure the users only have 'Read' permissions in the Share properties, and only 'Read' in the Security section too and all should be good.

    Annotation 2020-01-20 091847.jpg

    Unfortunately I'm not redirecting the folders to their 'home drive' - it seems that only having 'read' permissions is stopping the user's log-on creating the folders.

23. Rep Power11

    We don't redirect to the Home Drive either, we have a dedicated folder which is then shared as read only and redirect to that. That way all students have the same desktop that they can't edit or save to. This is what you're trying to achieve isn't it?

Thread Information

Video liên quan