Windows 10 Thread, Stop users saving to desktop [folder redirect - read only]. in Technical; So near and yet so far... I have given up trying to find a simple way of stopping the users ...
So near and yet so far...
I have given up trying to find a simple way of stopping the users saving files on the desktop and so I have started looking at folder redirection.
I have it up and running on a test user in a test OU using the following settings:
Created a Security Group with a test user in.
GPO configured:
Scope - Security Filtering [the security group I created as it failed without this - a lot of info out there doesn't mention this].
Delegation - Authenticated users, Admins, System and the security group I created.User Configuration > Policies > Windows Settings > Folder Redirection
Desktop - Basic - Redirect everyone's folder to the same location
Target Folder Location - Create a folder for each user under the root path
Root Path - \\SERVER\HOMESHARE$\Settings - Move the contents... [I have not ticked the 'Grant exclusive rights' as I read it causes issues with permissions]...
Policy Removal - Redirect the folder back [this doesn't seem to remove the folders in the share though]...Although that part of it works well, I am unsure what steps I need to do now to make it read-only...
The only thing is, I have used their home folder to redirect to and due to that fact, the Desktop folder shows the 'user' as the 'owner'.
Can I now make the folder read-only for the owner?
Because I have also read that if the user is not the owner of the share, you must tick 'grant exclusive rights' or the redirection will fail...
Should I just create a seperate share for the folder redirection or try to change the properties of the folders inside the Home folders?
I'm not wholly sure what you're trying to do here.
As far as I can see, you want to give each user their own desktop that they can't change?Why not just give everyone the same desktop [or have a couple of different ones based on job roles]? For example here we have:
Teachers > \\server\redirect$\desktop\Teaching_Staff
pupils > \\server\redirect$\desktop\Studentand so on with about 5 different desktops for finance, admin and so on.
If you want them each to have their own desktop folder then I'd go for a new share rather than messing with the home folders [I've really screwed up home folders by futzing with the permissions before].
2 Thanks to Rob_D:
Koldov[16th January 2020], mhaddock[17th September 2020]
Why not just redirect the user's desktop to a folder in their home drive and leave it at that? Stops issues with profile growth and replication and is super easy to implement.
With that, there's no reason to stop users saving files on the desktop as they just end up in the home drive anyway!
4 Thanks to FishCustard:
eddyc[17th January 2020], hallb15[4th February 2020], Koldov[16th January 2020], Rob_D[16th January 2020]
- This is just for students, but that's about the size of it. I thought folder redirection for the desktop folder and making it read-only was how you did it... No?Originally Posted by Rob_D
As far as I can see, you want to give each user their own desktop that they can't change?
The thing is that as we are a very small school with Early Years students and they all have a shared 'class' log on. This obviously means that they have a shared class home drive [but they have have their own folders within that]. They have a local profile on the machine, so if they save to the desktop [or documents folders] that stays on the machine [half the time they don't even know where they have saved their stuff]. It may work but I just see it as complicating matters if they have a 'Desktop' folder in there too.Originally Posted by FishCustardWhy not just redirect the user's desktop to a folder in their home drive and leave it at that?!
- If you redirect the Desktop to a folder under the home drive, nothing saved there will go to the local profile, solving the "staying-on-the-machine" issue. It doesn't solve the "files belong in the students' individual folders" issue, but then again there's nothing stopping them from just saving in the root of the home drive either.Originally Posted by Koldov
The thing is that as we are a very small school with Early Years students and they all have a shared 'class' log on. This obviously means that they have a shared class home drive [but they have have their own folders within that]. They have a local profile on the machine, so if they save to the desktop [or documents folders] that stays on the machine [half the time they don't even know where they have saved their stuff]. It may work but I just see it as complicating matters if they have a 'Desktop' folder in there too.
It's a partial solution worth considering at least.
Thanks to FishCustard from:
Koldov[17th January 2020]
If they can't change it, then why do they need on each?
I mean I've go everyone [or everyone in a specific group] redirected to the same [read only] folder so I can control the desktop icons centrally. Which IMO is the main reason for doing desktop redirect like that.
The main [or maybe only] reason to give everyone their own desktop would be so they can customise it. In which case FishCustard's Home drive solution is ideal.
Pt 2
Why not redirect the desktop to the root of the home drive. And the my documents, my pictures, my music. Then wherever they go it's the same place.
Sure you now have desktop full of "studentName" folders [which might be a GDPR issue], but it's a solution.
Or map to a random network share without the "make a folder for each user" option and make it read only. Then they can't save to the desktop and it's the same wherever they log in. Just make sure admin has access, so someone can update icons if required.
Thanks to Rob_D from:
Koldov[17th January 2020]
- Rep Power12
We redirect the desktop to a folder in their home drive. That way their desktop will follow them around and they can use it as they wish, and those that like a clean desktop can keep it that way. We haven't advertised to staff that they can use the desktop, so only those who discover it themselves or ask us will know. Also stops us getting any aggro when the powers that be decide they want to use the desktop wallpaper as a billboard
2 Thanks to ComboSmith:
FishCustard[17th January 2020], Koldov[17th January 2020]
I redirect the desktop to a single desktop folder on the server. Any shortcuts I put in there all pupils get instantly, the folder security on the server is set to be read only for all pupils. Only me and my techie can put stuff in there. It works great, as we generally have the same software/shortcuts on all pupil pc's, they cant save anything to the desktop ever, and I can put shortcut or a folder or even a document on there and it takes 2 seconds to apply over 500 pcs.
I've got the same set up for teachers too, a dedicated teacher desktop folder shared with teacher shortcuts and useful links.
Works great!
3 Thanks to PotNoodleTech:
Kelechi93[5th March 2020], Koldov[17th January 2020], Rob_D[17th January 2020]
Sorry, a bit new to the folder redirection thing, so maybe my OP was a little vague or a little too verbose.
I have been trying to stop the children saving to the desktop, I've locked down as many GPOs as I can find but still cannot stop them doing it [only certain programs do it, they can't do it just through explorer or anything].
Yes, this is what I'm looking for - just need a simple 'how to' really [what with permissions and all] after reading that if you don't tick the box for 'Grant exclusive rights' the folder redirection will not work - maybe I was getting confused as putting them in the home drive made them the owner of the folder... I doubt I would get away with locking down teacher desktops though...Originally Posted by AButtersI redirect the desktop to a single desktop folder on the server. Any shortcuts I put in there all pupils get instantly, the folder security on the server is set to be read only for all pupils. Only me and my techie can put stuff in there. It works great, as we generally have the same software/shortcuts on all pupil pc's, they cant save anything to the desktop ever, and I can put shortcut or a folder or even a document on there and it takes 2 seconds to apply over 500 pcs.
I've got the same set up for teachers too, a dedicated teacher desktop folder shared with teacher shortcuts and useful links.
Works great!
As we have early years to Junior school age students I wanted something simple [it will only confuse them finding folders in their home drive for Desktop, Documents, Pictures etc.] and that would just give them more options to save their work in the wrong place [they have a folder with their name in their home drive].Originally Posted by ComboSmithWe redirect the desktop to a folder in their home drive. That way their desktop will follow them around and they can use it as they wish, and those that like a clean desktop can keep it that way. We haven't advertised to staff that they can use the desktop, so only those who discover it themselves or ask us will know. Also stops us getting any aggro when the powers that be decide they want to use the desktop wallpaper as a billboard
Yes, new share from scratch is probably the way to go [think I will just leave the home drive bit alone, so I don't have to worry about permissions being inherited or other conflicting GPOs], I just need to get my head around what to tick in the folder redirection GPO.Originally Posted by Rob_DPt 2
Why not redirect the desktop to the root of the home drive. And the my documents, my pictures, my music. Then wherever they go it's the same place.
Sure you now have desktop full of "studentName" folders [which might be a GDPR issue], but it's a solution.
Or map to a random network share without the "make a folder for each user" option and make it read only. Then they can't save to the desktop and it's the same wherever they log in. Just make sure admin has access, so someone can update icons if required.
No worries about student names, not sure if GDPR is that strict? Anyway, as in my OP they have 'class' logons.
I think I will go for a desktop folder share away from the home drives, I've got a load of GPOs keeping them away from all the other drives and at least if they save to the root of their home drive it is still there I guess. This was really just the last piece if the puzzle I hope, I thought I had locked down everything, but still kept finding random files on the desktop.Originally Posted by FishCustardIf you redirect the Desktop to a folder under the home drive, nothing saved there will go to the local profile, solving the "staying-on-the-machine" issue. It doesn't solve the "files belong in the students' individual folders" issue, but then again there's nothing stopping them from just saving in the root of the home drive either.
It's a partial solution worth considering at least.
Well, predictably this didn't work for me....
Untitled.jpg
I kind of knew it wouldn't as it is a read-only folder!
Anybody care to share the GPO and share settings to get this working?
- Rep Power12
Policy.jpg
These are the settings we use, you would just need to change the share location to a location on a file server where the user groups have at least read access
Thanks to ComboSmith from:
Koldov[20th January 2020]
- Rep Power11
This is what we use for our Student desktop redirection. Enter the UNC path where its located, make sure the users only have 'Read' permissions in the Share properties, and only 'Read' in the Security section too and all should be good.
Annotation 2020-01-20 091847.jpg
Thanks to meakjoe from:
Koldov[20th January 2020]
- Originally Posted by ComboSmithPolicy.jpg
These are the settings we use, you would just need to change the share location to a location on a file server where the user groups have at least read access
Unfortunately I'm not redirecting the folders to their 'home drive' - it seems that only having 'read' permissions is stopping the user's log-on creating the folders.Originally Posted by meakjoeThis is what we use for our Student desktop redirection. Enter the UNC path where its located, make sure the users only have 'Read' permissions in the Share properties, and only 'Read' in the Security section too and all should be good.Annotation 2020-01-20 091847.jpg
- Rep Power11
We don't redirect to the Home Drive either, we have a dedicated folder which is then shared as read only and redirect to that. That way all students have the same desktop that they can't edit or save to. This is what you're trying to achieve isn't it?
Thread Information
There are currently 1 users browsing this thread. [0 members and 1 guests]
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
Forum Rules