locking down the desktop using windows server 2003?

ColdAsIce

ColdAsIce

ColdAsIce

Soldato
Joined
26 May 2006
Posts
6,207
Location
Edinburgh
Basicallly looking for some help from all you IT Techs out there.

Working in a school at the moment and I cant see any options in windows server 2003 for a policy to lock the desktop down. So that they cant delete icons from the desktop or from start > programs etc. Currently removed access to the control panel, run command, cmd prompt and hidden the C: Drive but as I said they can still simply delete icons.

Any advice on how to solve this problem ?

Many thanks
 
Depends how the PCs are setup but the desktop icons and start menu icons will be formed from a combination of the All Users profile and the users profile. So denying permissions on All Users should stop them from being able to delete common icons. If you then also place all the required desktop icons in the All Users profile in the Desktop folder and have the same perms applied they won;t be able to remove desktop icons but they will be able to add new icons which only that user will have.

Also have a look a mandatory profiles, used these within NT4 and XP before to force effectively a default of the profile each time a user logs in but no settings changes are saved in this mode.
 
Yea, Mandatory might be easiest, but like mentioned above, it does not save changes to things like the desktop. So will the people be needing to save work etc?

*Edit* Or just make sure, on the security tab on each icon, that only read and execute is set to allow.. I think this "might" prevent users from being to modify, delete etc.
 
Last edited:
The best solution to this is to use folder redirection in a group policy.

You can redirect everyones desktop to a folder (or different folders for different groups) in which you can put the icons they need and lock that down with ntfs permissions to prevent modify and write (delete or add icons)

You can also setup a start menu in the same way with the shortcuts they need and locked down the same way.

I have set this up at a college and it works a treat and means that you don't have to bother with mandatory profiles which are a pain in the harris
 
Ole Ftang said:
The best solution to this is to use folder redirection in a group policy.

You can redirect everyones desktop to a folder (or different folders for different groups) in which you can put the icons they need and lock that down with ntfs permissions to prevent modify and write (delete or add icons)

You can also setup a start menu in the same way with the shortcuts they need and locked down the same way.

I have set this up at a college and it works a treat and means that you don't have to bother with mandatory profiles which are a pain in the harris
Click to expand...

Thats not a bad idea. maybe i should try that where I work, seems a lot better than mandatory profiles.
 
Guys I am having no luck with this at all.

Going to write down what I am doing step by step and hopefully someone can direct me in what I am doing wrong.

Sooo I go into the Group Policy Management. I then edit the "students" gpo.

I go into user configuration > windows settings > folder redirection > desktop (right click | properties)

I then select (Basic - Redirect everyones folder to the same location)

Target folder location = Redirect to the following location

in root path I type the following location: \\ic-apps1\share

This is the location to the server that contains 5 shortcut icons being word, excel, access etc.

When I now login as a student none of those icons appear on the desktop :/ HELP :D
 
The policy might not have been applied straight away.

to force a policy refresh straight away do the following.

start > run > type cmd > press enter > gpupdate /force > press enter

Then re-log in using the student log in.
 
ColdAsIce said:
Guys I am having no luck with this at all.

Going to write down what I am doing step by step and hopefully someone can direct me in what I am doing wrong.

Sooo I go into the Group Policy Management. I then edit the "students" gpo.

I go into user configuration > windows settings > folder redirection > desktop (right click | properties)

I then select (Basic - Redirect everyones folder to the same location)

Target folder location = Redirect to the following location

in root path I type the following location: \\ic-apps1\share

This is the location to the server that contains 5 shortcut icons being word, excel, access etc.

When I now login as a student none of those icons appear on the desktop :/ HELP :D
Click to expand...

Can you navigate to that share whilst logged in as a pupil? either the permissions on it are too restrictive or the path is wrong somehow!
 
What Organisational Unit is the GPO linked to?

Is the student you are logging on as in that OU?

In the Group Policy Management Console there is an option to test a GPO on a specific user, group or OU. Use that to see what will apply to the user you are logging on as. I have forgotten the name of the option but it is at the bottom of the left hand window.

There is also the Resultant Set of Policy command line tool which can help.
 
You must log in or register to reply here.
Back
Top Bottom