When working in IT you sometimes have to get creative to get the necessary results. For preventing users to Save to the Desktop there are two ways of doing it. The Manual way or the Automated way.
Using Group Policies there is no quick fix and getting Creative was the only way to get the necessary done. Bearing in mind that when I did this I went Full Control Freak and Prevented all Local Saving. This included Desktop, Documents, Pictures, Music, Downloads. All the Local Disk are hidden. The purpose of this is to force users to Save to either: Shared Folders, One Drive or Share Point. Which-Ever one is applicable.
Planning it all Out
While setting up the GPO I had various ideas. Like setting the Permission on the desktop directly via GPO. This did not work as the File System setting is under Computer Configuration and it does not apply to Users Files, Regardless of how specific you try and get with the Folder Path. Secondly, point the Desktop to the Public Desktop. Although this worked it creates duplicate Icons. Unlike the Public desktop users have rights to save in public documents so this also did not work.
The Process
- Create a Location where I can control the Permissions
- Set the Required Permission
- Use Folder Redirection to point the user’s files
If you create the Location on the Local Machine this will assist you with controlling Laptops easier aswell.
CC – Profile Lock Down – Folder Creation
The First step is creating the folder location. To create this open Group Policy Management, open Group Policy Object and Create a New Group Policy.
You can Name it according to your Naming Convention. As per the heading above, this policy will be CC for Computer Configuration. Profile Lock Down, the Purpose of the Policy. Folder Creation, the specific section it will be handling.
Edit the newly created Policy and browse to:
Computer Configuration > Preferences > Windows Settings > Folders
On the right side of the screen, right-click and choose New Folder.
The First Folder you Create is C:\ProfilePreference. After this, you can create any folder you intend to Redirect within this Folder, Example : C:\ProfilePreference\Desktop.
When done start rolling out to a Test OU, make sure the creations is successful and all folders are created.
CC – Profile Lock Down – Folder Permissions
The next step is assigning the correct permissions to the Folders. Even though Read-only is Ticked there is still User permissions assigned that allows editing. To Resolve this we need to assign and overwrite our own permissions. What is nice about this is when any user logins the permission are correct for Everyone.
Open Group Policy Object and Create a New Group Policy, Edit the newly created Policy and browse to:
Computer Configuration > Policies > Windows Settings > Security Settings > File System. On the Right-side, Right-Click and choose Add File…
Browse to the newly Created Folder: C:\ProfilePreference and Click OK.
This will open the well know Security Window. Remove all users and groups and assign the Following Three group. Administrators with Full Control. Authenticated Users with only Read Access and Lastly Domain Users with only Read Access.
Once the Permission is set and you click ok you will be presented with the Inheritance screen. To find out what each option means please Read Group Policy Grant Access to Folders. Select the Second option to Replace Permissions.
Once done again apply on the Test OU and make sure the permissions takes affect. If everything is successfull it is time to warn the users.
Advise them of the Block on Saving Locations. Where they will be able to save and that documents will disappear if they don’t move the files to the correct locations. Apply both these Policies to the OU’s you require and let it run for a few days. This is dependant on your Replication Process and users access to the Domain controller pushing the Policies. If you have a lot of Travelling users this might take a while longer to successfully apply to all Computers.
UC – Profile Lock Down – Folder Redirection
The final section to complete this is to set up Folder Redirect. If you have not guessed it yet we are redirecting all User Locations to the newly created Folders.
Desktop Icons
The one thing that you need to take note of is the Desktop Folder is Empty so no desktop icons will display. Only Icons on the Public Desktop (C:\Users\Public\Desktop) will show. This gives you the ability to prevent Desktop Icons from being deleted and make sure that all Users always has the same icons if you control this from a separate GPO. Just be careful to not go too overboard as some users will have custom programs\links they use.
Open Group Policy Object and Create a New Group Policy, Edit the newly created Policy and browse to:
User Configuration > Policies > Windows Settings > Folder Redirection. Below you will see each folder you can Redirect. Simply right-click anyone and choose Properties.
For Settings: Choose Basic – Redirect Everyone’s Folder to the Same Location.
The Target Folder Location on the dropdown choose – Redirects to the following Location and in the root paste the newly created Path.
On the Setting, Tab un-tick all Option and with Policy Removal choose: Leave the folder in the new location when policy is removed.
Test the Policy on a Test OU and if successful and the necessary results are achieved you can Roll out as per your Preferences.
i have successfully done all the steps and applied it perfectly.
However, when i try to save files it says
“you do not have permissions to save to c:profilepreference/*anyfolder*. do you want to save on your *userprofile*
Then it saving to that location and the user can save and store there as well.
Is there a way to eliminate the prompt?
Thanks
I have this currently running on a Windows 10 Pro environment with no prompts except for Admin Credentials when Trying to create a File\Folder.
Which Operating system are the users using?
Windows 10 Pro also.
When i tried downloading a file in the internet, the save location appears and when i choose the the downloads/documents folder it says ‘you do not have permissions to save C:/ProfilePreference/Downloads. Do you want to save it to C:/Users/%userprofile%/Downloads
I think it created 2 folders after the redirection.
What do you think I missed?
Thanks,Kim
Ok, I did some testing today and replicated exactly the same thing you are explaining. Interestingly enough this only happens from browsers (IE, Firefox, and Chrome). When doing the same thing from an office application it goes into a loop trying to save in the “My Documents”. I did not pick this up cause I set the default download location for the users when setting up the account. As for stopping the Pop-up, not a route I would take as you want to give them the option to save in a predefined location. I am still looking into this and will advise once I found a solution.
Thanks for your response! i appreciate this. i will wait for your response and i really want to learn from you!
hey is there any update on this, trying to figure out for my environment, please let me know. thankyou.