Group Policy Prevent Saving to Desktop

(Last Updated On: 2019-08-30)

When working in IT you sometimes have to get creative to get the necessary results. There are two ways to prevent users from saving to the Desktop: the manual way or the automated way.

With Group Policy there is no quick fix, and getting creative was the only way to get it done. Bear in mind that when I did this I went full control freak and prevented all local saving. This included Desktop, Documents, Pictures, Music and Downloads. All the local disks are hidden. The purpose of this is to force users to save to either shared folders, OneDrive or SharePoint, whichever one is applicable.

Planning it all Out

While setting up the GPO I had various ideas. The first was setting the permissions on the Desktop directly via GPO. This did not work, as the File System setting is under Computer Configuration and does not apply to users' files, regardless of how specific you try to get with the folder path. The second was pointing the Desktop to the Public Desktop. Although this worked, it creates duplicate icons. Unlike the Public Desktop, users have rights to save in Public Documents, so this also did not work.

The Process

  • Create a Location where I can control the Permissions
  • Set the Required Permission
  • Use Folder Redirection to point the user’s files

If you create the location on the local machine, this will also make it easier to control laptops.

CC – Profile Lock Down – Folder Creation

The first step is creating the folder location. To create this, open Group Policy Management, open Group Policy Objects and create a new Group Policy.

You can name it according to your naming convention. As per the heading above, this policy name breaks down as follows: CC for Computer Configuration; Profile Lock Down, the purpose of the policy; Folder Creation, the specific section it will be handling.

Edit the newly created Policy and browse to:
Computer Configuration > Preferences > Windows Settings > Folders
On the right side of the screen, right-click and choose New Folder.

The first folder you create is C:\ProfilePreference. After this, you can create any folder you intend to redirect within this folder, for example: C:\ProfilePreference\Desktop.

When done, start rolling out to a Test OU and make sure the creation is successful and all folders are created.

CC – Profile Lock Down – Folder Permissions

The next step is assigning the correct permissions to the folders. Even though Read-only is ticked, there are still user permissions assigned that allow editing. To resolve this we need to assign our own permissions and overwrite the existing ones. What is nice about this is that when any user logs in, the permissions are correct for everyone.

Open Group Policy Object and Create a New Group Policy, Edit the newly created Policy and browse to:
Computer Configuration > Policies > Windows Settings > Security Settings > File System. On the Right-side, Right-Click and choose Add File…

Browse to the newly created folder, C:\ProfilePreference, and click OK.
This will open the well-known Security window. Remove all users and groups and assign the following three groups: Administrators with Full Control, Authenticated Users with only Read access, and lastly Domain Users with only Read access.

Once the permissions are set and you click OK, you will be presented with the Inheritance screen. To find out what each option means, please read Group Policy Grant Access to Folders. Select the second option to replace permissions.

Once done, again apply to the Test OU and make sure the permissions take effect. If everything is successful, it is time to warn the users.
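A check you can run on a Test OU machine to confirm both computer policies landed, as an added example that is not part of the original post: it verifies the folders exist and reports any principal other than Administrators that still holds write-capable rights. The subfolder list is an assumption; adjust it to the folders you actually created.

```powershell
# Added verification example; not part of the original post.
$Root = 'C:\ProfilePreference'                       # path from the article
# Assumption: the subfolders you created under the root.
$SubFolders = 'Desktop', 'Documents', 'Pictures', 'Music', 'Downloads'

# Rights that allow creating, changing or deleting content, plus the
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits that can
# appear in inherit-only ACEs.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000
$AdminsSid = 'S-1-5-32-544'                          # BUILTIN\Administrators

function Test-LockdownFolder {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Detail = 'Folder not created yet' }
    }

    # Ask for SIDs so the check does not depend on name resolution.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    # The article leaves only Administrators with Full Control, so any
    # other Allow ACE carrying a write-capable right is reported.
    $writers = foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -eq $AdminsSid) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            '{0}: {1}' -f $ace.IdentityReference.Value, $ace.FileSystemRights
        }
    }

    if ($writers) {
        [pscustomobject]@{ Path = $Path; Status = 'Writable'; Detail = $writers -join '; ' }
    } else {
        [pscustomobject]@{ Path = $Path; Status = 'Locked'; Detail = 'Only Administrators can write' }
    }
}

$targets = @($Root) + ($SubFolders | ForEach-Object { Join-Path $Root $_ })
$targets | ForEach-Object { Test-LockdownFolder -Path $_ } | Format-Table -AutoSize -Wrap
```

Every row should read Locked before you move on to Folder Redirection; a Writable row lists the SIDs whose access still needs to be replaced.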

Advise them of the block on saving locations, where they will be able to save, and that documents will disappear if they don’t move the files to the correct locations. Apply both these policies to the OUs you require and let them run for a few days. This is dependent on your replication process and on users' access to the domain controller pushing the policies. If you have a lot of travelling users, this might take a while longer to successfully apply to all computers.

UC – Profile Lock Down – Folder Redirection

The final section to complete this is to set up Folder Redirection. If you have not guessed it yet, we are redirecting all user locations to the newly created folders.

Desktop Icons

The one thing that you need to take note of is that the Desktop folder is empty, so no desktop icons will display. Only icons on the Public Desktop (C:\Users\Public\Desktop) will show. This gives you the ability to prevent desktop icons from being deleted and to make sure that all users always have the same icons, if you control this from a separate GPO. Just be careful not to go too overboard, as some users will have custom programs or links they use.

Open Group Policy Object and Create a New Group Policy, Edit the newly created Policy and browse to:

User Configuration > Policies > Windows Settings > Folder Redirection. Below this you will see each folder you can redirect. Simply right-click any one of them and choose Properties.

For Setting, choose Basic – Redirect everyone’s folder to the same location.
For Target folder location, choose Redirect to the following location from the dropdown, and in the Root Path paste the newly created path.

On the Settings tab, un-tick all options, and for Policy Removal choose: Leave the folder in the new location when policy is removed.

Test the policy on a Test OU, and if it is successful and the necessary results are achieved, you can roll out as per your preferences.
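To confirm the redirection from the user's side, the following added example (not part of the original post) can be run in the session of a standard test user: it reads where Windows currently points each known folder and attempts a harmless probe write in every redirected location. The folder set mirrors the ones named in this post; the probe file name is arbitrary.

```powershell
# Added verification example; not part of the original post.
$Root = 'C:\ProfilePreference'                       # path from the article
$ShellKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
# Registry value names Windows uses for each known folder.
$Folders = [ordered]@{
    Desktop   = 'Desktop'
    Documents = 'Personal'
    Pictures  = 'My Pictures'
    Music     = 'My Music'
    Downloads = '{374DE290-123F-4565-9164-39C4925E467B}'
}

function Test-UserWrite {
    param([string]$Folder)
    # Try to create a uniquely named probe file; clean up if it succeeds.
    $probe = Join-Path $Folder ("probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-RedirectionState {
    $values = Get-ItemProperty -LiteralPath $ShellKey
    foreach ($name in $Folders.Keys) {
        $path = $values.($Folders[$name])
        # Redirected means the folder now lives under the locked-down root.
        $redirected = [bool]$path -and
            $path.StartsWith("$Root\", [StringComparison]::OrdinalIgnoreCase)
        [pscustomobject]@{
            Folder      = $name
            Path        = $path
            Redirected  = $redirected
            UserCanSave = if ($redirected) { Test-UserWrite -Folder $path } else { $null }
        }
    }
}

Get-RedirectionState | Format-Table -AutoSize
```

The expected result for a locked-down user is Redirected = True and UserCanSave = False on every row; an empty UserCanSave means the folder has not been redirected yet.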
