Restrict user from saving on their Desktop, My Documents, My Music, My Videos, My Pictures etc. via GPO
It's very easy if you are using Windows Server 2008.
- Create a Group Policy Object, go to Computer Configuration > Policy > Windows Settings > Security Settings > File System
- Right click and add %userprofile%\Desktop ... etc. for the different folders that you want to restrict access to.
- Specify the rights for the specified folder(s) for users or user groups.
This is possible with a logon script, but it's a bit tricky, and would require testing to ensure that it works correctly for the target environment. It makes assumptions about the ACE entries in the ACL (system, Administrators, and the user), and that the user is the owner (they typically are). It isn't bullet-proof security, but it can help minimize the casual "save a 2 GB iso file to the roaming profile desktop folder" scenario.
In broad strokes, when a user logs on, at the end of the last logon script, ACL their Desktop and other locations so that they have Read and Execute permission.
In the logOFF script, revert the permissions back to normal.
At the start of the logON script, there should also be a check to reset the permissions to normal in the event that the logoff script failed.
There are a variety of ACL tools to use: icacls, fileacl, setacl.
Determining the correct path can be performed using the following PowerShell syntax:
[Environment]::GetFolderPath("DesktopDirectory")
That should be used to ensure that the operation is performed on the redirected location, and not the local location.
To obtain a list of all the Environment Special Folder locations:
[Environment+SpecialFolder]::GetNames([Environment+SpecialFolder])
That typically returns:
Desktop
Programs
Personal
MyDocuments
Favorites
Startup
Recent
SendTo
StartMenu
MyMusic
DesktopDirectory
MyComputer
Templates
ApplicationData
LocalApplicationData
InternetCache
Cookies
History
CommonApplicationData
System
ProgramFiles
MyPictures
CommonProgramFiles
Note that there are both Desktop and DesktopDirectory special folders.
Here is a sample PowerShell command to use FileAcl to set the Desktop folder to Read and Execute for a user:
# DOMAIN\user of the account running the logon script
$user = [System.Environment]::ExpandEnvironmentVariables("%USERDOMAIN%\%USERNAME%")
# Path to FileAcl.exe (no trailing space, or the call operator cannot find it)
$exe = "C:\util\FileAcl\FileAcl.exe"
# Use the special-folder API so a redirected Desktop is targeted, not the local one
$arg1 = [System.Environment]::GetFolderPath("DesktopDirectory")
$arg2 = "/S"
$arg3 = "`"NT AUTHORITY\SYSTEM`":F"
$arg4 = "/S"
$arg5 = "`"" + $user + "`"" + ":RX"          # user gets Read and Execute only
$arg6 = "/S"
$arg7 = "`"BUILTIN\Administrators`":F"
$arg8 = "/REPLACE"                            # replace the existing ACL
$arg9 = "/PROTECT"                            # stop inheriting from the parent
$allArgs = @($arg1, $arg2, $arg3, $arg4, $arg5, $arg6, $arg7, $arg8, $arg9)
&$exe $allArgs
To set the folder to Modify permission for the user, arg5 would be:
$arg5 = "`"" + $user + "`"" + ":RWXD"
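The logon/logoff procedure described in this answer, written as an added example that is not the answer's own script and does not use FileAcl: it rebuilds the folder DACL with the built-in Get-Acl/Set-Acl cmdlets and .NET FileSystemAccessRule objects. The script name Set-DesktopLock.ps1, the function names and the Lock/Unlock/Show modes are my own choices; it assumes an NTFS folder owned by the user and that it runs in the user's own logon or logoff script context.

```powershell
<#
Added example (not the original answer's code). Lock the user's Desktop to
Read & Execute at the end of the logon script, restore normal (inherited)
permissions at logoff and again at the start of logon in case logoff failed.
Assumptions: NTFS folder, the user owns it, SYSTEM and BUILTIN\Administrators
keep Full Control. Usage (hypothetical file name):
  .\Set-DesktopLock.ps1 -Mode Unlock   # start of logon script (reset)
  .\Set-DesktopLock.ps1 -Mode Lock     # end of logon script
  .\Set-DesktopLock.ps1 -Mode Unlock   # logoff script
  .\Set-DesktopLock.ps1 -Mode Show     # print the explicit ACEs
#>
param(
    [ValidateSet('Lock', 'Unlock', 'Show')]
    [string]$Mode = 'Show',
    # Special-folder API: follows Folder Redirection instead of %USERPROFILE%\Desktop
    [string]$Path = [Environment]::GetFolderPath('DesktopDirectory')
)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$user      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # DOMAIN\user

function New-Rule {
    # Build one Allow ACE that applies to the folder, its subfolders and files.
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    [System.Security.AccessControl.FileSystemAccessRule]::new($Identity, $Rights, $inherit, $propagate, $allow)
}

function Remove-ExplicitRules {
    # Drop every explicit (non-inherited) ACE; inherited ones cannot be edited here anyway.
    param([System.Security.AccessControl.DirectorySecurity]$Acl)
    foreach ($existing in @($Acl.Access)) {
        if (-not $existing.IsInherited) { $Acl.PurgeAccessRules($existing.IdentityReference) }
    }
}

function Lock-Folder {
    # Equivalent of FileAcl /REPLACE /PROTECT: inheritance off, exactly three explicit ACEs.
    param([string]$Folder)
    $acl = Get-Acl -LiteralPath $Folder
    $acl.SetAccessRuleProtection($true, $false)   # protect, do not copy inherited ACEs
    Remove-ExplicitRules -Acl $acl
    $acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl'))
    $acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-Rule $user                    'ReadAndExecute'))   # "RX"
    Set-Acl -LiteralPath $Folder -AclObject $acl
}

function Unlock-Folder {
    # Back to normal: remove the explicit ACEs and let the parent's ACL inherit again.
    param([string]$Folder)
    $acl = Get-Acl -LiteralPath $Folder
    Remove-ExplicitRules -Acl $acl
    $acl.SetAccessRuleProtection($false, $true)   # re-enable inheritance
    Set-Acl -LiteralPath $Folder -AclObject $acl
}

switch ($Mode) {
    'Lock'   { Lock-Folder   -Folder $Path }
    'Unlock' { Unlock-Folder -Folder $Path }
    'Show'   {
        (Get-Acl -LiteralPath $Path).Access |
            Where-Object { -not $_.IsInherited } |
            Select-Object IdentityReference, FileSystemRights, InheritanceFlags |
            Format-Table -AutoSize
    }
}
```

Two points to check before deploying: the owner of a folder always has implicit READ_CONTROL and WRITE_DAC, so this is the same "not bullet-proof" control the answer describes (the user can change the DACL back), and Unlock restores inheritance rather than a saved copy of the old ACL, so any explicit ACEs that existed on the folder before Lock are not recreated.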
Here is a solution without the need to modify the permissions.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag
Value name: ThisPCPolicy
Type: REG_SZ
Data: Hide
This hides the Desktop from the Save As options.
This configuration can be deployed using a GPO.
Source:
http://www.sysadmit.com/2018/03/gpo-impedir-guardar-en-el-escritorio.html
For the rest of the folders it would be:
Documents:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag
Pictures:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag
Videos:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag
Downloads:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag
Music Folder:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag
Desktop Folder:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag
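The registry change from this answer applied to all of the folders it lists, as an added example that is neither the answer's nor sysadmit.com's code. The GUIDs and the ThisPCPolicy / REG_SZ / Hide values are the ones given above; the Audit/Hide/Show actions, the $folders table and its friendly-name labels are mine, and Show as the value that reverses Hide is my assumption from the default data Windows 10 ships in these keys.

```powershell
<#
Added example (not from the answer). Audits, sets or reverts the ThisPCPolicy
value for the known-folder GUIDs the answer lists. Writes to HKLM, so run it
elevated; for domain-wide deployment put the same values in a GPO Preferences
registry item or a computer startup script.
  .\Set-ThisPcPolicy.ps1                 # audit: print the current value per folder
  .\Set-ThisPcPolicy.ps1 -Action Hide    # hide the folders from the Save As dialog
  .\Set-ThisPcPolicy.ps1 -Action Show    # revert (assumed opposite of Hide)
#>
param(
    [ValidateSet('Audit', 'Hide', 'Show')]
    [string]$Action = 'Audit'
)

$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions'

# Known-folder GUIDs as listed in the answer; the friendly names are labels of mine.
$folders = @{
    'Desktop'   = '{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}'
    'Documents' = '{f42ee2d3-909f-4907-8871-4c22fc0bf756}'
    'Pictures'  = '{0ddd015d-b06c-45d5-8c4c-f59713854639}'
    'Videos'    = '{35286a68-3c57-41a1-bbb1-0eae73d76c95}'
    'Downloads' = '{7d83ee9b-2244-4e70-b1f5-5393042af1e4}'
    'Music'     = '{a0c69a99-21c8-4671-8703-7934162fcf1d}'
}

function Get-ThisPcPolicy {
    # Return the current REG_SZ data, or a marker when the key/value is absent.
    param([string]$Guid)
    $key = Join-Path $base "$Guid\PropertyBag"
    if (-not (Test-Path -LiteralPath $key)) { return '<key missing>' }
    $v = Get-ItemProperty -LiteralPath $key -Name ThisPCPolicy -ErrorAction SilentlyContinue
    if ($null -eq $v) { '<not set>' } else { $v.ThisPCPolicy }
}

function Set-ThisPcPolicy {
    # Create the PropertyBag key if needed and write ThisPCPolicy as REG_SZ.
    param([string]$Guid, [string]$Value)
    $key = Join-Path $base "$Guid\PropertyBag"
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -LiteralPath $key -Name ThisPCPolicy -PropertyType String -Value $Value -Force | Out-Null
}

foreach ($name in ($folders.Keys | Sort-Object)) {
    $guid = $folders[$name]
    if ($Action -ne 'Audit') { Set-ThisPcPolicy -Guid $guid -Value $Action }
    # One audit line per folder, before and after any change
    '{0,-10} {1}  ThisPCPolicy = {2}' -f $name, $guid, (Get-ThisPcPolicy -Guid $guid)
}
```

Keep in mind what this does and does not do: it removes the folders from the This PC view of the common file dialogs, but a user who types the path, or an application that does not use the common dialogs, can still write there, so it is a usability measure rather than an access control; the ACL approaches in the other answers are what actually deny writes. On 64-bit Windows, 32-bit applications read the equivalent key under SOFTWARE\Wow6432Node\..., which this script does not touch.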