prevent users from saving to local profile

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I am using document, desktop, application, start menu redirection. for all
users however the user can still navigate to
their own profile under the local machine

c:\Documents and Settings\Username and save stuff there.

what do I have to do to restrict them from writing to this profile?

I really dont want them to create any local profile on the local machine as
these are lab machines and dont want them to be
cluttered with stuff.
8 answers Last reply
More about prevent users saving local profile
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    "tony" wrote:
    > I am using document, desktop, application, start menu
    > redirection. for all
    > users however the user can still navigate to
    > their own profile under the local machine
    >
    > c:Documents and SettingsUsername and save stuff there.
    >
    > what do I have to do to restrict them from writing to this
    > profile?
    >
    > I really dont want them to create any local profile on the
    > local machine as
    > these are lab machines and dont want them to be
    > cluttered with stuff.

    Hi,

    First of all, Hide Drives in My Computer Group Policy will stop the
    navigation. There is no way to prevent the profile downloading as the
    OS is built that way. There are, however, ways to have the profile
    deleted on logoff. It works "most" of the time so I also have a
    startup script that cleans out everything in the C:\Documents and
    Settings except the Default and All Users.

    1> Group Policy done on COMPUTER OU (not at the Domain GP).
    Computer Config- Windows Settings - Security Settings - Local Policies
    - Security Options - "Interactive Logon: Number of previous logons to
    cache = 0

    2> This setting can be done on Domain GP.
    Computer Config - Admin Templates - System - User Profiles - "Delete
    cached copies of roaming profiles" = Enabled.

    Batch file I use as a startup script on my Computers (In group policy)


    <start script>

    @echo off
    pushd "C:\Documents and Settings"

    set Exempt=*Administrator* *All Users* *Default User* *LocalService*
    *NetworkService*
    for /d %%a in (*.*) do echo %Exempt% | find /i "*%%a*" > nul ||
    rmdir /s /q "%%a"
    popd

    <end script>

    Cheers,

    Lara

    --
    Posted using the http://www.windowsforumz.com interface, at author's request
    Articles individually checked for conformance to usenet standards
    Topic URL: http://www.windowsforumz.com/Group-Policy-prevent-users-saving-local-profile-ftopict374438.html
    Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1216580
  2. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    what kind of script format? .bat? I tried running it and gives me syntax is
    incorrect
    "lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
    news:3_1216580_e2c7192f0a9a086f6b92a22d4454b081@windowsforumz.com...
    > "tony" wrote:
    > > I am using document, desktop, application, start menu
    > > redirection. for all
    > > users however the user can still navigate to
    > > their own profile under the local machine
    > >
    > > c:Documents and SettingsUsername and save stuff there.
    > >
    > > what do I have to do to restrict them from writing to this
    > > profile?
    > >
    > > I really dont want them to create any local profile on the
    > > local machine as
    > > these are lab machines and dont want them to be
    > > cluttered with stuff.
    >
    > Hi,
    >
    > First of all, Hide Drives in My Computer Group Policy will stop the
    > navigation. There is no way to prevent the profile downloading as the
    > OS is built that way. There are, however, ways to have the profile
    > deleted on logoff. It works "most" of the time so I also have a
    > startup script that cleans out everything in the C:\Documents and
    > Settings except the Default and All Users.
    >
    > 1> Group Policy done on COMPUTER OU (not at the Domain GP).
    > Computer Config- Windows Settings - Security Settings - Local Policies
    > - Security Options - "Interactive Logon: Number of previous logons to
    > cache = 0
    >
    > 2> This setting can be done on Domain GP.
    > Computer Config - Admin Templates - System - User Profiles - "Delete
    > cached copies of roaming profiles" = Enabled.
    >
    > Batch file I use as a startup script on my Computers (In group policy)
    >
    >
    > <start script>
    >
    > @echo off
    > pushd "C:\Documents and Settings"
    >
    > set Exempt=*Administrator* *All Users* *Default User* *LocalService*
    > *NetworkService*
    > for /d %%a in (*.*) do echo %Exempt% | find /i "*%%a*" > nul ||
    > rmdir /s /q "%%a"
    > popd
    >
    > <end script>
    >
    > Cheers,
    >
    > Lara
    >
    > --
    > Posted using the http://www.windowsforumz.com interface, at author's
    > request
    > Articles individually checked for conformance to usenet standards
    > Topic URL:
    > http://www.windowsforumz.com/Group-Policy-prevent-users-saving-local-profile-ftopict374438.html
    > Visit Topic URL to contact author (reg. req'd). Report abuse:
    > http://www.windowsforumz.com/eform.php?p=1216580
  3. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    "tony" wrote:
    > what kind of script format? .bat? I tried running it and gives
    > me syntax is
    > incorrect
    > "lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
    > news:3_1216580_e2c7192f0a9a086f6b92a22d4454b081@windowsforumz.com...
    > > "tony" wrote:
    >  > > I am using document, desktop, application, start
    > menu
    >  > > redirection. for all
    >  > > users however the user can still navigate to
    >  > > their own profile under the local machine
    >  > >
    >  > > c:Documents and SettingsUsername and save stuff
    > there.
    >  > >
    >  > > what do I have to do to restrict them from writing
    > to this
    >  > > profile?
    >  > >
    >  > > I really dont want them to create any local profile
    > on the
    >  > > local machine as
    >  > > these are lab machines and dont want them to be
    >  > > cluttered with stuff.
    > >
    > > Hi,
    > >
    > > First of all, Hide Drives in My Computer Group Policy will
    > stop the
    > > navigation. There is no way to prevent the profile
    > downloading as the
    > > OS is built that way. There are, however, ways to have the
    > profile
    > > deleted on logoff. It works "most" of the time so I also
    > have a
    > > startup script that cleans out everything in the
    > C:Documents and
    > > Settings except the Default and All Users.
    > >
    > > 1> Group Policy done on COMPUTER OU (not at the Domain
    > GP).
    > > Computer Config- Windows Settings - Security Settings -
    > Local Policies
    > > - Security Options - "Interactive Logon: Number of previous
    > logons to
    > > cache = 0
    > >
    > > 2> This setting can be done on Domain GP.
    > > Computer Config - Admin Templates - System - User Profiles -
    > "Delete
    > > cached copies of roaming profiles" = Enabled.
    > >
    > > Batch file I use as a startup script on my Computers (In
    > group policy)
    > >
    > >
    > > <start script>
    > >
    > > @echo off
    > > pushd "C:Documents and Settings"
    > >
    > > set Exempt=*Administrator* *All Users* *Default User*
    > *LocalService*
    > > *NetworkService*
    > > for /d %%a in (*.*) do echo %Exempt% | find /i "*%%a*" >
    > nul ||
    > > rmdir /s /q "%%a"
    > > popd
    > >
    > > <end script>
    > >
    > > Cheers,
    > >
    > > Lara
    > >
    > > --
    > > Posted using the http://www.windowsforumz.com interface, at author's
    > > request
    > > Articles individually checked for conformance to usenet
    > standards
    > > Topic URL:
    > > http://www.windowsforumz.com/Group-Policy-prevent-users-saving-local-profile-ftopict374438.html
    > > Visit Topic URL to contact author (reg. req'd). Report
    > abuse:
    > > http://www.windowsforumz.com/eform.php?p=1216580

    Hi,

    Yes it is a batch file. It may be that the line returns you are off.
    The set Exempt is all one line. The Next line starts with "for /d"
    and continues with the rmdir (all on the one line). The last line is
    popd. Total is 5 lines (not including spaces or blank lines).

    <start script>

    @echo off
    pushd "C:\Documents and Settings"

    set Exempt=*Administrator* *All Users* *Default User* *LocalService*
    *NetworkService*
    for /d %%a in (*.*) do echo %Exempt% | find /i "*%%a*" > nul ||
    rmdir /s /q "%%a"
    popd

    <end script>
  4. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Be aware that "hiding" the drive letter does not "stop navigation", it
    merely stops it displaying inWindows Explorer by default.

    Anyone can still navigate anywhere on the "hidden" drive by:

    1. Start, Run, key c:\ press Enter
    2. open Windows Explorer, key c:\ in the Address bar; press Enter

    --
    Bruce Sanderson MVP Printing
    http://members.shaw.ca/bsanders

    It is perfectly useless to know the right answer to the wrong question.


    "lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
    news:3_1216580_e2c7192f0a9a086f6b92a22d4454b081@windowsforumz.com...
    > "tony" wrote:
    > > I am using document, desktop, application, start menu
    > > redirection. for all
    > > users however the user can still navigate to
    > > their own profile under the local machine
    > >
    > > c:Documents and SettingsUsername and save stuff there.
    > >
    > > what do I have to do to restrict them from writing to this
    > > profile?
    > >
    > > I really dont want them to create any local profile on the
    > > local machine as
    > > these are lab machines and dont want them to be
    > > cluttered with stuff.
    >
    > Hi,
    >
    > First of all, Hide Drives in My Computer Group Policy will stop the
    > navigation. There is no way to prevent the profile downloading as the
    > OS is built that way. There are, however, ways to have the profile
    > deleted on logoff. It works "most" of the time so I also have a
    > startup script that cleans out everything in the C:\Documents and
    > Settings except the Default and All Users.
    >
    > 1> Group Policy done on COMPUTER OU (not at the Domain GP).
    > Computer Config- Windows Settings - Security Settings - Local Policies
    > - Security Options - "Interactive Logon: Number of previous logons to
    > cache = 0
    >
    > 2> This setting can be done on Domain GP.
    > Computer Config - Admin Templates - System - User Profiles - "Delete
    > cached copies of roaming profiles" = Enabled.
    >
    > Batch file I use as a startup script on my Computers (In group policy)
    >
    >
    > <start script>
    >
    > @echo off
    > pushd "C:\Documents and Settings"
    >
    > set Exempt=*Administrator* *All Users* *Default User* *LocalService*
    > *NetworkService*
    > for /d %%a in (*.*) do echo %Exempt% | find /i "*%%a*" > nul ||
    > rmdir /s /q "%%a"
    > popd
    >
    > <end script>
    >
    > Cheers,
    >
    > Lara
    >
    > --
    > Posted using the http://www.windowsforumz.com interface, at author's
    > request
    > Articles individually checked for conformance to usenet standards
    > Topic URL:
    > http://www.windowsforumz.com/Group-Policy-prevent-users-saving-local-profile-ftopict374438.html
    > Visit Topic URL to contact author (reg. req'd). Report abuse:
    > http://www.windowsforumz.com/eform.php?p=1216580
  5. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    >Anyone can still navigate anywhere on the "hidden" drive by:
    >
    >1. Start, Run, key c:\ press Enter
    >2. open Windows Explorer, key c:\ in the Address bar; press Enter

    Actually no. When you Hide Drives in My Computer and you put C:\ in
    the address bar it says you are restricted from viewing C:\ Certain
    apps may "open" a folder in drive C:\ but then if they navigate
    away it disappears.

    My users don’t have access to the run command with GP so that is easy
    to do and I haven’t tested it there.

    Cheers,
    Lara
  6. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Well, Lara, please don't take offence, but my experience seems to be
    different from yours or perhaps we are not talking about the same thing.

    Using Loopback Processing, on our Windows 2003 Terminal Servers, we have
    this setting via GPO for all users except Administrators (suppressed for
    Administrators by Security Filtering):

    User Configuration:
    Administrative Templates
    Windows Components
    Windows Explorer
    Hide these specified drives in My Computer: Enabled: Restrict A,
    B, C, D, E and F drives only (uses a custom ADM to get this set)

    I've also used this on Windows XP workstations.

    When a user (other than an Administrator) logs on and opens Windows
    Explorer, none of these drives show inside My Computer - neither in the tree
    view in the left pane, nor the right pane.

    However, if such a user keys c:\ in the Windows Explorer Address Bar and
    presses Enter, the C drive is added to the left pane and the contents show
    in the right pane.

    Now, if the Windows Explorer, Tools, Folder Options, View, there is no check
    mark in "Display the contents of system folders", the user will get the
    message "These files are hidden" in the right pane if the root of the C
    drive or the c:\windows folder is selected. However, the user can still
    view the contents of other folders to which they have been granted at least
    List or Read permission. The "Display the contents of system folders"
    setting can be change by the user at any time.

    There is another setting in the same GPO Administrative Templates Category
    called "Prevent access to drives from My Computer" which may produce the
    behaviour you describe (I haven't experimented with that setting).

    --
    Bruce Sanderson MVP

    It's perfectly useless to know the right answer to the wrong question.


    "lforbes" <DoNotEmail@WindowsForumz.com> wrote in message
    news:3_1223061_5f6544c43f0eeb4b7fde87c678d505ff@windowsforumz.com...
    > >Anyone can still navigate anywhere on the "hidden" drive by:
    >>
    >>1. Start, Run, key c:\ press Enter
    >>2. open Windows Explorer, key c:\ in the Address bar; press Enter
    >
    > Actually no. When you Hide Drives in My Computer and you put C:\ in
    > the address bar it says you are restricted from viewing C:\ Certain
    > apps may "open" a folder in drive C:\ but then if they navigate
    > away it disappears.
    >
    > My users don’t have access to the run command with GP so that is easy
    > to do and I haven’t tested it there.
    >
    > Cheers,
    > Lara
  7. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    >Well, Lara, please don’t take offence, but my experience seems
    >to be different from yours or perhaps we are not talking about the
    >same thing. Using Loopback Processing, on our Windows 2003 Terminal
    >Servers, we have this setting via GPO for all users except
    >Administrators (suppressed for Administrators by Security Filtering.

    Hi Bruce,

    No offence of course. I am not sure why yours doesn’t seem to be
    working properly. However, I use neither Terminal Services, Loopback
    Processing(except for scripts) nor Security Filtering on my GPO’s so
    that may have something to do with it.

    I have 2400 Users. On their Parent OU I have a Group Policy. I also
    modified the system.adm for Hide these specified drives in My
    Computer: Enabled: Restrict C, D, O and R drives only.

    When any of my users logs on and puts in C:\ in My Computer, it says
    ""Access to the resource c:\ has been disallowed"". I just did
    it now to be sure. It also says it for D, O and R.

    I don’t use the "restrict access" GP setting because it doesn’t
    allow the programs to run.

    I am running Windows 2000 SP3 and Windows XP SP2 workstations.

    The only time the computer will show "C:" is if a Program defaults
    to opening a folder on C:\ however, once they navigate away from the
    folder it disappears.

    Maybe it has something to do with Terminal Services. We haven’t ever
    had a problem even back with Windows 2000 before the service packs.
    My users try anything to access files/software they aren’t allowed to
    so I have to be extra careful to test test and test again.

    Cheers,

    Lara

    --
    Posted using the http://www.windowsforumz.com interface, at author's request
    Articles individually checked for conformance to usenet standards
    Topic URL: http://www.windowsforumz.com/Group-Policy-prevent-users-saving-local-profile-ftopict374438.html
    Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1227252
  8. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Hmm a mystery. When I get a chance, I'll do some more tests on the very
    small domain I have at home to see if I can get to the bottom of this
    difference in behaviour.

    --
    Bruce Sanderson MVP Printing
    http://members.shaw.ca/bsanders

    It is perfectly useless to know the right answer to the wrong question.


    "lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
    news:3_1227252_7c423c9fdb726a78605c386e62d777d9@windowsforumz.com...
    > >Well, Lara, please don't take offence, but my experience seems
    >>to be different from yours or perhaps we are not talking about the
    >>same thing. Using Loopback Processing, on our Windows 2003 Terminal
    >>Servers, we have this setting via GPO for all users except
    >>Administrators (suppressed for Administrators by Security Filtering.
    >
    > Hi Bruce,
    >
    > No offence of course. I am not sure why yours doesn't seem to be
    > working properly. However, I use neither Terminal Services, Loopback
    > Processing(except for scripts) nor Security Filtering on my GPO's so
    > that may have something to do with it.
    >
    > I have 2400 Users. On their Parent OU I have a Group Policy. I also
    > modified the system.adm for Hide these specified drives in My
    > Computer: Enabled: Restrict C, D, O and R drives only.
    >
    > When any of my users logs on and puts in C:\ in My Computer, it says
    > ""Access to the resource c:\ has been disallowed"". I just did
    > it now to be sure. It also says it for D, O and R.
    >
    > I don't use the "restrict access" GP setting because it doesn't
    > allow the programs to run.
    >
    > I am running Windows 2000 SP3 and Windows XP SP2 workstations.
    >
    > The only time the computer will show "C:" is if a Program defaults
    > to opening a folder on C:\ however, once they navigate away from the
    > folder it disappears.
    >
    > Maybe it has something to do with Terminal Services. We haven't ever
    > had a problem even back with Windows 2000 before the service packs.
    > My users try anything to access files/software they aren't allowed to
    > so I have to be extra careful to test test and test again.
    >
    > Cheers,
    >
    > Lara
    >
    > --
    > Posted using the http://www.windowsforumz.com interface, at author's
    > request
    > Articles individually checked for conformance to usenet standards
    > Topic URL:
    > http://www.windowsforumz.com/Group-Policy-prevent-users-saving-local-profile-ftopict374438.html
    > Visit Topic URL to contact author (reg. req'd). Report abuse:
    > http://www.windowsforumz.com/eform.php?p=1227252
Ask a new question

Read More

Windows