prevent users from saving to local profile

Tony

Distinguished
Aug 5, 2001
1,944
0
19,780
Archived from groups: microsoft.public.win2000.group_policy

I am using document, desktop, application, start menu redirection for all
users; however, the user can still navigate to
their own profile under the local machine

c:\Documents and Settings\Username and save stuff there.

What do I have to do to restrict them from writing to this profile?

I really don't want them to create any local profile on the local machine as
these are lab machines and I don't want them to be
cluttered with stuff.
 
Guest

"tony" wrote:
> I am using document, desktop, application, start menu
> redirection. for all
> users however the user can still navigate to
> their own profile under the local machine
>
> c:\Documents and Settings\Username and save stuff there.
>
> what do I have to do to restrict them from writing to this
> profile?
>
> I really dont want them to create any local profile on the
> local machine as
> these are lab machines and dont want them to be
> cluttered with stuff.

Hi,

First of all, Hide Drives in My Computer Group Policy will stop the
navigation. There is no way to prevent the profile downloading as the
OS is built that way. There are, however, ways to have the profile
deleted on logoff. It works "most" of the time so I also have a
startup script that cleans out everything in the C:\Documents and
Settings except the Default and All Users.

1> Group Policy done on COMPUTER OU (not at the Domain GP).
Computer Config - Windows Settings - Security Settings - Local Policies
- Security Options - "Interactive Logon: Number of previous logons to
cache" = 0

2> This setting can be done on Domain GP.
Computer Config - Admin Templates - System - User Profiles - "Delete
cached copies of roaming profiles" = Enabled.

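Batch file I use as a startup script on my Computers (In group policy)


<start script>

@echo off
rem Stop if the profile root is missing, so rmdir never runs in another directory.
pushd "C:\Documents and Settings" || exit /b 1

rem Directory names to keep; the asterisks delimit each name for the find below.
set Exempt=*Administrator* *All Users* *Default User* *LocalService* *NetworkService*
rem Remove every profile directory whose name is not in the exempt list.
for /d %%a in (*.*) do echo %Exempt% | find /i "*%%a*" > nul || rmdir /s /q "%%a"
popd

<end script>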

Cheers,

Lara

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Group-Policy-prevent-users-saving-local-profile-ftopict374438.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1216580
 

Tony


What kind of script format? .bat? I tried running it and it gives me "syntax is
incorrect".
 
Guest

"tony" wrote:
> what kind of script format? .bat? I tried running it and gives
> me syntax is
> incorrect

Hi,

Yes it is a batch file. It may be that the line returns you have are off.
The set Exempt is all one line. The next line starts with "for /d"
and continues with the rmdir (all on the one line). The last line is
popd. Total is 5 lines (not including spaces or blank lines).

<start script>

@echo off
pushd "C:\Documents and Settings" || exit /b 1

set Exempt=*Administrator* *All Users* *Default User* *LocalService* *NetworkService*
for /d %%a in (*.*) do echo %Exempt% | find /i "*%%a*" > nul || rmdir /s /q "%%a"
popd

<end script>
 
Guest

Be aware that "hiding" the drive letter does not "stop navigation", it
merely stops it displaying in Windows Explorer by default.

Anyone can still navigate anywhere on the "hidden" drive by:

1. Start, Run, key c:\ press Enter
2. open Windows Explorer, key c:\ in the Address bar; press Enter

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
 
Guest

>Anyone can still navigate anywhere on the "hidden" drive by:
>
>1. Start, Run, key c:\ press Enter
>2. open Windows Explorer, key c:\ in the Address bar; press Enter

Actually no. When you Hide Drives in My Computer and you put C:\ in
the address bar it says you are restricted from viewing C:\. Certain
apps may "open" a folder in drive C:\ but then if they navigate
away it disappears.

My users don’t have access to the run command with GP so that is easy
to do and I haven’t tested it there.

Cheers,
Lara
 
Guest

Well, Lara, please don't take offence, but my experience seems to be
different from yours or perhaps we are not talking about the same thing.

Using Loopback Processing, on our Windows 2003 Terminal Servers, we have
this setting via GPO for all users except Administrators (suppressed for
Administrators by Security Filtering):

User Configuration:
  Administrative Templates
    Windows Components
      Windows Explorer
        Hide these specified drives in My Computer: Enabled: Restrict A,
        B, C, D, E and F drives only (uses a custom ADM to get this set)

I've also used this on Windows XP workstations.

When a user (other than an Administrator) logs on and opens Windows
Explorer, none of these drives show inside My Computer - neither in the tree
view in the left pane, nor the right pane.

However, if such a user keys c:\ in the Windows Explorer Address Bar and
presses Enter, the C drive is added to the left pane and the contents show
in the right pane.

Now, if in Windows Explorer, Tools, Folder Options, View, there is no check
mark in "Display the contents of system folders", the user will get the
message "These files are hidden" in the right pane if the root of the C
drive or the c:\windows folder is selected. However, the user can still
view the contents of other folders to which they have been granted at least
List or Read permission. The "Display the contents of system folders"
setting can be changed by the user at any time.

There is another setting in the same GPO Administrative Templates Category
called "Prevent access to drives from My Computer" which may produce the
behaviour you describe (I haven't experimented with that setting).

--
Bruce Sanderson MVP

It's perfectly useless to know the right answer to the wrong question.
 
Guest

>Well, Lara, please don’t take offence, but my experience seems
>to be different from yours or perhaps we are not talking about the
>same thing. Using Loopback Processing, on our Windows 2003 Terminal
>Servers, we have this setting via GPO for all users except
>Administrators (suppressed for Administrators by Security Filtering).

Hi Bruce,

No offence of course. I am not sure why yours doesn’t seem to be
working properly. However, I use neither Terminal Services, Loopback
Processing (except for scripts) nor Security Filtering on my GPOs so
that may have something to do with it.

I have 2400 Users. On their Parent OU I have a Group Policy. I also
modified the system.adm for Hide these specified drives in My
Computer: Enabled: Restrict C, D, O and R drives only.

When any of my users logs on and puts in C:\ in My Computer, it says
"Access to the resource c:\ has been disallowed". I just did
it now to be sure. It also says it for D, O and R.

I don’t use the "restrict access" GP setting because it doesn’t
allow the programs to run.

I am running Windows 2000 SP3 and Windows XP SP2 workstations.

The only time the computer will show "C:" is if a Program defaults
to opening a folder on C:\ however, once they navigate away from the
folder it disappears.

Maybe it has something to do with Terminal Services. We haven’t ever
had a problem even back with Windows 2000 before the service packs.
My users try anything to access files/software they aren’t allowed to
so I have to be extra careful to test, test and test again.

Cheers,

Lara
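
Added example (not part of any post in this thread): the custom ADM entries both posters describe need a decimal value, because "Hide these specified drives in My Computer" is stored as the `NoDrives` registry value and "Prevent access to drives from My Computer" as `NoViewOnDrive`, each a bitmask with one bit per drive letter. This Python sketch computes and decodes that value for the two drive sets mentioned above; the function names are illustrative.

```python
"""Added example: drive-letter bitmask used by the Explorer drive policies."""
import string

# One bit per drive letter: A is bit 0, B is bit 1, ... Z is bit 25.
LETTERS = string.ascii_uppercase
ALL_DRIVES = (1 << 26) - 1  # every letter restricted


def drive_mask(letters):
    """Decimal value that restricts exactly the given letters ("C" or "C:")."""
    mask = 0
    for item in letters:
        letter = item.strip().rstrip(":").upper()
        if len(letter) != 1 or letter not in LETTERS:
            raise ValueError(f"not a drive letter: {item!r}")
        mask |= 1 << LETTERS.index(letter)
    return mask


def drives_in_mask(mask):
    """Decode a policy value back into the letters it restricts."""
    if not 0 <= mask <= ALL_DRIVES:
        raise ValueError(f"mask out of range: {mask}")
    return [LETTERS[i] for i in range(26) if (mask >> i) & 1]


def left_visible(mask, must_hide):
    """Audit helper: letters in must_hide that the deployed mask does not cover."""
    return drives_in_mask(drive_mask(must_hide) & ~mask)


if __name__ == "__main__":
    # The two drive sets described in the thread.
    for label, letters in (("A-F", "ABCDEF"), ("C, D, O, R", "CDOR")):
        value = drive_mask(letters)
        print(f"{label}: decimal {value} (0x{value:08X}) -> {drives_in_mask(value)}")
    # A machine that uses the A-F value but also has O: and R: mapped.
    print("not covered:", left_visible(drive_mask("ABCDEF"), "CDOR"))
```

Both values only change what the Explorer shell shows or opens for the user; the permissions on the folders themselves are unchanged.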

 
Guest

Hmm a mystery. When I get a chance, I'll do some more tests on the very
small domain I have at home to see if I can get to the bottom of this
difference in behaviour.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.