We have all had problems with users saving files where we don’t want them, such as on the desktop of a laptop or in the local My Documents folder. Today, I found the solution!

I have created a script. Save it as a .BAT file:

rem Skip the Administrator account (case-insensitive match)
if /I "%username%"=="administrator" goto END

rem Deny write data (WD), append data (AD) and delete child (DC) on each profile folder
Icacls "c:\Users\%username%\Desktop" /deny %username%:(WD,AD,DC)
Icacls "c:\Users\%username%\Downloads" /deny %username%:(WD,AD,DC)
Icacls "c:\Users\%username%\music" /deny %username%:(WD,AD,DC)
Icacls "c:\Users\%username%\Pictures" /deny %username%:(WD,AD,DC)
Icacls "c:\Users\%username%\Videos" /deny %username%:(WD,AD,DC)
Icacls "c:\Users\%username%\Documents" /deny %username%:(WD,AD,DC)

Echo Security applied

Exit

:END

Then save the script into the NETLOGON folder on your DC.
Create a GPO that contains just this script (or other settings needed), then apply it to an OU. For safety, make sure that it doesn’t apply to Domain Administrators.

Now your users will be unable to save files to their desktop, documents, pictures, etc. Meaning when these laptops get stolen, no data goes with them 🙂
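To confirm the script took effect, a check like the following can be run in the user's session. This is an added PowerShell example, not part of the original script; the function name Get-DenyAceStatus is hypothetical, and the folder list and C:\Users layout are taken from the script above.

```powershell
# Added example: audit the deny ACEs that the logon script is expected to set.
# Folder list and C:\Users\<name> layout are taken from the post's script.
$folders  = 'Desktop', 'Downloads', 'Music', 'Pictures', 'Videos', 'Documents'

# icacls (WD,AD,DC) expressed as .NET FileSystemRights flags.
$required = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, DeleteSubdirectoriesAndFiles'

function Get-DenyAceStatus {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $Sid
    )
    $result = [pscustomobject]@{ Path = $Path; Status = 'NotDenied'; Inheritance = $null }
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        $result.Status = 'Missing'          # folder absent or redirected elsewhere
        return $result
    }
    # Explicit ACEs only, with identities returned as SIDs so the comparison
    # does not depend on how the account name is displayed.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $isDeny = $rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny
        $isUser = $rule.IdentityReference.Value -eq $Sid.Value
        $hasAll = ($rule.FileSystemRights -band $required) -eq $required
        if ($isDeny -and $isUser -and $hasAll) {
            $result.Status      = 'Denied'
            # 'None' means the ACE covers the folder itself only, which is what
            # the post's icacls lines produce (no (OI)/(CI) flags are given).
            $result.Inheritance = $rule.InheritanceFlags
            break
        }
    }
    return $result
}

# Check every folder for the account running this session.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$report = foreach ($name in $folders) {
    Get-DenyAceStatus -Path (Join-Path "C:\Users\$env:USERNAME" $name) -Sid $sid
}
$report | Format-Table -AutoSize
```

A Status of NotDenied or Missing on any row means the deny entry is not in place for that folder, for example because the logon script did not run or the folder is redirected.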