We have all had problems with users saving files where we don’t want them, such as the desktop on a laptop or the local My Documents folder. Today, I found the solution!
I have created a script. Save it as a .BAT file:
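REM Skip the local administrator account (comparison is case-insensitive)
if /I "%username%"=="administrator" goto END
REM Deny the logged-on user WD (write data/add file), AD (append data/add subfolder)
REM and DC (delete child) on each profile folder
Icacls "c:\Users\%username%\Desktop" /deny "%username%:(WD,AD,DC)"
Icacls "c:\Users\%username%\Downloads" /deny "%username%:(WD,AD,DC)"
Icacls "c:\Users\%username%\music" /deny "%username%:(WD,AD,DC)"
Icacls "c:\Users\%username%\Pictures" /deny "%username%:(WD,AD,DC)"
Icacls "c:\Users\%username%\Videos" /deny "%username%:(WD,AD,DC)"
Icacls "c:\Users\%username%\Documents" /deny "%username%:(WD,AD,DC)"
Echo Security applied
Exit
:END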
Then save the script into the NETLOGON folder on your DC.
Create a GPO that just has this script (or other settings needed), then apply it to an OU. For safety, make sure that it doesn’t apply to Domain Administrators.
Now your users will be unable to save files to their desktop, documents, pictures, etc. This means that when these laptops get stolen, no data goes with them 🙂
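To confirm on a given machine that the GPO actually applied the script, the deny entries can be read back from each folder. The PowerShell below is an added example, not part of the original post; it assumes Windows PowerShell 3.0 or later, the same c:\Users\<username> paths and the same WD, AD, DC rights as the script above.

```powershell
# Added example: read back the deny entries that the logon script sets.
# Assumes the same C:\Users\<username> layout as the batch file.
$folders = 'Desktop', 'Downloads', 'Music', 'Pictures', 'Videos', 'Documents'

# icacls WD, AD, DC correspond to these FileSystemRights flags (2 + 4 + 64).
$needed = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, DeleteSubdirectoriesAndFiles'

# Match on the SID of the logged-on user rather than on the account name.
$mySid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

$report = foreach ($name in $folders) {
    $path = Join-Path "C:\Users\$env:USERNAME" $name
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        [pscustomobject]@{ Folder = $path; DenyInPlace = $false; Inherits = $null; Note = 'folder not found' }
        continue
    }

    $denied   = 0
    $inherits = $false
    $rules = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Deny' -and $ace.IdentityReference.Value -eq $mySid) {
            # Accumulate rights across all deny entries for this user.
            $denied = $denied -bor [int]$ace.FileSystemRights
            if ($ace.InheritanceFlags -ne 'None') { $inherits = $true }
        }
    }

    [pscustomobject]@{
        Folder      = $path
        DenyInPlace = (($denied -band $needed) -eq $needed)   # all three rights denied
        Inherits    = $inherits                               # entry also flows to child objects
        Note        = ''
    }
}

$report | Format-Table -AutoSize
# Non-zero exit code when any folder is unprotected, for use in a scheduled check.
if ($report | Where-Object { -not $_.DenyInPlace }) { exit 1 }
```

Inherits reads False for entries created by the icacls lines as posted: they carry no (OI)(CI) flags, so each deny entry applies to the listed folder itself and not to subfolders that already exist inside it.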
Hi,
I tried using your script but it was not working from GPO, but it was working if I run it manually.
So if you implemented it using user GPO, let me know if it was working on Windows 7 machines.
Prashant, I do have it working correctly from GPO on these machines. It's been a while since I looked at it, but it was working as expected when I last looked.