Disable saving any files in workstation.
-
@sreekumarpg said:
@scottalanmiller said:
DeepFreeze
Thanks for the quick reply , any options with windows and GPO, other than third party solutions.
It's possible using NTFS permissiosn with Group Policy.. In theory that is. In Practice it just won't work. Users need to be able to write to locations to use the computer even if they aren't "saving files"
-
Does this KB help?
-
Are you wanting them to save to a network file server? Why not just use folder redirection for Documents and the Desktop? (Please don't even try roaming profiles though, I just mean folder redirection).
-
And may be enable folder redirection, if they want to save something, goes straight to your network drive? https://4sysops.com/archives/folder-redirection-part-1-introduction/
-
@Ambarishrh said:
d may be enable folder redirection, if they want to save something, goes straight to your network drive?
Yes i checked that too, as redirect the folder to server and allow read only permission . but more storage space is required.
We already have a DFS in place for storing their files.
I think Mandatory profile will be a good option but how we can do through GPO, as we have more than 100 computers requirement
-
@sreekumarpg said:
Yes i checked that too, as redirect the folder to server and allow read only permissionWait so how do they save their work at all?
-
@sreekumarpg said:
I think Mandatory profile will be a good option but how we can do through GPO, as we have more than 100 computers requirement
a Mandatory profile is a roaming user profile and tends to cause more issues than it fixes.
-
-
@thecreativeone91 , They are saving their works on shared folder.
-
@sreekumarpg said:
@thecreativeone91 , They are saving their works on shared folder.
Does each user not have their own Network folder or is everyone saving to the same location? if each is unique (ex: \fs-01\users$%username%) you can redirect the desktop and documents location so they will be saving under their network folder. That would be the simplest way to stop people from saving locally. You can also enable Quota's in Windows File server management to prevent them from wasting space.
-
Thanks all for the valid answers..
I planned to redirect the Desktop and my documents to network folder and assign permission as readonly access, so that users cant save any files on desktops. Also Restrict access to c & D drives in my computer, so that they are not able to store files in drive.
Thanks !!
-
Test it and let us know how it goes please
-
@sreekumarpg said:
Thanks all for the valid answers..
I planned to redirect the Desktop and my documents to network folder and assign permission as readonly access, so that users cant save any files on desktops. Also Restrict access to c & D drives in my computer, so that they are not able to store files in drive.
Thanks !!
Wow, I've never heard anyone doing this before. I will be surprised if you don't have issues.
If the idea is to ensure that everyone always has access to everything (seems like an overly paranoid request) then you can grant full access (or at least read/write access) to the redirection folder on the server. When setting up the folder redirection in GPO make sure you don't check the box that gives only the user exclusive access.
-
DeepFreeze is a great solution in this case, or you can go to something like thin clients or VDI. That seems to be your two options at this point.
-
@Dashrender said:
@sreekumarpg said:
Thanks all for the valid answers..
I planned to redirect the Desktop and my documents to network folder and assign permission as readonly access, so that users cant save any files on desktops. Also Restrict access to c & D drives in my computer, so that they are not able to store files in drive.
Thanks !!
Wow, I've never heard anyone doing this before. I will be surprised if you don't have issues.
If the idea is to ensure that everyone always has access to everything (seems like an overly paranoid request) then you can grant full access (or at least read/write access) to the redirection folder on the server. When setting up the folder redirection in GPO make sure you don't check the box that gives only the user exclusive access.
This is going to cause a mountain of issues, I'm warning you. If the issue is that users are saving them on the local desktop and not on a NAS/network drive, use folder redirection, which is easy with GPO. If it's just users saving documents on the local machines period, you need to look at alternative approaches to how you handle your workstations.
-
@thanksaj said:
something like thin clients or VDI.
That would be the MOST expensive way to solve this problem.
-
@thecreativeone91 said:
@thanksaj said:
something like thin clients or VDI.
That would be the MOST expensive way to solve this problem.
Agreed. However, it seems to me that if, in his organization, that folder redirection won't do it and if by some chance he can't use DeepFreeze, what other choice does he have? The way he wants to approach it is going to cause all kinds of issues, IMO.
-
At a hospital I used to work for we had done something similar. We both hid and restricted access to the
drive in Explorer through Group Policy. The users' desktops, favorites and documents folders were all redirected to network locations.All that being said, it is a lot of work to make something like this functional. Lots of testing. Users still had to have access to create files in certain locations on the local drive, they just didn't know they were doing it and couldn't really do it intentionally.
The key takeaway here is to do lots and lots of testing. It took us quite a while to work out every little kink so that every user in every department with every different job role could do whatever they needed to without trouble and on any computer.
Edit: In case I forgot to mention it, you would have to test this a LOT! While you don't want the users to save information to the local drive, applications often do need to and you'll want to ensure that they can in order to function properly. All that being said, if and once you get something like this in place and worked out, and done right, any user will be able to walk up to any computer, log on, and do the same work that they would be able to do on any other computer in the place. And if anything goes wrong, you simply pull the computer, put in a different one and off to the races they go. You then repair the computer you pulled and give it to the next random person that needs one. It is quite awesome and reduces help desk calls enormously.
Edit 2: Did I mention that you have to test this a lot?
-
@thecreativeone91 said:
...if each is unique (ex: \fs-01\users$%username%) you can redirect...Do people still hide the user home directories share or did you mean to type a backslash where you typed the dollar sign? It's actually been a really long time since I've seen anyone use a hidden share that wasn't one of the automatically generated administrative shares.
-
@doyle.jack said:
@thecreativeone91 said:
...if each is unique (ex: \fs-01\users$%username%) you can redirect...Do people still hide the user home directories share or did you mean to type a backslash where you typed the dollar sign? It's actually been a really long time since I've seen anyone use a hidden share that wasn't one of the automatically generated administrative shares.
The back slash is there it's just not showing in the text only the edit view for some odd reason.
\fs-01\users$ \ %username% was what it was (minus the space)
hiding the user share along with enabling access based enumeration is still pretty common practice for the users root share. The less the users can find/stumble upon the better.
