    Disable saving any files in workstation.

      Ambarishrh

      And maybe enable folder redirection, so if they want to save something, it goes straight to your network drive? https://4sysops.com/archives/folder-redirection-part-1-introduction/

        sreekumarpg

        @Ambarishrh said:

        And maybe enable folder redirection, so if they want to save something, it goes straight to your network drive?

        Yes, I checked that too: redirect the folder to the server and allow read-only permission. But more storage space is required.

        We already have a DFS in place for storing their files.

        I think a mandatory profile will be a good option, but how can we do it through GPO, as we have a requirement of more than 100 computers?

          A Former User @sreekumarpg

          @sreekumarpg said:
          Yes, I checked that too: redirect the folder to the server and allow read-only permission

          Wait so how do they save their work at all?

            A Former User @sreekumarpg

            @sreekumarpg said:

            I think a mandatory profile will be a good option, but how can we do it through GPO, as we have a requirement of more than 100 computers?

            A mandatory profile is a roaming user profile and tends to cause more issues than it fixes.

              A Former User

              Here's a video on doing it though
              Youtube Video

              TL:DW

                sreekumarpg @A Former User

                @thecreativeone91, they are saving their work on a shared folder.

                  A Former User @sreekumarpg

                  @sreekumarpg said:

                  @thecreativeone91, they are saving their work on a shared folder.

                  Does each user not have their own network folder, or is everyone saving to the same location? If each is unique (ex: \fs-01\users$%username%) you can redirect the desktop and documents location so they will be saving under their network folder. That would be the simplest way to stop people from saving locally. You can also enable quotas in Windows File Server management to prevent them from wasting space.

                    sreekumarpg

                    Thanks all for the valid answers..

                    I planned to redirect the Desktop and My Documents to a network folder and assign read-only permission, so that users can't save any files on desktops. Also restrict access to the C & D drives in My Computer, so that they are not able to store files on the drives.

                    Thanks !!

                      Ambarishrh

                      Test it and let us know how it goes please 🙂

                        Dashrender @sreekumarpg

                        @sreekumarpg said:

                        Thanks all for the valid answers..

                        I planned to redirect the Desktop and My Documents to a network folder and assign read-only permission, so that users can't save any files on desktops. Also restrict access to the C & D drives in My Computer, so that they are not able to store files on the drives.

                        Thanks !!

                        Wow, I've never heard anyone doing this before. I will be surprised if you don't have issues.

                        If the idea is to ensure that everyone always has access to everything (seems like an overly paranoid request) then you can grant full access (or at least read/write access) to the redirection folder on the server. When setting up the folder redirection in GPO make sure you don't check the box that gives only the user exclusive access.

                          thanksajdotcom

                          DeepFreeze is a great solution in this case, or you can go to something like thin clients or VDI. Those seem to be your two options at this point.

                            thanksajdotcom @Dashrender

                            @Dashrender said:

                            @sreekumarpg said:

                            Thanks all for the valid answers..

                            I planned to redirect the Desktop and My Documents to a network folder and assign read-only permission, so that users can't save any files on desktops. Also restrict access to the C & D drives in My Computer, so that they are not able to store files on the drives.

                            Thanks !!

                            Wow, I've never heard anyone doing this before. I will be surprised if you don't have issues.

                            If the idea is to ensure that everyone always has access to everything (seems like an overly paranoid request) then you can grant full access (or at least read/write access) to the redirection folder on the server. When setting up the folder redirection in GPO make sure you don't check the box that gives only the user exclusive access.

                            This is going to cause a mountain of issues, I'm warning you. If the issue is that users are saving them on the local desktop and not on a NAS/network drive, use folder redirection, which is easy with GPO. If it's just users saving documents on the local machines period, you need to look at alternative approaches to how you handle your workstations.

                              A Former User @thanksajdotcom

                              @thanksaj said:

                              something like thin clients or VDI.

                              That would be the MOST expensive way to solve this problem.

                                thanksajdotcom @A Former User

                                @thecreativeone91 said:

                                @thanksaj said:

                                something like thin clients or VDI.

                                That would be the MOST expensive way to solve this problem.

                                Agreed. However, it seems to me that if, in his organization, that folder redirection won't do it and if by some chance he can't use DeepFreeze, what other choice does he have? The way he wants to approach it is going to cause all kinds of issues, IMO.

                                  doyle.jack

                                  At a hospital I used to work for we had done something similar. We both hid and restricted access to the C: drive in Explorer through Group Policy. The users' desktops, favorites and documents folders were all redirected to network locations.

                                  All that being said, it is a lot of work to make something like this functional. Lots of testing. Users still had to have access to create files in certain locations on the local drive, they just didn't know they were doing it and couldn't really do it intentionally.

                                  The key takeaway here is to do lots and lots of testing. It took us quite a while to work out every little kink so that every user in every department with every different job role could do whatever they needed to without trouble and on any computer.

                                  Edit: In case I forgot to mention it, you would have to test this a LOT! While you don't want the users to save information to the local drive, applications often do need to and you'll want to ensure that they can in order to function properly. All that being said, if and once you get something like this in place and worked out, and done right, any user will be able to walk up to any computer, log on, and do the same work that they would be able to do on any other computer in the place. And if anything goes wrong, you simply pull the computer, put in a different one and off to the races they go. You then repair the computer you pulled and give it to the next random person that needs one. It is quite awesome and reduces help desk calls enormously.

                                  Edit 2: Did I mention that you have to test this a lot?

                                    doyle.jack @A Former User

                                    @thecreativeone91 said:
                                    ...if each is unique (ex: \fs-01\users$%username%) you can redirect...

                                    Do people still hide the user home directories share or did you mean to type a backslash where you typed the dollar sign? It's actually been a really long time since I've seen anyone use a hidden share that wasn't one of the automatically generated administrative shares.

                                      A Former User @doyle.jack

                                      @doyle.jack said:

                                      @thecreativeone91 said:
                                      ...if each is unique (ex: \fs-01\users$%username%) you can redirect...

                                      Do people still hide the user home directories share or did you mean to type a backslash where you typed the dollar sign? It's actually been a really long time since I've seen anyone use a hidden share that wasn't one of the automatically generated administrative shares.

                                      The backslash is there; it's just not showing in the text, only in the edit view, for some odd reason.
                                      \fs-01\users$ \ %username% was what it was (minus the space).
                                      Hiding the user share along with enabling access-based enumeration is still pretty common practice for the users' root share. The less the users can find/stumble upon, the better.

                                        sreekumarpg

                                        Hi all,

                                        As per the valid suggestions from all of you, I locked down the Desktop and My Documents folders by redirecting those folders (via GPO) to a read-only share and restricted access to the C & D drives (via GPO). Now users can't save anything on the desktop, in My Documents or on any drive; they can save their work only in their own shared drive.

                                        Note: This setting does not prevent users from using programs to access local and network drives. It does not prevent them from using the Disk Management snap-in to view and change drive characteristics.

                                        The reason for restricting saving to the desktop is that we are sharing a single user account among multiple users on a system. We have some client settings which are bound to the user name and system. We have shifts for that job, and they are doing different jobs. Management does not want others to see the confidential data during one shift. Most of the time the users forget to delete the data, which is against the rules.

                                        Their requirement was that users be able to save data on the desktop, which should be temporary and needs to be deleted after shutdown. Also, users are not allowed to save any data on any drive.

                                        Based on the discussion, it is a known fact that we can't achieve this without third-party software, and I communicated that. They are not willing to have third-party software, as this requirement is only for a limited number of users. Finally, I have tested folder redirection with read-only access and restricted drive access, which partially satisfies their requirement.

                                        Thanks for all the comments and support.

                                        Am testing this test a LOT!😄

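The lockdown described in the post above can be checked from the restricted account itself. The PowerShell below is an added example, not part of the thread: it decodes the Explorer drive-restriction bitmasks, reports whether Desktop and Documents resolve to a UNC path, and probes where the account can still write. The list of probe folders is an assumption to adapt to your own image.

```powershell
# Added audit sketch: run as the shared, restricted account on a locked-down PC.
# The registry key is the standard per-user Explorer policy location; the list
# of probe folders at the bottom is an assumption to adapt to your image.

function ConvertFrom-DriveMask {
    param([int]$Mask)
    # Bit 0 = A:, bit 1 = B:, bit 2 = C:, bit 3 = D: ... bit 25 = Z:
    # (so C: and D: together are 4 + 8 = 12)
    0..25 | Where-Object { $Mask -band (1 -shl $_) } |
        ForEach-Object { '{0}:' -f [char](65 + $_) }
}

function Test-CanWrite {
    param([string]$Directory)
    # Create and delete a uniquely named probe file; any failure means "no".
    $probe = Join-Path $Directory ('audit-{0}.tmp' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

# 1. Which drives does the Explorer policy hide (NoDrives) or block (NoViewOnDrive)?
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
foreach ($name in 'NoDrives', 'NoViewOnDrive') {
    $mask = if ($policy -and $null -ne $policy.$name) { [int]$policy.$name } else { 0 }
    '{0,-14} = {1,-3} -> {2}' -f $name, $mask, ((ConvertFrom-DriveMask $mask) -join ' ')
}

# 2. Do Desktop and Documents resolve to a UNC path, i.e. are they redirected?
$folders = 'Desktop', 'MyDocuments' | ForEach-Object { [Environment]::GetFolderPath($_) }
$folders | ForEach-Object { '{0} (redirected to UNC: {1})' -f $_, $_.StartsWith('\\') }

# 3. Where can this account still write? The Explorer policy does not stop
#    programs from writing, so every local path reported Writable = True is a
#    place where one shift's data can persist for the next shift to find.
$targets = @($folders) + $env:TEMP, $env:PUBLIC, 'C:\', 'D:\'
foreach ($dir in ($targets | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
    [pscustomobject]@{ Path = $dir; Writable = Test-CanWrite $dir }
}
```

With the read-only redirection in place, Desktop and Documents should report `Writable = False`; local paths that still report `True` are the locations applications need, as noted earlier in the thread, and are the ones to clear between shifts.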
                                          Dashrender @sreekumarpg

                                          @sreekumarpg said:

                                          Based on the discussion, it is a known fact that we can't achieve this without third-party software, and I communicated that. They are not willing to have third-party software, as this requirement is only for a limited number of users.

                                          Sounds like a perfect reason to USE a third party clean solution. 🙂

                                          Let us know how your testing goes.

                                            Dashrender @thanksajdotcom

                                            @thanksaj said:

                                            @Dashrender said:

                                            @sreekumarpg said:

                                            Thanks all for the valid answers..

                                            I planned to redirect the Desktop and My Documents to a network folder and assign read-only permission, so that users can't save any files on desktops. Also restrict access to the C & D drives in My Computer, so that they are not able to store files on the drives.

                                            Thanks !!

                                            Wow, I've never heard anyone doing this before. I will be surprised if you don't have issues.

                                            If the idea is to ensure that everyone always has access to everything (seems like an overly paranoid request) then you can grant full access (or at least read/write access) to the redirection folder on the server. When setting up the folder redirection in GPO make sure you don't check the box that gives only the user exclusive access.

                                            This is going to cause a mountain of issues, I'm warning you. If the issue is that users are saving them on the local desktop and not on a NAS/network drive, use folder redirection, which is easy with GPO. If it's just users saving documents on the local machines period, you need to look at alternative approaches to how you handle your workstations.

                                            Just to make sure no one was confused by my post: my intention wasn't to say that the redirection for all users would go to the same folder. Everyone would get a subfolder of the root share just like normal, but everyone would be granted full permissions, which is definitely not something that's normal. So there shouldn't be any inherent problems with this, but of course users would mess with each other pretty badly if they wanted.
