Disable saving any files in workstation.

A Former User

@sreekumarpg said:

@thecreativeone91 , They are saving their works on shared folder.

Does each user not have their own Network folder or is everyone saving to the same location? if each is unique (ex: \fs-01\users$%username%) you can redirect the desktop and documents location so they will be saving under their network folder. That would be the simplest way to stop people from saving locally. You can also enable Quota's in Windows File server management to prevent them from wasting space.

sreekumarpg

Thanks all for the valid answers..

I planned to redirect the Desktop and my documents to network folder and assign permission as readonly access, so that users cant save any files on desktops. Also Restrict access to c & D drives in my computer, so that they are not able to store files in drive.

Thanks !!

Ambarishrh

Test it and let us know how it goes please

Dashrender

@sreekumarpg said:

Thanks all for the valid answers..

I planned to redirect the Desktop and my documents to network folder and assign permission as readonly access, so that users cant save any files on desktops. Also Restrict access to c & D drives in my computer, so that they are not able to store files in drive.

Thanks !!

Wow, I've never heard anyone doing this before. I will be surprised if you don't have issues.

If the idea is to ensure that everyone always has access to everything (seems like an overly paranoid request) then you can grant full access (or at least read/write access) to the redirection folder on the server. When setting up the folder redirection in GPO make sure you don't check the box that gives only the user exclusive access.

thanksajdotcom

DeepFreeze is a great solution in this case, or you can go to something like thin clients or VDI. That seems to be your two options at this point.

thanksajdotcom

@Dashrender said:

@sreekumarpg said:

Thanks all for the valid answers..

I planned to redirect the Desktop and my documents to network folder and assign permission as readonly access, so that users cant save any files on desktops. Also Restrict access to c & D drives in my computer, so that they are not able to store files in drive.

Thanks !!

Wow, I've never heard anyone doing this before. I will be surprised if you don't have issues.

If the idea is to ensure that everyone always has access to everything (seems like an overly paranoid request) then you can grant full access (or at least read/write access) to the redirection folder on the server. When setting up the folder redirection in GPO make sure you don't check the box that gives only the user exclusive access.

This is going to cause a mountain of issues, I'm warning you. If the issue is that users are saving them on the local desktop and not on a NAS/network drive, use folder redirection, which is easy with GPO. If it's just users saving documents on the local machines period, you need to look at alternative approaches to how you handle your workstations.

A Former User

@thanksaj said:

something like thin clients or VDI.

That would be the MOST expensive way to solve this problem.

thanksajdotcom

@thecreativeone91 said:

@thanksaj said:

something like thin clients or VDI.

That would be the MOST expensive way to solve this problem.

Agreed. However, it seems to me that if, in his organization, that folder redirection won't do it and if by some chance he can't use DeepFreeze, what other choice does he have? The way he wants to approach it is going to cause all kinds of issues, IMO.

doyle.jack

At a hospital I used to work for we had done something similar. We both hid and restricted access to the drive in Explorer through Group Policy. The users' desktops, favorites and documents folders were all redirected to network locations.

All that being said, it is a lot of work to make something like this functional. Lots of testing. Users still had to have access to create files in certain locations on the local drive, they just didn't know they were doing it and couldn't really do it intentionally.

The key takeaway here is to do lots and lots of testing. It took us quite a while to work out every little kink so that every user in every department with every different job role could do whatever they needed to without trouble and on any computer.

Edit: In case I forgot to mention it, you would have to test this a LOT! While you don't want the users to save information to the local drive, applications often do need to and you'll want to ensure that they can in order to function properly. All that being said, if and once you get something like this in place and worked out, and done right, any user will be able to walk up to any computer, log on, and do the same work that they would be able to do on any other computer in the place. And if anything goes wrong, you simply pull the computer, put in a different one and off to the races they go. You then repair the computer you pulled and give it to the next random person that needs one. It is quite awesome and reduces help desk calls enormously.

Edit 2: Did I mention that you have to test this a lot?

doyle.jack

@thecreativeone91 said:
...if each is unique (ex: \fs-01\users$%username%) you can redirect...

Do people still hide the user home directories share or did you mean to type a backslash where you typed the dollar sign? It's actually been a really long time since I've seen anyone use a hidden share that wasn't one of the automatically generated administrative shares.

A Former User

@doyle.jack said:

@thecreativeone91 said:
...if each is unique (ex: \fs-01\users$%username%) you can redirect...

Do people still hide the user home directories share or did you mean to type a backslash where you typed the dollar sign? It's actually been a really long time since I've seen anyone use a hidden share that wasn't one of the automatically generated administrative shares.

The back slash is there it's just not showing in the text only the edit view for some odd reason.
\fs-01\users$ \ %username% was what it was (minus the space)
hiding the user share along with enabling access based enumeration is still pretty common practice for the users root share. The less the users can find/stumble upon the better.

sreekumarpg

Hi all,

As per the valid suggestion from all of you ,I locked down the Desktop and My Documents folders by redirecting those folders (via GPO) to a read only share and restrict the access to C & D Drive(via GPO). Now user can't save anything on desktops,My documents and in any drive, they can save only there works in their own shared drive.

Note : This setting does not prevent users from using programs to access local and network drives. It does not prevent them from using the Disk Management snap-in to view and change drive characteristics.

The reason for restrict the desktop saving is that ,we are sharing a single user account for multiple users in a systems . We are having some client settings which is bonded to the user name and system . We are having shifts for that job and they are doing different jobs. The management wants others not to see the confidential data during one shift.Most of the time the users forgot to delete the data which is against the rule.

Their requirement was users can able to save data in desktop which should be temporary and it need to be deleted after shutdown. Also users are not allowed to save any data in any drive.

Based on the discussion, its is a know fact that we can't achieve this without a third-party software and communicated. They are not willing to have a third-party software as this requirement is only for a limited users. Finally I have tested the folder redirection with read-only access and restrict drive access which partially satisfy their requirement.

Thanks for all the comments and support.

Am testing this test a LOT!

Dashrender

@sreekumarpg said:

Based on the discussion, its is a know fact that we can't achieve this without a third-party software and communicated. They are not willing to have a third-party software as this requirement is only for a limited users.

Sounds like a perfect reason to USE a third party clean solution.

Let us know how your testing goes.

Dashrender

@thanksaj said:

@Dashrender said:

@sreekumarpg said:

Thanks all for the valid answers..

I planned to redirect the Desktop and my documents to network folder and assign permission as readonly access, so that users cant save any files on desktops. Also Restrict access to c & D drives in my computer, so that they are not able to store files in drive.

Thanks !!

Wow, I've never heard anyone doing this before. I will be surprised if you don't have issues.

If the idea is to ensure that everyone always has access to everything (seems like an overly paranoid request) then you can grant full access (or at least read/write access) to the redirection folder on the server. When setting up the folder redirection in GPO make sure you don't check the box that gives only the user exclusive access.

This is going to cause a mountain of issues, I'm warning you. If the issue is that users are saving them on the local desktop and not on a NAS/network drive, use folder redirection, which is easy with GPO. If it's just users saving documents on the local machines period, you need to look at alternative approaches to how you handle your workstations.

Just to make sure anyone wasn't confused by my post. My intention wasn't to say that the redirection for all users would go to the same folder. Everyone would get a subfolder of the root share just like normal, but everyone would be granted full permissions which is definitely not something that's normal. So there shouldn't be an inherent problems with this, but of course users would mess with each other pretty badly if they wanted.