ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Disable saving any files in workstation.

    Scheduled Pinned Locked Moved IT Discussion
    28 Posts 7 Posters 6.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ?
      A Former User @sreekumarpg
      last edited by

      @sreekumarpg said:

      @thecreativeone91 , They are saving their works on shared folder.

      Does each user not have their own Network folder or is everyone saving to the same location? if each is unique (ex: \fs-01\users$%username%) you can redirect the desktop and documents location so they will be saving under their network folder. That would be the simplest way to stop people from saving locally. You can also enable Quota's in Windows File server management to prevent them from wasting space.

      D 1 Reply Last reply Reply Quote 0
      • sreekumarpgS
        sreekumarpg
        last edited by

        Thanks all for the valid answers..

        I planned to redirect the Desktop and my documents to network folder and assign permission as readonly access, so that users cant save any files on desktops. Also Restrict access to c & D drives in my computer, so that they are not able to store files in drive.

        Thanks !!

        DashrenderD 1 Reply Last reply Reply Quote 0
        • AmbarishrhA
          Ambarishrh
          last edited by

          Test it and let us know how it goes please 🙂

          1 Reply Last reply Reply Quote 0
          • DashrenderD
            Dashrender @sreekumarpg
            last edited by

            @sreekumarpg said:

            Thanks all for the valid answers..

            I planned to redirect the Desktop and my documents to network folder and assign permission as readonly access, so that users cant save any files on desktops. Also Restrict access to c & D drives in my computer, so that they are not able to store files in drive.

            Thanks !!

            Wow, I've never heard anyone doing this before. I will be surprised if you don't have issues.

            If the idea is to ensure that everyone always has access to everything (seems like an overly paranoid request) then you can grant full access (or at least read/write access) to the redirection folder on the server. When setting up the folder redirection in GPO make sure you don't check the box that gives only the user exclusive access.

            thanksajdotcomT 1 Reply Last reply Reply Quote 2
            • thanksajdotcomT
              thanksajdotcom
              last edited by

              DeepFreeze is a great solution in this case, or you can go to something like thin clients or VDI. That seems to be your two options at this point.

              ? 1 Reply Last reply Reply Quote 0
              • thanksajdotcomT
                thanksajdotcom @Dashrender
                last edited by

                @Dashrender said:

                @sreekumarpg said:

                Thanks all for the valid answers..

                I planned to redirect the Desktop and my documents to network folder and assign permission as readonly access, so that users cant save any files on desktops. Also Restrict access to c & D drives in my computer, so that they are not able to store files in drive.

                Thanks !!

                Wow, I've never heard anyone doing this before. I will be surprised if you don't have issues.

                If the idea is to ensure that everyone always has access to everything (seems like an overly paranoid request) then you can grant full access (or at least read/write access) to the redirection folder on the server. When setting up the folder redirection in GPO make sure you don't check the box that gives only the user exclusive access.

                This is going to cause a mountain of issues, I'm warning you. If the issue is that users are saving them on the local desktop and not on a NAS/network drive, use folder redirection, which is easy with GPO. If it's just users saving documents on the local machines period, you need to look at alternative approaches to how you handle your workstations.

                DashrenderD 1 Reply Last reply Reply Quote 0
                • ?
                  A Former User @thanksajdotcom
                  last edited by

                  @thanksaj said:

                  something like thin clients or VDI.

                  That would be the MOST expensive way to solve this problem.

                  thanksajdotcomT 1 Reply Last reply Reply Quote 0
                  • thanksajdotcomT
                    thanksajdotcom @A Former User
                    last edited by

                    @thecreativeone91 said:

                    @thanksaj said:

                    something like thin clients or VDI.

                    That would be the MOST expensive way to solve this problem.

                    Agreed. However, it seems to me that if, in his organization, that folder redirection won't do it and if by some chance he can't use DeepFreeze, what other choice does he have? The way he wants to approach it is going to cause all kinds of issues, IMO.

                    1 Reply Last reply Reply Quote 0
                    • D
                      doyle.jack
                      last edited by doyle.jack

                      At a hospital I used to work for we had done something similar. We both hid and restricted access to the 😄 drive in Explorer through Group Policy. The users' desktops, favorites and documents folders were all redirected to network locations.

                      All that being said, it is a lot of work to make something like this functional. Lots of testing. Users still had to have access to create files in certain locations on the local drive, they just didn't know they were doing it and couldn't really do it intentionally.

                      The key takeaway here is to do lots and lots of testing. It took us quite a while to work out every little kink so that every user in every department with every different job role could do whatever they needed to without trouble and on any computer.

                      Edit: In case I forgot to mention it, you would have to test this a LOT! While you don't want the users to save information to the local drive, applications often do need to and you'll want to ensure that they can in order to function properly. All that being said, if and once you get something like this in place and worked out, and done right, any user will be able to walk up to any computer, log on, and do the same work that they would be able to do on any other computer in the place. And if anything goes wrong, you simply pull the computer, put in a different one and off to the races they go. You then repair the computer you pulled and give it to the next random person that needs one. It is quite awesome and reduces help desk calls enormously.

                      Edit 2: Did I mention that you have to test this a lot?

                      1 Reply Last reply Reply Quote 1
                      • D
                        doyle.jack @A Former User
                        last edited by

                        @thecreativeone91 said:
                        ...if each is unique (ex: \fs-01\users$%username%) you can redirect...

                        Do people still hide the user home directories share or did you mean to type a backslash where you typed the dollar sign? It's actually been a really long time since I've seen anyone use a hidden share that wasn't one of the automatically generated administrative shares.

                        ? 1 Reply Last reply Reply Quote 1
                        • ?
                          A Former User @doyle.jack
                          last edited by

                          @doyle.jack said:

                          @thecreativeone91 said:
                          ...if each is unique (ex: \fs-01\users$%username%) you can redirect...

                          Do people still hide the user home directories share or did you mean to type a backslash where you typed the dollar sign? It's actually been a really long time since I've seen anyone use a hidden share that wasn't one of the automatically generated administrative shares.

                          The back slash is there it's just not showing in the text only the edit view for some odd reason.
                          \fs-01\users$ \ %username% was what it was (minus the space)
                          hiding the user share along with enabling access based enumeration is still pretty common practice for the users root share. The less the users can find/stumble upon the better.

                          1 Reply Last reply Reply Quote 1
                          • sreekumarpgS
                            sreekumarpg
                            last edited by

                            Hi all,

                            As per the valid suggestion from all of you ,I locked down the Desktop and My Documents folders by redirecting those folders (via GPO) to a read only share and restrict the access to C & D Drive(via GPO). Now user can't save anything on desktops,My documents and in any drive, they can save only there works in their own shared drive.

                            Note : This setting does not prevent users from using programs to access local and network drives. It does not prevent them from using the Disk Management snap-in to view and change drive characteristics.

                            1.JPG

                            The reason for restrict the desktop saving is that ,we are sharing a single user account for multiple users in a systems . We are having some client settings which is bonded to the user name and system . We are having shifts for that job and they are doing different jobs. The management wants others not to see the confidential data during one shift.Most of the time the users forgot to delete the data which is against the rule.

                            Their requirement was users can able to save data in desktop which should be temporary and it need to be deleted after shutdown. Also users are not allowed to save any data in any drive.

                            Based on the discussion, its is a know fact that we can't achieve this without a third-party software and communicated. They are not willing to have a third-party software as this requirement is only for a limited users. Finally I have tested the folder redirection with read-only access and restrict drive access which partially satisfy their requirement.

                            Thanks for all the comments and support.

                            Am testing this test a LOT!😄

                            DashrenderD 1 Reply Last reply Reply Quote 1
                            • DashrenderD
                              Dashrender @sreekumarpg
                              last edited by

                              @sreekumarpg said:

                              Based on the discussion, its is a know fact that we can't achieve this without a third-party software and communicated. They are not willing to have a third-party software as this requirement is only for a limited users.

                              Sounds like a perfect reason to USE a third party clean solution. 🙂

                              Let us know how your testing goes.

                              1 Reply Last reply Reply Quote 0
                              • DashrenderD
                                Dashrender @thanksajdotcom
                                last edited by

                                @thanksaj said:

                                @Dashrender said:

                                @sreekumarpg said:

                                Thanks all for the valid answers..

                                I planned to redirect the Desktop and my documents to network folder and assign permission as readonly access, so that users cant save any files on desktops. Also Restrict access to c & D drives in my computer, so that they are not able to store files in drive.

                                Thanks !!

                                Wow, I've never heard anyone doing this before. I will be surprised if you don't have issues.

                                If the idea is to ensure that everyone always has access to everything (seems like an overly paranoid request) then you can grant full access (or at least read/write access) to the redirection folder on the server. When setting up the folder redirection in GPO make sure you don't check the box that gives only the user exclusive access.

                                This is going to cause a mountain of issues, I'm warning you. If the issue is that users are saving them on the local desktop and not on a NAS/network drive, use folder redirection, which is easy with GPO. If it's just users saving documents on the local machines period, you need to look at alternative approaches to how you handle your workstations.

                                Just to make sure anyone wasn't confused by my post. My intention wasn't to say that the redirection for all users would go to the same folder. Everyone would get a subfolder of the root share just like normal, but everyone would be granted full permissions which is definitely not something that's normal. So there shouldn't be an inherent problems with this, but of course users would mess with each other pretty badly if they wanted.

                                1 Reply Last reply Reply Quote 0
                                • 1
                                • 2
                                • 1 / 2
                                • First post
                                  Last post