Desktop (read-only)

Chris

Community,

I have a terminal server, each uses the Default User to create their
standard profile locally. Once the user is created, I move custom icons to
their desktop as they are needed.

A TS shared profile will not work in this scenario, since desktops may be
different.

I want to make the Desktop read-only, so they cannot use the context-menu to
create new documents or save any material to their desktop. Forcing all
saving to be done to the network share.

Terminal Server is a member server, using GP Loopback with replace to keep
their settings unique for desktop/TS.

I have tried to implement a login script at the GPO level for this group
that revokes the permissions and sets it to read-only. No luck.


subinacl.exe /subdirectories "%userprofile%\Desktop\*.*" /revoke=DOMAIN\%username%
subinacl.exe /subdirectories "%userprofile%\Desktop" /grant=DOMAIN\%username%=R
subinacl.exe /subdirectories "%userprofile%\Desktop\*.*" /grant=DOMAIN\%username%=R
pause::subinacl.exe /subdirectories "%userprofile%\Desktop\*.*" /revoke=SCOTIANGOLD\%username%
subinacl.exe /subdirectories "%userprofile%\Desktop" /grant=SCOTIANGOLD\%username%=R
subinacl.exe /subdirectories "%userprofile%\Desktop\*.*" /grant=SCOTIANGOLD\%username%=R


Any suggestions?
 
Re: Desktop (read-only)

You could redirect the start menus and then assign your own
permissions. That's how I've done it in the past. You can also disable
the context menu completely through Group Policy.

Jeff Pitsch
Microsoft MVP - Terminal Services

Chris wrote:
> Community,
>
> I have a terminal server, each uses the Default User to create their
> standard profile locally. Once the user is created, I move custom icons to
> their desktop as they are needed.
>
> A TS shared profile will not work in this scenario, since desktops may be
> different.
>
> I want to make the Desktop read-only, so they cannot use the context-menu to
> create new documents or save any material to their desktop. Forcing all
> saving to be done to the network share.
>
> Terminal Server is a member server, using GP Loopback with replace to keep
> their settings unique for desktop/TS.
>
> I have tried to implement a login script at the GPO level for this group
> that revokes the permissions and sets it to read-only. No luck.
>
>
> subinacl.exe /subdirectories "%userprofile%\Desktop\*.*" /revoke=DOMAIN\%username%
> subinacl.exe /subdirectories "%userprofile%\Desktop" /grant=DOMAIN\%username%=R
> subinacl.exe /subdirectories "%userprofile%\Desktop\*.*" /grant=DOMAIN\%username%=R
> pause::subinacl.exe /subdirectories "%userprofile%\Desktop\*.*" /revoke=SCOTIANGOLD\%username%
> subinacl.exe /subdirectories "%userprofile%\Desktop" /grant=SCOTIANGOLD\%username%=R
> subinacl.exe /subdirectories "%userprofile%\Desktop\*.*" /grant=SCOTIANGOLD\%username%=R
>
>
> Any suggestions?
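
One way to carry out the "assign your own permissions" suggestion above, as an added example that is not part of the thread. It assumes icacls.exe and PowerShell are available on the server and that an administrator runs it elevated rather than as the user's logon script; $DesktopPath and $UserAccount are hypothetical parameters.

```powershell
# Added example (not from the thread). Run elevated as an administrator.
# $DesktopPath and $UserAccount are hypothetical parameters supplied by the caller.
param(
    [Parameter(Mandatory = $true)][string]$DesktopPath,
    [Parameter(Mandatory = $true)][string]$UserAccount
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $DesktopPath -PathType Container)) {
    throw "Desktop folder not found: $DesktopPath"
}

# Resolve the account up front so a typo fails before any ACL is touched.
$userSid = (New-Object System.Security.Principal.NTAccount($UserAccount)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# An object's owner can always rewrite its DACL, so move ownership away from the user.
icacls.exe $DesktopPath /setowner 'BUILTIN\Administrators' /T /C | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls /setowner failed with exit code $LASTEXITCODE" }

# Drop inherited ACEs and set explicit ones: SYSTEM and admins full, user read/execute.
icacls.exe $DesktopPath /inheritance:r /grant:r `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    'BUILTIN\Administrators:(OI)(CI)F' `
    "${UserAccount}:(OI)(CI)RX" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed with exit code $LASTEXITCODE" }

# Existing icons: discard their own ACLs so they inherit the folder's new one.
icacls.exe (Join-Path $DesktopPath '*') /reset /T /C | Out-Null

# Verify: no Allow ACE naming the user directly may carry a write-type right.
# (ACEs granted through groups are not evaluated here.)
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$rules = (Get-Acl -LiteralPath $DesktopPath).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])
$tooBroad = @($rules | Where-Object {
    $_.IdentityReference.Value -eq $userSid.Value -and
    $_.AccessControlType -eq 'Allow' -and
    ([int]$_.FileSystemRights -band $writeMask) -ne 0
})
if ($tooBroad.Count -gt 0) { throw "User still has write access on $DesktopPath" }
"Desktop is read-only for $UserAccount"
```

Run it once per user after placing their icons; icons added later inherit the read-only ACL from the folder.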
 