Windows Server 2008 R2 Thread (Technical forum): Desktop Redirect: Students able to save on desktop despite permissions
    #1 basicchannel (Norfolk, UK)

    Desktop Redirect: Students able to save on desktop despite permissions

    Hi,

    This is driving me nuts!!

    I've enabled folder redirection in group policy and student desktops are directed to the desktop folder in the roaming student profile, so far so good. But students are able to save docs to the desktop despite them only having read NTFS and share permissions in the profile folder. I've also made sure that 'grant exclusive rights' isn't selected under the redirection options. So they shouldn't be able to save files or folders the the roaming desktop yet they can.

    Does anyone have any ideas? Students have now discovered the hilarity of right clicking and creating hundreds of new docs on the desktop.

    Thanks all

    #2 FN-GM (UK)
    We found this. I use this VBS script as a login script to stop it.

    Code:
    '*==================================================================
    '* Title         : DenyWrite.vbs
    '* Purpose       : Do not allow users to save stuff on the desktop
    '* Author        : Kimmo Jernstrom
    '* Last Modified : 2005-05-21
    '* Note          : Intended as a logon script, so it runs in the
    '*                 user's own context. It relies on the user holding
    '*                 WRITE_DAC on their Desktop folder (the owner of a
    '*                 profile folder does), which also means a user who
    '*                 can edit the DACL can remove the Deny again.
    '*==================================================================
    Option Explicit
    DenyWrite GetSpecialFolderDesktop(), GetUserSAM()


    '*==================================================================
    '* Name    : GetSpecialFolderDesktop
    '* In      : -
    '* Out     : Path to Desktop, or "N/A" if it cannot be resolved
    '* Purpose : Ask the shell for the Desktop folder, so a redirected
    '*           desktop is honoured rather than %USERPROFILE%\Desktop
    '*==================================================================
    Function GetSpecialFolderDesktop()
        On Error Resume Next
        Const DESKTOP = &H10&   ' ssfDESKTOPDIRECTORY: the file-system desktop folder
        Dim oShell, oFolder, oFolderItem
        Set oShell      = CreateObject("Shell.Application")
        Set oFolder     = oShell.Namespace(DESKTOP)
        Set oFolderItem = oFolder.Self
        If Err <> 0 Then
            GetSpecialFolderDesktop = "N/A"
        Else
            GetSpecialFolderDesktop = Trim(oFolderItem.Path)
        End If
        'Kill objects
        Set oFolderItem = Nothing
        Set oFolder     = Nothing
        Set oShell      = Nothing
    End Function

    '*==================================================================
    '* Name    : GetUserSAM
    '* In      : -
    '* Out     : UserSamAccountName
    '* Purpose : To find out the sAMAccountName of a user
    '* Comment : The environment variable %USERNAME% holds the
    '*           sAMAccountName of the user, so no need to do an
    '*           AD lookup...
    '*==================================================================
    Function GetUserSAM()
        On Error Resume Next
        Dim oWShell
        Set oWShell = CreateObject("WScript.Shell") ' WScript Shell
        GetUserSAM = oWShell.ExpandEnvironmentStrings("%USERNAME%")
        Set oWShell = Nothing
    End Function

    '*==================================================================
    '* Name    : DenyWrite
    '* In      : FolderPath, Trustee
    '* Out     : -
    '* Purpose : Stop users from creating icons on the desktop by adding
    '*           an inheritable Deny ACE for "create files" and
    '*           "create folders" on the folder
    '*==================================================================
    Sub DenyWrite(sFolder, sTrustee)
        On Error Resume Next
        'Bail out
        If sFolder = "N/A" Then
            Exit Sub
        End If

        'Ace Type definitions
        Const ADS_ACETYPE_ACCESS_ALLOWED = 0
        Const ADS_ACETYPE_ACCESS_DENIED  = &H1

        'AccessMask constants for FILE ACEs (same bits, different
        'meaning on a file and on a directory)
        Const FILE_WRITE_DATA       = &H2   'file & pipe
        Const FILE_ADD_FILE         = &H2   'directory
        Const FILE_APPEND_DATA      = &H4   'file
        Const FILE_ADD_SUBDIRECTORY = &H4   'directory

        'AceFlags values for files
        Const OBJECT_INHERIT_ACE    = &H1
        Const CONTAINER_INHERIT_ACE = &H2

        'ADS_PATHTYPE_ENUM
        Const ADS_PATH_FILE      = 1
        Const ADS_PATH_FILESHARE = 2

        'ADS_SD_FORMAT_ENUM
        Const ADS_SD_FORMAT_IID = 1

        'Variables
        Dim oAce                'variable for the new ACE
        Dim oSD                 'variable for the Security Descriptor of the object
        Dim oDacl               'variable for the DACL of the object
        Dim oADsSecurityUtility 'As ADsSecurityUtility

        ' Create an ADsSecurityUtility object.
        Set oADsSecurityUtility = CreateObject("ADsSecurityUtility")
        ' Get the Security Descriptor for the given NTFS file path.
        Set oSD = oADsSecurityUtility.GetSecurityDescriptor(sFolder, ADS_PATH_FILE, ADS_SD_FORMAT_IID)
        ' Get the Discretionary ACL of the folder.
        Set oDacl = oSD.DiscretionaryAcl
        ' Create an ACE object.
        Set oAce = CreateObject("AccessControlEntry")
        ' Set the IADsAccessControlEntry::Trustee attribute.
        oAce.Trustee = sTrustee
        ' Set the IADsAccessControlEntry::AccessMask attribute.
        ' On a directory these bits are FILE_ADD_FILE + FILE_ADD_SUBDIRECTORY.
        oAce.AccessMask = FILE_WRITE_DATA + FILE_ADD_SUBDIRECTORY
        ' Set the IADsAccessControlEntry::AceType attribute.
        oAce.AceType = ADS_ACETYPE_ACCESS_DENIED
        ' Set the IADsAccessControlEntry::AceFlags attribute so the Deny
        ' is inherited by files and sub-folders created below.
        oAce.AceFlags = OBJECT_INHERIT_ACE Or _
                        CONTAINER_INHERIT_ACE
        ' Place the ACE on the DACL. AddAce appends it to the END of the
        ' list; Windows evaluates ACEs in order, so this Deny beats Allows
        ' that come after it (the inherited ones) but not an explicit
        ' Allow that is already listed before it.
        oDacl.AddAce oAce
        ' Place the DACL back onto the SD.
        oSD.DiscretionaryAcl = oDacl
        ' Place the SD back onto the folder.
        oADsSecurityUtility.SetSecurityDescriptor sFolder, ADS_PATH_FILE, oSD, ADS_SD_FORMAT_IID
        ' Cleanup.
        Set oAce                = Nothing
        Set oDacl               = Nothing
        Set oSD                 = Nothing
        Set oADsSecurityUtility = Nothing
    End Sub

    Thanks to FN-GM from: basicchannel (6th September 2013)

    #3 Valyyn (Portsmouth)
    Might be worth double-checking that they aren't a member of two groups (say, Authenticated Users) which have permission. You could either use the Effective Permissions tool from the security/advanced tab, or you could try setting an explicit Deny on the student group for write permission, as that Deny should override an Allow from another group.
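An added PowerShell example, not from the thread, that does the two things Valyyn describes from the command line: list every ACE that actually applies to a redirected desktop folder (inherited ones included, so a stray Allow from Authenticated Users or Users shows up), and put an explicit, inheritable Deny for creating files and folders on the student group. The path and group name are assumed placeholders; run it elevated on the server that holds the folder.

```powershell
# Added example, not from the thread. $DesktopRoot and $StudentGroup are
# assumed placeholders; run elevated where the folder lives.
$DesktopRoot  = '\\fileserver\profiles$\student1\Desktop'
$StudentGroup = 'SCHOOL\Students'

# 1. Show every ACE that applies, with type and inheritance, so an
#    unexpected Allow (Authenticated Users, Users, CREATOR OWNER, ...)
#    is visible. IsInherited = True means it came from a parent folder.
$acl = Get-Acl -Path $DesktopRoot
$acl.Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights,
                  IsInherited, InheritanceFlags |
    Format-Table -AutoSize

# 2. Add an explicit Deny for creating files and sub-folders, inherited
#    by everything below. CreateFiles is FILE_ADD_FILE and
#    CreateDirectories is FILE_ADD_SUBDIRECTORY on a directory; an
#    explicit Deny wins over an Allow the user gets via another group.
$rights  = [System.Security.AccessControl.FileSystemRights] 'CreateFiles, CreateDirectories'
$inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$deny    = New-Object System.Security.AccessControl.FileSystemAccessRule(
               $StudentGroup, $rights, $inherit, $prop,
               [System.Security.AccessControl.AccessControlType]::Deny)

$acl.AddAccessRule($deny)
Set-Acl -Path $DesktopRoot -AclObject $acl

# 3. Re-read and confirm the Deny is present for the group.
(Get-Acl -Path $DesktopRoot).Access |
    Where-Object { $_.IdentityReference.Value -eq $StudentGroup } |
    Format-List IdentityReference, AccessControlType, FileSystemRights, IsInherited
```

The .NET ACL classes keep the DACL in canonical order (explicit Denies, then explicit Allows, then inherited entries), so the Deny is placed where Windows evaluates it first and it takes effect regardless of which Allow the student also matches. Applying it once to the share root that holds all the redirected desktops, rather than per user, is the usual way to roll it out.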

    #4 basicchannel
    Quote Originally Posted by Valyyn:
    Might be worth double-checking that they aren't a member of two groups (say, Authenticated Users) which have permission. You could either use the Effective Permissions tool from the security/advanced tab, or you could try setting an explicit Deny on the student group for write permission, as that Deny should override an Allow from another group.
    I had already put a deny under create folders etc., which makes the mind boggle even more.
    @FN-GM Used your script in the end and it worked. Thank you so much!!!!!!

    #5 Arthur
    If you don't want any students to be able to save to their desktops, why not simply redirect it to a network share that has Read & Execute permissions?

    That's what we do and it works fine. You also do not need to mess around with any scripts then.

    #6 basicchannel
    Quote Originally Posted by Arthur:
    If you don't want any students to be able to save to their desktops, why not simply redirect it to a network share that has Read & Execute permissions?

    That's what we do and it works fine. You also do not need to mess around with any scripts then.
    Already done it bruv and it didn't work.

    #7 FN-GM
    We redirected to a local drive but it didn't work either. The icons are from the user profile, not the redirected folder.

    #8 Ash (East Midlands)
    Hiya,

    Is the redirection actually working? i.e. is their desktop pointing to the folder where you applied the permissions, or is it pointing to their user profile? I think you may find that the desktop redirection has not happened and it's gone back to the default setting of the desktop being in the user profile. You can check by looking at the registry of the user (i.e. when the user is logged in):

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop

    and see where Desktop points. You can also check this remotely by getting one of the students to log in and then, from your station, navigating to

    HKEY_USERS\<long guid>\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop

    If the value of Desktop is %userprofile%\desktop then it's redirecting to their normal default desktop, which they will have write access to, and if it's the other folder you specified then I'm not sure why it's still letting them save stuff.

    Ash.
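An added PowerShell example, not from the thread, that automates Ash's registry check: it walks every user hive loaded under HKEY_USERS on the workstation, resolves the SID to an account name, and prints the raw (unexpanded) `Desktop` value from `User Shell Folders`, so `%USERPROFILE%\Desktop` is shown as such instead of being expanded under the administrator's own profile. It then pulls recent Folder Redirection failure events. The log name and event ID are real; the script is otherwise an assumption about how you would run the check.

```powershell
# Added example, not from the thread. Run as an administrator on the
# workstation while the student is logged on; every loaded hive is read,
# so nothing has to be typed as the student.
$ShellFolders = 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$NoExpand     = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

Get-ChildItem -Path 'Registry::HKEY_USERS' |
  Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |   # user SIDs only, skip _Classes and built-ins
  ForEach-Object {
    $sid = $_.PSChildName
    try {
      $user = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                [System.Security.Principal.NTAccount]).Value
    } catch { $user = '(SID not resolved)' }

    $key = Get-Item -Path "Registry::HKEY_USERS\$sid\$ShellFolders" -ErrorAction SilentlyContinue
    if ($key) {
      # Read the REG_EXPAND_SZ raw so %USERPROFILE% is reported literally.
      $desktop = $key.GetValue('Desktop', '(not set)', $NoExpand)
      New-Object PSObject -Property @{ User = $user; SID = $sid; Desktop = $desktop }
    }
  } | Format-Table User, Desktop -AutoSize

# A user still showing %USERPROFILE%\Desktop was not redirected. Folder
# Redirection runs in the user's context and logs its failures to its own
# operational log; event 502 is "failed to apply policy and redirect folder"
# and its message names the target path and the Win32 error.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Folder Redirection/Operational'; Id = 502 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
  Format-List TimeCreated, Message
```

If the 502 events show an access-denied error against the target, the usual cause is that the client, running as the user, could not create the target folder or (with "Move the contents" ticked) could not copy the existing desktop into a location the user has only read access to; the redirect then silently falls back to the profile desktop, which is writable.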

    #9 FN-GM
    It's pointing to both. It's possible.

    #10 Ash
    I don't think that is possible, otherwise you may have issues that are being reported on.

    #11 basicchannel
    Hi,

    Problem 1: Suddenly that script isn't working any more despite working a few days ago. I've checked RSOP and it's definitely being applied.

    Problem 2: What I've discovered is when a user creates a new doc in desktop, despite the student security group only having read access, the system automatically grants their individual usernames full access to the file/folder. Shouldn't the student security group with read-only permission override this?

    #12 sted (Leeds)
    Try redirecting to a new share, say desktops$, and, ignoring NTFS permissions, set share permissions to read only for their group and full for admins, and leave everyone else off. Then there should be no way to write to it.
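An added PowerShell example, not from the thread, of the share sted describes, with a check that decodes the share's own DACL (not the NTFS one) so you can see exactly which groups got READ, CHANGE or FULL. Share name, path and group names are assumed placeholders. It uses `net share` because the SmbShare cmdlets only exist on Server 2012 and later; on 2012+ `New-SmbShare -ReadAccess/-FullAccess` does the same job.

```powershell
# Added example, not from the thread. Run elevated on the file server.
# Share name, path and groups are assumed placeholders.
$SharePath = 'D:\Desktops'
$ShareName = 'desktops$'          # the $ only hides it from browsing
$Students  = 'SCHOOL\Students'
$Admins    = 'SCHOOL\Domain Admins'

if (-not (Test-Path -Path $SharePath)) {
    New-Item -ItemType Directory -Path $SharePath | Out-Null
}

# Share permissions: only the two groups, nothing for Everyone.
# Group names containing spaces must be quoted as shown.
net share "${ShareName}=${SharePath}" /GRANT:"${Students},READ" /GRANT:"${Admins},FULL" /REMARK:"Read-only student desktops"

# Verify by decoding the share DACL from WMI. The masks are the three
# values the share permissions UI writes: READ, CHANGE, FULL.
$setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
$sd      = $setting.GetSecurityDescriptor().Descriptor
foreach ($ace in $sd.DACL) {
    $mask = switch ($ace.AccessMask) {
        1179817 { 'READ' }     # 0x1200A9
        1245631 { 'CHANGE' }   # 0x1301BF
        2032127 { 'FULL' }     # 0x1F01FF
        default { $ace.AccessMask }
    }
    $type = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
    '{0,-5} {1,-6} {2}\{3}' -f $type, $mask, $ace.Trustee.Domain, $ace.Trustee.Name
}
```

Two things to keep in mind with this approach: share permissions are only evaluated for access that comes in over SMB, so they do nothing if the desktop is redirected to a local path or the user reaches the folder by another share, and the effective permission is the more restrictive of share and NTFS, so an NTFS Allow cannot widen a read-only share. Because the user cannot write, the redirection policy must not be set to move the existing desktop contents, and each user's target folder has to exist before they log on.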

    Thanks to sted from: basicchannel (12th September 2013)

    #13 basicchannel
    Quote Originally Posted by sted:
    Try redirecting to a new share, say desktops$, and, ignoring NTFS permissions, set share permissions to read only for their group and full for admins, and leave everyone else off. Then there should be no way to write to it.
    Cheers, I'll give that a go and let y'all know

    #14 basicchannel
    Right people, it looks like, following advice from @sted, it now does what it should do and takes notice of the permissions assigned to it. All I can say is the last day or two has been a nightmare, but once again such a simple solution.

    thanks all.

    #15 Ash
    The problem here is that you may have the CREATOR OWNER entry in the ACL, which by default has full control, so if a user can write to the location they will have full control of that file because that user created it, if you know what I mean.

    Ash.

    Quote Originally Posted by basicchannel:
    Hi,

    Problem 1: Suddenly that script isn't working any more despite working a few days ago. I've checked RSOP and it's definitely being applied.

    Problem 2: What I've discovered is when a user creates a new doc in desktop, despite the student security group only having read access, the system automatically grants their individual usernames full access to the file/folder. Shouldn't the student security group with read-only permission override this?
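An added PowerShell example, not from the thread, that shows the CREATOR OWNER mechanism Ash describes and what removing it does and does not buy you. CREATOR OWNER is a placeholder SID (S-1-3-0); when a file or folder is created, any inheritable ACE for it is copied onto the new object with the creator's own SID substituted in, which is exactly the "individual usernames with full access" basicchannel saw. The script lists those entries on the desktop root, strips them (breaking inheritance if they come from a parent), and then shows the owner and explicit ACEs on files students have already created. The path and the `Get-CreatorOwnerAces` helper are assumptions for this example.

```powershell
# Added example, not from the thread. $DesktopRoot is an assumed placeholder;
# run elevated on the server that holds the redirected desktops.
$DesktopRoot = 'D:\Desktops'

# Hypothetical helper: list CREATOR OWNER entries on a folder.
function Get-CreatorOwnerAces($Path) {
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' } |
        Select-Object FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
}

'CREATOR OWNER entries before:'
Get-CreatorOwnerAces $DesktopRoot | Format-Table -AutoSize

# Remove every CREATOR OWNER entry. Inherited ACEs cannot be removed in
# place, so if any are inherited, stop inheriting first while keeping copies
# of the other entries, then remove the now-explicit copies.
$acl = Get-Acl -Path $DesktopRoot
$co  = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' })
if ($co | Where-Object { $_.IsInherited }) {
    $acl.SetAccessRuleProtection($true, $true)      # protect DACL, preserve inherited as explicit
    Set-Acl -Path $DesktopRoot -AclObject $acl
    $acl = Get-Acl -Path $DesktopRoot
    $co  = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' })
}
foreach ($rule in $co) { $acl.RemoveAccessRule($rule) | Out-Null }
Set-Acl -Path $DesktopRoot -AclObject $acl

'CREATOR OWNER entries after:'
Get-CreatorOwnerAces $DesktopRoot | Format-Table -AutoSize

# Files the students already created: the creator is still the Owner, and an
# owner always holds READ_CONTROL and WRITE_DAC implicitly, whatever the DACL
# says, so they can grant themselves rights back on anything they got to create.
Get-ChildItem -Path $DesktopRoot -Recurse |
  Where-Object { -not $_.PSIsContainer } |
  Select-Object -First 5 |
  ForEach-Object {
    $a = Get-Acl -Path $_.FullName
    New-Object PSObject -Property @{
      File     = $_.FullName
      Owner    = $a.Owner
      Explicit = ($a.Access | Where-Object { -not $_.IsInherited } |
                  ForEach-Object { "$($_.IdentityReference.Value): $($_.FileSystemRights)" }) -join '; '
    }
  } | Format-List File, Owner, Explicit
```

Removing CREATOR OWNER only stops the automatic Full Control grant on new objects; it does not take ownership away from the creator, and ownership alone lets them rewrite the DACL of their own files. The durable fix is therefore to stop the creation in the first place, which is what the explicit Deny on create files/folders and the read-only share discussed earlier in the thread both do.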
