Guest Chris Posted September 23, 2008 Posted September 23, 2008 Community, I have a terminal server, each uses the Default User to create their standard profile locally. Once the user is created, I move custom icons to their desktop as they are needed. A TS shared profile will not work in this scenario, since desktop's may be different. I want to make the Desktop read-only, so they cannot use the context-menu to create new documents or save any material to their desktop. Forcing all saving to done to the network share. Termianl Server is a member server, using GP Loopback with replace to keep their settings unique for desktop/TS. I have tried to implement a login script at the GPO level for this group that revokes the permissions and sets it to read-only. No luck. subinacl.exe /subdirectories "%userprofile%\Desktop\*.*" /revoke=DOMAIN\%username% subinacl.exe /subdirectories "%userprofile%\Desktop" /grant=DOMAIN\%username%=R subinacl.exe /subdirectories "%userprofile%\Desktop\*.*" /grant=DOMAIN\%username%=R pause::subinacl.exe /subdirectories "%userprofile%\Desktop\*.*" /revoke=SCOTIANGOLD\%username% subinacl.exe /subdirectories "%userprofile%\Desktop" /grant=SCOTIANGOLD\%username%=R subinacl.exe /subdirectories "%userprofile%\Desktop\*.*" /grant=SCOTIANGOLD\%username%=R Any suggestions?
Guest Jeff Pitsch Posted September 23, 2008 Posted September 23, 2008 Re: Desktop (read-only) You could redirect the start menu's and then assign your own permissions. That's how I've done it in the past. You can also disable the context menu completely through Group Policy. Jeff Pitsch Microsoft MVP - Terminal Services Chris wrote: > Community, > > I have a terminal server, each uses the Default User to create their > standard profile locally. Once the user is created, I move custom icons to > their desktop as they are needed. > > A TS shared profile will not work in this scenario, since desktop's may be > different. > > I want to make the Desktop read-only, so they cannot use the context-menu to > create new documents or save any material to their desktop. Forcing all > saving to done to the network share. > > Termianl Server is a member server, using GP Loopback with replace to keep > their settings unique for desktop/TS. > > I have tried to implement a login script at the GPO level for this group > that revokes the permissions and sets it to read-only. No luck. > > > subinacl.exe /subdirectories "%userprofile%\Desktop\*.*" > /revoke=DOMAIN\%username% > subinacl.exe /subdirectories "%userprofile%\Desktop" > /grant=DOMAIN\%username%=R > subinacl.exe /subdirectories "%userprofile%\Desktop\*.*" > /grant=DOMAIN\%username%=R > pause::subinacl.exe /subdirectories "%userprofile%\Desktop\*.*" > /revoke=SCOTIANGOLD\%username% > subinacl.exe /subdirectories "%userprofile%\Desktop" > /grant=SCOTIANGOLD\%username%=R > subinacl.exe /subdirectories "%userprofile%\Desktop\*.*" > /grant=SCOTIANGOLD\%username%=R > > > Any suggestions?
Recommended Posts