Desktop (read-only)

[Guest Chris]

Community,

 

I have a terminal server, each uses the Default User to create their

standard profile locally. Once the user is created, I move custom icons to

their desktop as they are needed.

 

A TS shared profile will not work in this scenario, since desktop's may be

different.

 

I want to make the Desktop read-only, so they cannot use the context-menu to

create new documents or save any material to their desktop. Forcing all

saving to done to the network share.

 

Termianl Server is a member server, using GP Loopback with replace to keep

their settings unique for desktop/TS.

 

I have tried to implement a login script at the GPO level for this group

that revokes the permissions and sets it to read-only. No luck.

 

 

subinacl.exe /subdirectories "%userprofile%\Desktop\*.*"

/revoke=DOMAIN\%username%

subinacl.exe /subdirectories "%userprofile%\Desktop"

/grant=DOMAIN\%username%=R

subinacl.exe /subdirectories "%userprofile%\Desktop\*.*"

/grant=DOMAIN\%username%=R

pause::subinacl.exe /subdirectories "%userprofile%\Desktop\*.*"

/revoke=SCOTIANGOLD\%username%

subinacl.exe /subdirectories "%userprofile%\Desktop"

/grant=SCOTIANGOLD\%username%=R

subinacl.exe /subdirectories "%userprofile%\Desktop\*.*"

/grant=SCOTIANGOLD\%username%=R

 

 

Any suggestions?

[Guest Jeff Pitsch]

Re: Desktop (read-only)

 

You could redirect the start menu's and then assign your own

permissions. That's how I've done it in the past. You can also disable

the context menu completely through Group Policy.

 

Jeff Pitsch

Microsoft MVP - Terminal Services

 

Chris wrote:

> Community,

>

> I have a terminal server, each uses the Default User to create their

> standard profile locally. Once the user is created, I move custom icons to

> their desktop as they are needed.

>

> A TS shared profile will not work in this scenario, since desktop's may be

> different.

>

> I want to make the Desktop read-only, so they cannot use the context-menu to

> create new documents or save any material to their desktop. Forcing all

> saving to done to the network share.

>

> Termianl Server is a member server, using GP Loopback with replace to keep

> their settings unique for desktop/TS.

>

> I have tried to implement a login script at the GPO level for this group

> that revokes the permissions and sets it to read-only. No luck.

>

>

> subinacl.exe /subdirectories "%userprofile%\Desktop\*.*"

> /revoke=DOMAIN\%username%

> subinacl.exe /subdirectories "%userprofile%\Desktop"

> /grant=DOMAIN\%username%=R

> subinacl.exe /subdirectories "%userprofile%\Desktop\*.*"

> /grant=DOMAIN\%username%=R

> pause::subinacl.exe /subdirectories "%userprofile%\Desktop\*.*"

> /revoke=SCOTIANGOLD\%username%

> subinacl.exe /subdirectories "%userprofile%\Desktop"

> /grant=SCOTIANGOLD\%username%=R

> subinacl.exe /subdirectories "%userprofile%\Desktop\*.*"

> /grant=SCOTIANGOLD\%username%=R

>

>

> Any suggestions?