Mandatory Profiles - Read Only Desktop

[Guest Kristin Griffin]

Hi Folks,

 

I have a terminal server farm (windows 2008) and I am using one mandatory

profile for all users. This works fine, except that users can save things

to their desktops and then when they log off, those files are discarded.

Not good. So I want to create a read only desktop.

 

I can do this if I redirect the Desktop folder to a network share, allow the

Folder Redirection GPO "create a folder for each user under the root path",

and then change the Desktop folder permissions to Read only after the user

logs in and out the first time. It works, but this is a PITA.

 

I read in Jeremy Moskowitz's GP green book (page 385) that I should be able

to create one desktop folder, and have everyone use the same one. This does

not work. Here is what I do.

 

I create a folder share, \\ozark\ash-ts-read-only-desktop and give users

NTFS read only access to the folder. I give one user full control, so he

can log in and out and the desktop stuff will be written to this folder. I

set the GPO to redirect the desktop folder, but this time I tell it to

"Redirect to the following location", \\ozark\ash-ts-read-only-desktop .

Then I log in and out of the terminal server as that user. This puts the

right desktop stuff into my desktop network share. The problem is that this

user needs to be the owner of that network share folder in order for that to

happen. When I remove that user's permissions so that all users again have

read only rights, and change the owner of the folder to administrators,

folder redirection fails.

 

So how can you have all users use ONE read only desktop? Anyone know?

[Guest compsosinc@gmail.com]

Re: Mandatory Profiles - Read Only Desktop

 

On Mar 22, 7:59 pm, "Kristin Griffin" <kristin.l.grif...@gmail.com>

wrote:

> Hi Folks,

>

> I have a terminal server farm (windows 2008) and I am using one mandatory

> profile for all users.  This works fine, except that users can save things

> to their desktops and then when they log off, those files are discarded.

> Not good.  So I want to create a read only desktop.

>

> I can do this if I redirect the Desktop folder to a network share, allow the

> Folder Redirection GPO "create a folder for each user under the root path",

> and then change the Desktop folder permissions to Read only after the user

> logs in and out the first time.  It works, but this is a PITA.

>

> I read in Jeremy Moskowitz's GP green book (page 385) that I should be able

> to create one desktop folder, and have everyone use the same one. This does

> not work.  Here is what I do.

>

> I create a folder share, \\ozark\ash-ts-read-only-desktop and give users

> NTFS read only access to the folder.  I give one user full control, so he

> can log in and out and the desktop stuff will be written to this folder. I

> set the GPO to redirect the desktop folder, but this time I tell it to

> "Redirect to the following location", \\ozark\ash-ts-read-only-desktop .

> Then I log in and out of the terminal server as that user.  This puts the

> right desktop stuff into my desktop network share. The problem is that this

> user needs to be the owner of that network share folder in order for that to

> happen.  When I remove that user's permissions so that all users again have

> read only rights, and change the owner of the folder to administrators,

> folder redirection fails.

>

> So how can you have all users use ONE read only desktop?  Anyone know?

 

Have you figured ths out yet? I

[Guest Kristin L. Griffin]

Re: Mandatory Profiles - Read Only Desktop

 

Got it. :)

 

"compsosinc@gmail.com" wrote:

> On Mar 22, 7:59 pm, "Kristin Griffin" <kristin.l.grif...@gmail.com>

> wrote:

> > Hi Folks,

> >

> > I have a terminal server farm (windows 2008) and I am using one mandatory

> > profile for all users. This works fine, except that users can save things

> > to their desktops and then when they log off, those files are discarded.

> > Not good. So I want to create a read only desktop.

> >

> > I can do this if I redirect the Desktop folder to a network share, allow the

> > Folder Redirection GPO "create a folder for each user under the root path",

> > and then change the Desktop folder permissions to Read only after the user

> > logs in and out the first time. It works, but this is a PITA.

> >

> > I read in Jeremy Moskowitz's GP green book (page 385) that I should be able

> > to create one desktop folder, and have everyone use the same one. This does

> > not work. Here is what I do.

> >

> > I create a folder share, \\ozark\ash-ts-read-only-desktop and give users

> > NTFS read only access to the folder. I give one user full control, so he

> > can log in and out and the desktop stuff will be written to this folder. I

> > set the GPO to redirect the desktop folder, but this time I tell it to

> > "Redirect to the following location", \\ozark\ash-ts-read-only-desktop .

> > Then I log in and out of the terminal server as that user. This puts the

> > right desktop stuff into my desktop network share. The problem is that this

> > user needs to be the owner of that network share folder in order for that to

> > happen. When I remove that user's permissions so that all users again have

> > read only rights, and change the owner of the folder to administrators,

> > folder redirection fails.

> >

> > So how can you have all users use ONE read only desktop? Anyone know?

>

> Have you figured ths out yet? I

>