Deny Domain User Save Files on Desktop and Drive C Using Group Policy

Bulitha Kawushika de Zoysa
7 min read · May 22, 2024

Introduction

In this demonstration, I will attempt to remove all items from the desktop and deny access to the C drive, as well as prevent saving files to the desktop for the student user group using Windows Active Directory policy. In some organizational scenarios, we can install all necessary and important software programs and the operating system on the C drive partition, then prohibit access to this C drive for users. This will add an extra security layer for the organization. We can add another separate disk partition to store user data and additional programs. This restriction enhances data security and prevents potential issues arising from unauthorized file placement on critical system drives. The policy involves configuring Group Policy settings to restrict domain users from saving files on the Desktop and the C drive in a Windows Server environment. This security measure aims to enhance data protection, reduce the risk of unauthorized access or modification, and enforce best practices for file management.

Feature Details

Functionality

  • This policy hides and disables all items on the desktop for users within the specified scope.
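  • This policy hides specific drives in the My Computer (or This PC) window, so users do not see those drives when browsing or choosing where to save files. Hiding alone does not block access through the address bar, which is why a file system permission is added later in the implementation.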

Importance

  • By implementing this policy, you restrict users from saving files directly on the desktop. This can be crucial for maintaining a clean and organized desktop environment, reducing the risk of accidental file deletion, and preventing unauthorized access to sensitive files.
  • It is useful for securing sensitive or critical drives (such as Drive C) and preventing users from saving files on them. This can help protect system files and configurations from accidental modifications by non-administrative users.
  • Important software programs and the operating system can be stored on the C drive partition, and we can prohibit users from accessing this C drive. This adds an extra security layer for the organization. We can add another, separate disk partition to store users’ data and additional programs.
  • We are ensuring that users cannot save files directly to the desktop, and they are restricted from accessing or saving files on specified drives (such as Drive C). This can be particularly important in environments where strict access control and data security are paramount.

Potential Benefits

  • Improved desktop aesthetics, reduced clutter, enhanced security, and decreased chances of accidental file misplacement or deletion.
  • Enhanced security, reduced risk of unauthorized access or modifications to critical system drives, and better control over user access to specific storage resources.

Implementation Process

  • First, open the Server Manager, and then open the Group Policy Management Console (GPMC) by navigating to Tools > Group Policy Management.
  • Create a new group policy object.
  • Right-click and select “New” to create a new policy. In this case, create a new Group Policy Object called “Deny Domain User Save Files on Desktop and Drive C Policy”.
[Figure: Create Group Policy]
  • Then, right-click the new Group Policy Object and select Edit.
[Figure: Edit Policy]
  • In this demonstration, I use three policies to accomplish this task. The first policy is “Hide and disable all items on the desktop.” Navigate to User Configuration > Policies > Administrative Templates > Desktop, and find this policy. After that, right-click on it and select Edit.
[Figure: Add Disable and Hide items on Desktop Policy]
  • Then enable the policy and click the Apply button.
[Figure: Enable Policy]
  • Then we add a second policy to it. Navigate to User Configuration > Policies > Administrative Templates > Windows Components > File Explorer, and then find “Hide these specified drives in My Computer.” Right-click and select Edit.
[Figure: Edit Policy]
  • Then enable this policy and select Restrict C drive only.
[Figure: Restrict C Drive]
  • Users can still access the C drive through the address bar. We should also restrict this. To do so, we add another policy. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > File System. Then right-click and select Add File.
[Figure: Add File]
  • Then add Local Disk C.
[Figure: Add C Drive]
  • First, add the Student group. In this demonstration, we will prohibit access to the C drive for the Student group. Additionally, we will remove all permissions for the Student group. In this demonstration scenario, student users are the typical users in our organization. However, staff users in the IT department can still access the C drive with administrative credentials. This allows them to access any PC’s C drive if necessary, for tasks such as troubleshooting system or driver issues.
[Figure: Student Group Permission]
  • Then click Apply and OK. A notification will then pop up. Click OK on the notification.
[Figure: Add object]
  • Then we can see %SystemDrive%\ is added.
[Figure: System Drive Added]
  • Now, let’s link this policy to the Student OU. Right-click on the Student OU and select Link an Existing GPO.
[Figure: Add Policy to Student Group]
  • Then select “Deny Domain User Save Files on Desktop and Drive C Policy” to link it to the Student OU.
[Figure: Select Policy]
  • Then go back to the client PC (signed in as a student user) and run the command “gpupdate /force”.
[Figure: Update Group Policies]
  • Now we can see all icons on the desktop are hidden, and when we open This PC, we cannot see the C drive partition there.
[Figure: All Desktop Icon Removed]
[Figure: C Drive is hidden]
  • When we try to access the C drive through the address bar, this message box pops up. So we confirmed that student users cannot even use the address bar to access the C drive.
[Figure: C drive cannot access]
[Figure: C drive is not Accessible]
  • Then our configuration is complete and successful. Now student users cannot access the C drive, and they cannot store files on the desktop. Also, they cannot use the address bar to access a hidden drive.
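
The two Administrative Template settings and the OU link from the steps above can also be created with the GroupPolicy PowerShell module, which shows the registry values those policies write. This is an added example, not part of the original article: the OU distinguished name is a placeholder and Get-NoDrivesMask is a hypothetical helper. The File System permission entry is a security-template setting rather than a registry policy, so it is still configured in the editor as described above.

```powershell
# Added example (not from the original article). Run on a domain controller or an
# admin workstation with RSAT installed, as a user allowed to create and link GPOs.
Import-Module GroupPolicy

$GpoName  = 'Deny Domain User Save Files on Desktop and Drive C Policy'
$TargetOu = 'OU=Student,DC=example,DC=com'   # assumption: placeholder DN of the Student OU
$Explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Hypothetical helper: builds the NoDrives bitmask from drive letters.
# Bit 0 = A:, bit 1 = B:, bit 2 = C:, ... bit 25 = Z:
function Get-NoDrivesMask {
    param([Parameter(Mandatory)][char[]]$DriveLetter)
    $mask = 0
    foreach ($letter in $DriveLetter) {
        $index = [int][char]::ToUpper($letter) - 65
        if ($index -lt 0 -or $index -gt 25) { throw "Not a drive letter: $letter" }
        $mask = $mask -bor (1 -shl $index)
    }
    $mask
}

# Create the GPO with the same name used in the article.
New-GPO -Name $GpoName -Comment 'Hide desktop items and drive C for students' | Out-Null

# "Hide and disable all items on the desktop" -> NoDesktop = 1 (user policy)
Set-GPRegistryValue -Name $GpoName -Key $Explorer -ValueName 'NoDesktop' `
    -Type DWord -Value 1 | Out-Null

# "Hide these specified drives in My Computer" with "Restrict C drive only"
# -> NoDrives = 4 (only bit 2 set)
Set-GPRegistryValue -Name $GpoName -Key $Explorer -ValueName 'NoDrives' `
    -Type DWord -Value (Get-NoDrivesMask -DriveLetter 'C') | Out-Null

# Link the GPO to the Student OU so it applies to user accounts in that OU.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null

# Read the settings back from the GPO to confirm what was written.
Get-GPRegistryValue -Name $GpoName -Key $Explorer |
    Select-Object ValueName, Type, Value
```

On the client, after “gpupdate /force”, running “gpresult /r” as the student user should list the GPO among the applied Group Policy Objects.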

Lab Observation

  • When we apply this policy to a user, it hides all items already on the desktop. Because of that, we should warn users before applying this policy. After we added this policy, the existing files were hidden, so users could not access them. If we remove this policy, we can again access the files that were previously available on the desktop.
  • The implementation process was straightforward, thanks to the intuitive interface of Group Policy Management Console.
  • Users were restricted from saving files on the desktop, and their desktop folders were successfully redirected to the network location. We can use the redirection policy to manage user files accurately. As an example, we can redirect users’ files to a file server on the local network or to cloud storage.
  • If we use redirection policy, some users may experience a brief delay during the first logon as the desktop folder is redirected, but subsequent logons are faster.
  • The startup time on a PC is slightly reduced after enabling this policy. If users store large files on the C drive and desktop, the startup process can sometimes take a long time, especially on PCs that have a small memory capacity and do not have SSDs.

Conclusion

The implemented features of denying users the ability to save files on the desktop and redirecting their desktop folders contribute significantly to the overall security posture of a Windows Server environment. These measures enforce data security policies, reduce the risk of data loss, and facilitate centralized management. Properly configured Group Policy Objects and Folder Redirection enhance server management by providing a robust framework for implementing and enforcing security policies.

In my upcoming article, I intend to go over yet another crucial Windows Server feature.

Bulitha Kawushika de Zoysa

Undergraduate | B.Sc. (Hons) in Computer Science University of Kelaniya | Cyber Security specialization