A lot of people like to save their documents directly on the desktop. This can lead to undesirable situations. If redirected folders aren’t used and a person logs on to another PC, the documents they saved on the desktop are gone. When redirected folders are used, it can affect logon times and cause unwanted and uncontrolled growth of data (e.g. which copy is the most recent and valid one? An ISO 9001 issue!). Saving files on a desktop in a server based computing environment isn’t desirable either!
So the idea is to restrict people from writing documents to the desktop, except for shortcuts and URLs. Easier said than done! I’ve found the following solution to work well. It uses folder redirection of the desktop to a file server; on that folder we then set a file screen for all files except *.lnk and *.url, so that any attempt to save another type of file fails with an access denied error.
Folder redirection can be configured using a group policy object in AD, or within a solution like RES Workspace Manager which is widely used in server based computing environments.
Step 1. Create share on file server
In order to enable folder redirection, a share on a file server is needed. The share itself gets Everyone – Full Control permissions; the actual file permissions are set at NTFS level. The important one to set is Creator Owner – Full Control!
Normally when folder redirection is used, not just the desktop is redirected but also the documents folder etc. This normally leads to a folder structure like:
This structure makes it quite difficult to restrict file creation on just the desktop folders. So it’s easier to redirect the desktops to a separate share, something like this:
\\fileserver\desktops leading to
By putting the file screen on \\fileserver\desktops, all subfolders are automatically screened as well.
Step 2. Configure the file screening
On the file server, make sure the role “File Server Resource Manager” is installed. This role has been available in Windows Server since version 2003 R2.
Open the File Server Resource Manager console and expand File Screening Management:
Right click on File Screens and choose “Create File Screen”.
Select the physical path you want to put the file screen on:
Next, a custom file screen must be created. Select “Define custom file screen properties” and click the “Custom Properties” button.
There are two options for file screening: active and passive. To actually block files from being written, active screening is used.
We are going to define our own file group instead of using one of the predefined ones. Click on the “Create” button.
Give the new file group a name and enter *.* for “Files to include”. This blocks ANY file from being written to the file location. For desktops we want to allow shortcuts (*.lnk) and Internet URLs (*.url), so we add those extensions to “Files to exclude”.
Once finished, click “OK”.
Now make sure that the newly created file group is selected and click “OK” again.
Once the new file screen has been saved, it is active. No files can be saved anymore except for shortcuts and URLs!
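The same two steps scripted in PowerShell, as an added example that is not part of the original post: it creates the share with Everyone – Full Control, grants Creator Owner Full Control at NTFS level, builds the *.* file group with *.lnk and *.url excluded, puts an active file screen on the share root, and then writes a few test files in a subfolder to confirm that the screen is enforced below the root too. The local path D:\Desktops, the share name Desktops, the file group name and the test file names are assumed placeholders; the FSRM cmdlets require the File Server Resource Manager role on Windows Server 2012 or later (the console steps above also apply to 2003 R2, which has no such cmdlets).

```powershell
# Added example, not from the original post. Run elevated on the file server.
# Assumed placeholders: $Root (local path behind the share) and $ShareName.
#Requires -RunAsAdministrator
Import-Module SmbShare
Import-Module FileServerResourceManager   # installed with the FSRM role (2012+)

$Root      = 'D:\Desktops'                # assumed local path
$ShareName = 'Desktops'                   # assumed share name -> \\fileserver\Desktops
$GroupName = 'Desktop - shortcuts only'   # assumed file group name

# --- Step 1: share with Everyone - Full Control; restrictions live on NTFS ---
if (-not (Test-Path $Root)) { New-Item -Path $Root -ItemType Directory | Out-Null }
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Root -FullAccess 'Everyone' | Out-Null
}
# NTFS: CREATOR OWNER (well-known SID S-1-3-0) gets Full Control on whatever
# is created underneath. (OI)(CI)(IO) = inherit to files and folders, inherit-only,
# so each user ends up with full control of their own redirected desktop folder.
icacls $Root /grant '*S-1-3-0:(OI)(CI)(IO)F' | Out-Null

# --- Step 2: file group "*.*" minus *.lnk/*.url, active screen on the root ---
if (-not (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $GroupName `
        -IncludePattern '*.*' `
        -ExcludePattern '*.lnk', '*.url' | Out-Null
}
if (-not (Get-FsrmFileScreen -Path $Root -ErrorAction SilentlyContinue)) {
    # -Active blocks the write (active screening); leave it out for passive screening
    New-FsrmFileScreen -Path $Root -IncludeGroup $GroupName -Active | Out-Null
}

# --- Check: screens are inherited by subfolders, so test inside one ---
function Test-DesktopScreen {
    param([string]$Folder)
    New-Item -Path $Folder -ItemType Directory -Force | Out-Null
    $results = [ordered]@{}
    foreach ($name in 'shortcut.lnk', 'link.url', 'notes.docx') {   # constructed test names
        try {
            Set-Content -Path (Join-Path $Folder $name) -Value 'test' -ErrorAction Stop
            $results[$name] = 'allowed'
        } catch {
            # FSRM rejects the create with access denied; record the exception type
            $results[$name] = "blocked ($($_.Exception.GetType().Name))"
        }
    }
    return $results
}

$testFolder = Join-Path $Root 'screen-test'
Test-DesktopScreen -Folder $testFolder | Format-Table -AutoSize
Remove-Item -Path $testFolder -Recurse -Force
```

The check deliberately writes into a subfolder rather than the share root, since that is where redirected user desktops will live; per the behaviour described above, the .lnk and .url writes go through and the .docx write is refused with access denied. The ACL line only adds the Creator Owner entry the post calls out; any further NTFS entries needed by your folder redirection setup are left to the existing standard for the share.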