While Group Policy can easily hide entire drives, restricting write access to specific user folders like Desktop, Documents, Pictures etc. requires more granular control. These special folders have unique permission structures that often bypass standard drive restrictions.
Here's the step-by-step approach to implement this restriction:
1. Open Group Policy Management Console (gpmc.msc)
2. Create or edit a GPO that applies to the target users
3. Navigate to: User Configuration → Policies → Windows Settings → Folder Redirection
4. For each folder (Desktop, Documents, etc.):
   a. Right-click and select Properties
   b. Set to "Basic - Redirect everyone's folder to the same location"
   c. Enter a network path (e.g. \\server\restricted_storage\%username%)
   d. Under the Settings tab, set "Grant the user exclusive rights" = Disabled
   e. Set "Move the contents..." = Disabled
For maximum restriction, combine with these NTFS permissions on the original folders:
```bat
:: /inheritance:d copies the inherited ACEs as explicit ones before disabling inheritance,
:: so the user keeps read access to existing files (/inheritance:r would strip all allows).
:: The deny ACE is applied to the folder itself as well as children (no (IO) inherit-only flag)
:: and includes WD/AD, without which creating files and subfolders would still be allowed.
icacls "%USERPROFILE%\Desktop" /inheritance:d /deny "Everyone":(OI)(CI)(DE,DC,WDAC,WO,WEA,WA,WD,AD)
icacls "%USERPROFILE%\Documents" /inheritance:d /deny "Everyone":(OI)(CI)(DE,DC,WDAC,WO,WEA,WA,WD,AD)
```
For environments where folder redirection isn't feasible, modify these registry keys:
```reg
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000001
"DisablePersonalDirChange"=dword:00000001
```
After implementation, verify using:
```bat
gpresult /r /scope:user
icacls "%USERPROFILE%\Desktop"
```
Note that Windows XP may require additional legacy client-side extensions for full GPO support.
While many administrators successfully restrict drive access through Group Policy, the special shell folders in user profiles often remain open to users as a place to store files. These include:
- Desktop
- Documents (My Documents)
- Music
- Videos
- Pictures
- Downloads
These folders have unique characteristics in Windows:
- They're virtual folders mapped under each user's profile path (e.g., C:\Users\Username\)
- They maintain special CLSIDs in the Windows registry
- They often bypass traditional drive restriction policies
We'll implement a multi-layered approach:
1. Filesystem Permissions via GPO
Create a Group Policy Object with these settings:
Computer Configuration → Policies → Windows Settings → Security Settings → File System
Add each profile folder path with these NTFS permissions:
Principal: Authenticated Users
Type: Deny
Permissions: Modify, Write, Create files, Create folders
Apply to: This folder, subfolders and files
2. Registry Redirection (XP/Vista Compatibility)
For legacy systems, modify these registry keys:
```reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"=-
"My Music"=-
"My Pictures"=-
"My Video"=-
"Personal"=-
```
Deploy via Group Policy Preferences with the "Delete" action.
3. Folder Redirection Policy
Force redirection to read-only network locations:
User Configuration → Policies → Windows Settings → Folder Redirection
Set Documents to: \\fileserver\readonly\%username%\Documents
4. PowerShell Deployment Script
For granular control, deploy this script at logon:
```powershell
# Folder names must be members of the System.Environment+SpecialFolder enum;
# "Documents", "Music", "Pictures" and "Videos" are not valid members and
# GetFolderPath would fail to convert them.
$folders = @("Desktop", "MyDocuments", "MyMusic", "MyPictures", "MyVideos")
foreach ($folder in $folders) {
    $path = [Environment]::GetFolderPath($folder)
    if (Test-Path -Path $path) {
        $acl = Get-Acl -Path $path
        # Deny Modify/Write/CreateFiles to Authenticated Users, inherited by
        # subfolders (ContainerInherit) and files (ObjectInherit)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "Authenticated Users",
            "Modify, Write, CreateFiles",
            "ContainerInherit, ObjectInherit",
            "None",
            "Deny")
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
    }
}
```
After implementation, test these scenarios:
- Attempt to create new files in restricted folders
- Verify existing files remain readable but not modifiable
- Check Event Viewer for access denied events (ID 465)
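The three test scenarios above can be automated. The following script is an added example, not part of the original answer; it assumes the Deny ACE was applied for Authenticated Users as in the logon script in step 4, and the probe file name it writes is constructed for the test:

```powershell
# Verifies, per known folder: the Deny ACE is present, a write attempt fails,
# and the folder can still be listed (existing files remain readable).
$folders = @{
    Desktop   = [Environment]::GetFolderPath('Desktop')
    Documents = [Environment]::GetFolderPath('MyDocuments')
    Music     = [Environment]::GetFolderPath('MyMusic')
    Pictures  = [Environment]::GetFolderPath('MyPictures')
    Videos    = [Environment]::GetFolderPath('MyVideos')
}

$results = foreach ($name in $folders.Keys) {
    $path = $folders[$name]
    if (-not (Test-Path -Path $path)) { continue }

    # 1. ACL check: a Deny ACE for Authenticated Users whose rights include CreateFiles
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $acl = Get-Acl -Path $path
    $denyAce = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -like '*Authenticated Users' -and
        (([int]$_.FileSystemRights -band $createFiles) -ne 0)
    }

    # 2. Behavioural check: try to create a file (constructed probe name; removed if it succeeds)
    $probe = Join-Path -Path $path -ChildPath ('acl-probe-{0}.tmp' -f [guid]::NewGuid())
    $writeBlocked = $false
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
    } catch {
        $writeBlocked = $true   # access denied (or any other failure) counts as blocked
    }

    # 3. Read check: listing the folder must still work for the user
    $readable = $true
    try { Get-ChildItem -Path $path -Force -ErrorAction Stop | Out-Null }
    catch { $readable = $false }

    [pscustomobject]@{
        Folder         = $name
        DenyAcePresent = [bool]$denyAce
        WriteBlocked   = $writeBlocked
        StillReadable  = $readable
        Compliant      = ([bool]$denyAce -and $writeBlocked -and $readable)
    }
}

$results | Format-Table -AutoSize
# Non-zero exit code lets a deployment tool flag machines that are not compliant
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it in the restricted user's own session, since the checks are about what that user can do, not what an administrator can do.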
For kiosk or terminal server environments, combine with these policies:
User Configuration → Administrative Templates → Windows Components → File Explorer
"Prevent access to drives from My Computer" → Enabled
"Hide these specified drives in My Computer" → Enabled (All Drives)