Skip to main content

Can you use a file screen to prevent files from being redirected?

Yes you can. The scenario here is we have set up our clients, through Group Policy, to redirect the desktop to a server. I have also set up a files screen on the shared folder that will host the data. This file screen is configured to block .TXT files. When the user tries to create a .TXT file on their desktop, they are prevented from doing so. Below is the setup procedure to do this.

Step 1: configure the folder to hold the user data.

I created a folder on my server

Next I shared it by right clicking the folder and selecting Properties.

 

image

Click Advanced Sharing.

Click Permissions.

Click Add

In the Enter the object names to select box, type Authenticated Users and click Check Names.

Click OK

image

Click Authenticated Users

Check Full Control.

Click OK

Click OK

Click Close

The folder is not set up for your users to have their desktops redirected to this location.

 

Step 2

We now need to create the Group Policy that will redirect the users desktop to this location.

On your Domain Controller, click Start / Administrator Tools / Group Policy Management

Expand the tree until you expand Group Policy Objects.

Right click Group Policy Objects and click New.

image

Give the GPO a name.  In this example, we will call it DesktopRedirection.  Click OK

Under Group Policy Objects, right click DesktopRedirection and then click Edit.

Expand User Configuration / Windows Settings / Folder Redirection.

Right click Desktop and select Properties.

In the Settings drop down box, select Basic – Redirect everyone’s folder to the same location.

In Target folder location select Create a folder for each user under the root path.

IN Root Path, enter the UNC path to the folder we created earlier.  In this example, it is \\MCT-1\Desktop.

image

Click the Settings tab.

By default, Grant the user exclusive rights to Desktop.  For this example, I unchecked it.

Click OK

image

Close Group Policy Management Editor

In the Group Policy Management window, drag and drop the GPO onto the Organizational Unit that holds your user accounts.  Remember, you cannot link a GPO to the default users container.

This policy is now being applied to your users.

 

Step 3 Install FSRM

On the server that holders the Desktop folder, clickStart \ Administrator Tools \ Server Manager

You need to add the File Server Resource Manager Role service to this server.  If File Services are not installed, click Add Roles and add the File Services role to this computer.

In Server Manager click Roles.

Scroll down until you get to the Role Services section and click Add Role Services

image

Check File Server Resource Manager and then click Next.

Select the drive that you have the Desktop folder on.

Click Next

Click install.

Close the window when completed.

 

Step 4 Set up the file screen

Click Start / Administrator Tools / File Server Resource Manager

Expand File Screen Management

Right click File Screens and select Create File Screen.

In the File screen path, choose the Desktop folder that you created.

In Derive properties from this file screen template (recommended), choose the file screen you want to use.  For our example, we are using a custom file screen.  This screen blocks .TXT files.

image

We are now ready to test the screen

Log into your client as a user who has the Group Policy applied to them.

Attempted to create a .TXT file.  You should receive an error like the one below:

image

If not, make sure your group policies have replicated and this client has downloaded the policy.

Comments

Popular posts from this blog

How to list all the AD LDS instances on a server

AD LDS allows you to provide directory services to applications that are free of the confines of Active Directory.  To list all the AD LDS instances on a server, follow this procedure: Log into the server in question Open a command prompt. Type dsdbutil and press Enter Type List Instances and press Enter . You will receive a list of the instance name, both the LDAP and SSL port numbers, the location of the database, and its status.

How to run GPResult on a remote client with PowerShell

In the past, to run the GPResult command, you would need to either physically visit this client, have the user do it, or use and RDP connection.  In all cases, this will disrupt the user.  First, you need PowerShell remoting enabled on the target machine.  You can do this via Group Policy . Open PowerShell and type this command. Invoke-Command –ScriptBlock {GPResult /r} –ComputerName <ComputerName> Replace <ComputerName> with the name of the target.  Remember, the target needs to be online and accessible to you.

Where did a User’s Account Get Locked Out?

Updated: May 15, 2015 When this article was originally published, two extra carriage returns were add causing the code to malfunction.  The code below is correct.   My client for this week’s PowerShell class had a really interesting question. They needed to know where an account is being locked out at. OK, interesting. Apparently users hop around clients and forget to log off, leading to eventual lock out of their accounts. The accounts can be unlocked, but are then relocked after Active Directory replication. This problem is solved in two parts. The first one is to modify the event auditing on the network. The second part is resolved with PowerShell. The first part involves creating a group policy that will encompass your Domain Controllers. In this GPO, make these changes. Expand Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Advanced Audit Policy Configuration \ Audit Policies \ Account Management Double click User Account Management C...