Skip to main content

Can you use a file screen to prevent files from being redirected?

Yes you can. The scenario here is we have set up our clients, through Group Policy, to redirect the desktop to a server. I have also set up a files screen on the shared folder that will host the data. This file screen is configured to block .TXT files. When the user tries to create a .TXT file on their desktop, they are prevented from doing so. Below is the setup procedure to do this.

Step 1: configure the folder to hold the user data.

I created a folder on my server

Next I shared it by right clicking the folder and selecting Properties.

 

image

Click Advanced Sharing.

Click Permissions.

Click Add

In the Enter the object names to select box, type Authenticated Users and click Check Names.

Click OK

image

Click Authenticated Users

Check Full Control.

Click OK

Click OK

Click Close

The folder is not set up for your users to have their desktops redirected to this location.

 

Step 2

We now need to create the Group Policy that will redirect the users desktop to this location.

On your Domain Controller, click Start / Administrator Tools / Group Policy Management

Expand the tree until you expand Group Policy Objects.

Right click Group Policy Objects and click New.

image

Give the GPO a name.  In this example, we will call it DesktopRedirection.  Click OK

Under Group Policy Objects, right click DesktopRedirection and then click Edit.

Expand User Configuration / Windows Settings / Folder Redirection.

Right click Desktop and select Properties.

In the Settings drop down box, select Basic – Redirect everyone’s folder to the same location.

In Target folder location select Create a folder for each user under the root path.

IN Root Path, enter the UNC path to the folder we created earlier.  In this example, it is \\MCT-1\Desktop.

image

Click the Settings tab.

By default, Grant the user exclusive rights to Desktop.  For this example, I unchecked it.

Click OK

image

Close Group Policy Management Editor

In the Group Policy Management window, drag and drop the GPO onto the Organizational Unit that holds your user accounts.  Remember, you cannot link a GPO to the default users container.

This policy is now being applied to your users.

 

Step 3 Install FSRM

On the server that holders the Desktop folder, clickStart \ Administrator Tools \ Server Manager

You need to add the File Server Resource Manager Role service to this server.  If File Services are not installed, click Add Roles and add the File Services role to this computer.

In Server Manager click Roles.

Scroll down until you get to the Role Services section and click Add Role Services

image

Check File Server Resource Manager and then click Next.

Select the drive that you have the Desktop folder on.

Click Next

Click install.

Close the window when completed.

 

Step 4 Set up the file screen

Click Start / Administrator Tools / File Server Resource Manager

Expand File Screen Management

Right click File Screens and select Create File Screen.

In the File screen path, choose the Desktop folder that you created.

In Derive properties from this file screen template (recommended), choose the file screen you want to use.  For our example, we are using a custom file screen.  This screen blocks .TXT files.

image

We are now ready to test the screen

Log into your client as a user who has the Group Policy applied to them.

Attempted to create a .TXT file.  You should receive an error like the one below:

image

If not, make sure your group policies have replicated and this client has downloaded the policy.

Comments

Popular posts from this blog

How to list all the AD LDS instances on a server

AD LDS allows you to provide directory services to applications that are free of the confines of Active Directory.  To list all the AD LDS instances on a server, follow this procedure: Log into the server in question Open a command prompt. Type dsdbutil and press Enter Type List Instances and press Enter . You will receive a list of the instance name, both the LDAP and SSL port numbers, the location of the database, and its status.

How to run GPResult on a remote client with PowerShell

In the past, to run the GPResult command, you would need to either physically visit this client, have the user do it, or use and RDP connection.  In all cases, this will disrupt the user.  First, you need PowerShell remoting enabled on the target machine.  You can do this via Group Policy . Open PowerShell and type this command. Invoke-Command –ScriptBlock {GPResult /r} –ComputerName <ComputerName> Replace <ComputerName> with the name of the target.  Remember, the target needs to be online and accessible to you.

Error icon when creating a GPO Preference drive map

You may not have an error at all.  Take a look at the drive mapping below. The red triangle is what threw us off.  It is not an error.  It is simply a color representation of the Replace option of the Action field in the properties of the drive mappings. Create action This give you a green triangle. The Create action creates a new mapped drive for users. Replace Action The Replace action gives you a red triangle.  This action will delete and recreate mapped drives for users. The net result of the Replace action is to overwrite all existing settings associated with the mapped drive. If the drive mapping does not exist, then the Replace action creates a new drive mapping. Update Action The Update action will have a yellow triangle. Update will modify settings of an existing mapped drive for users. This action differs from Replace in that it only updates settings defined within the preference item. All other settings remain as configured on the ma...