I am using Group Policies and have been able to block our users from saving to the hard drive, we use a desktop management program called CybraryN that sits on top of Windows, between the GP and this program I have been able to control most issues. Our goal is for the user to use a Flash Drive and save their work to that. We are finding more files on the desktop and they are not being cleared when the computer reboots. I would like to be able to block our public users from saving to the desktop if possible through Group Policy but if you have another way I would be intrested. thanks GayrGary Krajacic Fayetteville Free Library

We are doing this exact type of lockdown in our citrix environment. I have a batch file running in our GPO logon script, which in turn calls a powershell file. I wrote this when I first started out with powershell so it's not as clean as I'd like. Also, it requires subinacl.exe in the system32 folder. I don't recall why I have the folder permission set to system and then back again to the user for Server 2008 systems, I really need to comment my scripts more. $OSinfo = Gwmi Win32_OperatingSystem $OSinfo = $OSinfo.caption $server2008 = $false If($OSinfo -eq "Microsoft Windows Server 2008 R2 Standard ") {$server2008 = $true} $Domain = "<your domain>" $Folder = "$env:userprofile\Desktop" If($server2008) {cmd /c "subinacl.exe /file $Folder /setowner=System"} If((Test-Path $Folder) -eq 0) {New-Item -type directory -path $Folder} $Acl = Get-Acl $Folder $Ar = New-Object system.security.accesscontrol.filesystemaccessrule("$Domain\$env:username","Write","Deny") $Acl.SetAccessRule($Ar) $Acl | Set-Acl $Folder If($server2008) {cmd /c "subinacl.exe /file $Folder /setowner=$Domain\%username%"}

any updates?Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.