I have two Windows 2012 R2 Domain Controllers and will be implementing 7 Windows 2008 R2 remote desktop servers once their setup and testing is complete (I have one built now that is my test server). I've set up a group policy that redirects the users' My Documents, Music, Pictures, Videos, and Downloads folders to a file server I've built running Windows 2012. The problem I'm having is removing access to the Public Libraries - C:\users\public\documents, music, downloads, etc. - as I don't want anybody to have the ability to save to the local machine. With my test user I know that I can right-click My Documents, select the public folder, then click remove for each of the five public folders I don't want them to have access to, but I'm looking for a better solution as I don't want to have to remove all 5 folders for all 150+ users manually.
I've looked through the GPOs and searched Google and Server Fault and this doesn't appear to be anything that I can do via group policy. I've started looking into logon scripts but I'm not sure where to begin and I've seen some complaints that the logon scripts simply hide the folders from the navigation panel while leaving them as a usable save location.
This article describes the OneDrive Group Policy objects (GPOs) that administrators can configure by using Group Policy or by using administrative templates in Microsoft Intune. You can use the registry key information in this article to confirm that a setting is enabled.
Install the OneDrive sync app for Windows. (For information on the builds that are being released, and on the download builds, see release notes.) Installing the sync app downloads the .adml and .admx files.
Paste the .admx file in your domain's Central Store, \\domain\sysvol\domain\Policies\PolicyDefinitions (where domain is your domain name, such as corp.contoso.com), and the .adml file in the appropriate language subfolder, such as en-us. If the PolicyDefinitions folder doesn't exist, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows, or use your local policy store under %windir%\policydefinitions.
Use security filtering to narrow the scope of a setting. By default, a setting is applied to all user and computer objects within the container to which it's linked, but you can use security filtering to narrow the scope of the policy's application to a subset of users or computers. For more information, see Filtering the scope of a GPO.
When you enable or disable a setting, the corresponding registry key is updated on computers in your domain. If you later change the setting back to Not configured, the corresponding registry key isn't modified, and the change doesn't take effect. After you configure a setting, set it to Enabled or Disabled, going forward.
(SharePointOnPremFrontDoorUrl) Specify SharePoint Server URL and organization name. This setting is for customers who have SharePoint Server 2019. For information about using the new OneDrive sync app with SharePoint Server 2019, see Configure syncing with the new OneDrive sync app.
(SharePointOnPremPrioritization) Specify the OneDrive location in a hybrid environment. This setting is for customers who have SharePoint Server 2019. For information about using the new OneDrive sync app with SharePoint Server 2019, see Configure syncing with the new OneDrive sync app.
This setting lets the OneDrive sync app remove all inherited permissions within read-only folders syncing on a user's PC. This removal of inherited permissions improves the performance of the sync app when syncing folders that the user has read-only permission to.
This setting lets you convert synced SharePoint files to online-only files when you enable OneDrive Files On-Demand. If you have many PCs syncing the same team site, enabling this setting helps you minimize network traffic and local storage usage.
If you enable this setting, files in currently syncing team sites are changed to online-only files, by default. Files later added or updated in the team site are also downloaded as online-only files. To use this setting, the computer must be running Windows 10 Fall Creators Update (version 1709) or later, and you must enable OneDrive Files On-Demand. This feature isn't enabled for on-premises SharePoint sites.
This setting lets the OneDrive sync app (OneDrive.exe) upload data in the background only when unused bandwidth is available. It prevents the sync app from interfering with other apps that are using the network. This setting is powered by the Windows LEDBAT (Low Extra Delay Background Transport) protocol. When LEDBAT detects increased latency that indicates other TCP connections are consuming bandwidth, the sync app will reduce its own consumption to prevent interference. When network latency decreases again and bandwidth is freed up, the sync app will increase the upload rate and consume the unused bandwidth.
If you enable or disable this setting, and then change it back to Not Configured, the last configuration will remain in effect. We recommend enabling this setting instead of Limit the sync app upload speed to a fixed rate. You shouldn't enable both settings at the same time. This setting will override Limit the sync app upload rate to a percentage of throughput if both are enabled on the same device.
If you enable this setting, the OneDrive sync app will report device and health data to include in administrative sync reports. You must enable this setting on the devices you want to get reports from.
This setting lets you enter keywords to prevent the OneDrive sync app (OneDrive.exe) from uploading certain folders to OneDrive or SharePoint. You can enter complete names, such as "Projects", or use the asterisk (*) as a wildcard character to represent a series of characters.
This setting lets you enter keywords to prevent the OneDrive sync app (OneDrive.exe) from uploading certain files to OneDrive or SharePoint. You can enter complete names, such as "setup.exe", or use the asterisk (*) as a wildcard character to represent a series of characters, such as *.pst. Keywords aren't case-sensitive.
This setting will only block files that match your specification. It won't apply to existing files that are renamed to match the specified keywords. Additionally, new files that are created inside the synced folder and named to match the specified keywords will also not be blocked.
In File Explorer, the files appear with an "Excluded from sync" icon in the Status column. The OneDrive sync app must be restarted after this setting is enabled, for the setting to take effect.
Users can still browse to their OneDrive in a web browser to upload a file that has been excluded from their local OneDrive folder. We recommend that users remove the local file after doing this upload because having a file with the same name in the same folder will result in a sync conflict with the skipped file.
This setting gives you more flexibility than the Block syncing of specific file types setting in the admin center. Also, with this setting, users don't see errors for the excluded files. This setting doesn't support upload of Office files that are being excluded. All other file types are supported.
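The keyword rules described above for excluding files (complete names, the asterisk as a wildcard, no case sensitivity) can be modelled to check a keyword list against sample file names before the policy is rolled out. This is an added example, not Microsoft's code or the sync app's own matcher; the function names, the whole-name anchoring, the comparison against the file name only, and the sample names are assumptions.

```powershell
# Added example. Models the keyword rules as the text describes them; the real
# matching is done inside OneDrive.exe and may differ in edge cases.

function ConvertTo-KeywordRegex {
    param([Parameter(Mandatory)][string]$Keyword)
    # Escape every regex metacharacter, then restore '*' as "any run of characters".
    $body = [regex]::Escape($Keyword) -replace '\\\*', '.*'
    # Assumption: a keyword must match the whole file name, so anchor both ends.
    # Keywords aren't case-sensitive, hence IgnoreCase.
    [regex]::new('^' + $body + '$',
        [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
}

function Test-SyncKeyword {
    param(
        [Parameter(Mandatory)][string[]]$Keyword,
        [Parameter(Mandatory)][string[]]$Path
    )
    $rules = foreach ($k in $Keyword) {
        [pscustomobject]@{ Keyword = $k; Regex = ConvertTo-KeywordRegex $k }
    }
    foreach ($p in $Path) {
        # Assumption: keywords are compared with the file name, not the full path.
        $leaf = [System.IO.Path]::GetFileName($p)
        $hit  = $rules | Where-Object { $_.Regex.IsMatch($leaf) } | Select-Object -First 1
        [pscustomobject]@{
            Path    = $p
            Matches = [bool]$hit
            Keyword = if ($hit) { $hit.Keyword } else { $null }
        }
    }
}

# Constructed sample input: two keywords from the text and made-up file names.
$keywords = 'setup.exe', '*.pst'
$names    = 'setup.exe', 'MySetup.exe', 'Archive\mail.PST', 'notes.pst.txt', 'report.docx'
Test-SyncKeyword -Keyword $keywords -Path $names | Format-Table -AutoSize
```

A match here only says that a name fits a keyword; the cases the text lists as not blocked (files renamed to match, uploads through a web browser) still apply.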
When a user deletes local files from a synced location, a warning message appears that the files will no longer be available across all the devices of the user and on the web. This setting lets you hide the warning message.
If you enable this setting, users won't see the Deleted files are removed everywhere reminder when they delete files locally. (This reminder is called "Deleted files are removed for everyone" when a user deletes files from a synced team site.)
Enable: Enable this setting if you want to suppress the messages from being displayed to your users while still allowing them to manually configure their Consumer accounts to sync with their OneDrive Consumer files.
This setting lets you balance the performance of different upload tasks on a computer by specifying the percentage of the computer's upload throughput that the OneDrive sync app (OneDrive.exe) can use to upload files. Setting this throughput as a percentage lets the sync app respond to both increases and decreases in throughput. The lower the percentage you set, the slower the files get uploaded. We recommend a value of 50% or higher. The sync app periodically uploads without restriction for one minute and then slows down to the upload percentage you set. This pattern lets small files upload quickly while preventing large uploads from dominating the computer's upload throughput. We recommend enabling this setting temporarily when you roll out Silently move Windows known folders to OneDrive, or Prompt users to move Windows known folders to OneDrive to control the network impact of uploading known folder contents.
The maximum throughput value detected by the sync app can sometimes be higher or lower than expected because of the different traffic-throttling mechanisms that your Internet Service Provider (ISP) might use.
For information about estimating the network bandwidth you need for a sync, see Network utilization planning for the OneDrive sync app.
If you enable this setting and enter a percentage (from 10 to 99) in the Bandwidth box, computers use the percentage of upload throughput that you specify when uploading files to OneDrive, and users can't change it.
If you disable or don't configure this setting, users can choose to limit the upload rate to a fixed value (in KB/second), or set it to Adjust automatically, which sets the upload rate to 70% of throughput. For information about the end-user experience, see Change the OneDrive sync app upload or download rate.
If you enable or disable this setting, and then change it back to Not Configured, the last configuration remains in effect. We recommend enabling this setting instead of Limit the sync app upload speed to a fixed rate to limit the upload rate. You shouldn't enable both settings at the same time.