Normally we lock down our desktop images so that local users cannot modify the Windows XP desktops. We have some new staff members involved in the image creation process this year, and not all of our usual modifications made it onto all the images before they were deployed. Because of this, and because we really don’t want to reimage at this time, I needed a solution that would stop users who logged locally onto the Windows machine as ‘student’ from adding or removing items from the desktop without using local or Zenworks Group Policies (it’s a political thing).
I wrote this script, which can be pushed down via a batch file, Zenworks, or even can be dsployed using psexec. It uses cacls.exe, which is found in c:\windows\system32 in a default Windows XP installation.
cacls.exe “c:\Documents and Settings\Student\Desktop” /T /E /R Student
cacls.exe “c:\Documents and Settings\Student\Desktop” /T /E /G Student:R
On the first line, cacls revokes all permissions granted to ‘Student’ for the c:\Documents and Settings\Student\Desktop folder and any files or subdirectories it contains.
On the second line cacls grants the Read permission ‘Student’ for the c:\Documents and Settings\Student\Desktop folder and any files or subdirectories it contains.
For more information on using cacls.exe and automating the process of setting permissions, see KB 180464, KB162786, KB 135268, KB 810142, KB 897103. Tech Republic also has a cacls.exe quick reference you can download for free.
For Windows Vista users, check out icacls.exe, which is an updated and far more powerful version of cacls.exe.