Restrict Users from saving files on the Desktop
  • 22 Jan 2024
  • 1 Minute to read
  • PDF

Restrict Users from saving files on the Desktop

  • PDF

Article summary

The following PowerShell script helps the IT Admins to prevent the users from being able to save a file directly on the Desktop.

  • Create a file on your desktop, for example, restrict_desktop.ps1 and open it in a text editor like notepad++
  • Copy the contents below to the file or click hereto download the file.
    $UsersList=(Get-WmiObject -Class Win32_UserAccount -filter "LocalAccount = True" | Select name)
    ForEach($SystemUser in $UsersList)  
    	# Exclude Administrator and Built-in accounts
    	# CompareTo returns 0 if strings are equal
    	if($SysUser.CompareTo("Administrator") -and $SysUser.CompareTo("Guest") -and $SysUser.CompareTo("DefaultAccount"))
    		IF((Test-Path -Path $UserDesktopPath) -eq $true) {
    			icacls "$UserDesktopPath" /grant "$($SysUser):M"
    			icacls "$UserDesktopPath" /deny "$($SysUser):W" /inheritance:e

  • This script will block the Local users on the device from saving/creating a file on the Desktop directly.
  • This is a PowerShell script that grants Modify permissions and denies Write permissions for each local user's desktop folder. The script does the following:
    • Queries Win32_UserAccount class for all local accounts using the "Get-WmiObject" cmdlet and selects the account name.
    • Iterates over each account in the list and excludes the "Administrator," "Guest," and "DefaultAccount".
    • Sets the user's desktop path to "C:\Users$SysUser\Desktop" and checks if the path exists.
    • If the path exists, it uses the "icacls" cmdlet to grant Modify permissions to the user and deny Write permissions to the user, including subdirectories.
  • Follow our guide to upload & publish the PowerShell script using Scalefusion Dashboard.
  • Once the script is successfully executed, you will be able to see the status of the same in the View Status report on the Scalefusion dashboard.
Please note that to use the PowerShell scripts, the Scalefusion MDM Agent Application must be installed on the device(s). Please follow our guide to publish and install the Scalefusion MDM Agent Application

  1. The scripts and their contents are sourced from various albeit authenticated Microsoft sources and forums.
  2. Please validate the scripts on a test machine before deploying them on all your managed devices.
  3. Scalefusion has tested these scripts, however, Scalefusion will not be responsible for any loss of data or system malfunction that may arise due to the incorrect usage of these scripts.

Was this article helpful?