Restrict Users from saving files on the Desktop
  • 22 Jan 2024

The following PowerShell script helps the IT Admins to prevent the users from being able to save a file directly on the Desktop.

  • Create a file on your desktop, for example, restrict_desktop.ps1, and open it in a text editor such as Notepad++.
  • Copy the contents below to the file or click here to download the file.
    # Enumerate the local accounts on this device
    $UsersList = (Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = True" | Select-Object Name)
    ForEach ($SystemUser in $UsersList)
    {
        $SysUser = $SystemUser.Name
        # Exclude Administrator and Built-in accounts
        # CompareTo returns 0 if strings are equal
        if ($SysUser.CompareTo("Administrator") -and $SysUser.CompareTo("Guest") -and $SysUser.CompareTo("DefaultAccount"))
        {
            $UserDesktopPath = "C:\Users\$SysUser\Desktop"
            if ((Test-Path -Path $UserDesktopPath) -eq $true) {
                # Grant Modify, then add a Deny Write entry; an explicit Deny takes precedence over the Allow
                icacls "$UserDesktopPath" /grant "$($SysUser):M"
                icacls "$UserDesktopPath" /deny "$($SysUser):W" /inheritance:e
            }
        }
    }

  • This script blocks the local users on the device from saving or creating a file directly on the Desktop.
  • It grants Modify permissions and denies Write permissions on each local user's Desktop folder. The script does the following:
    • Queries the Win32_UserAccount class for all local accounts using the "Get-WmiObject" cmdlet and selects the account name.
    • Iterates over each account in the list and excludes "Administrator", "Guest", and "DefaultAccount".
    • Sets the user's desktop path to "C:\Users\$SysUser\Desktop" and checks if the path exists.
    • If the path exists, it uses the "icacls" command to grant Modify permissions to the user and deny Write permissions to the user, including subdirectories.
  • Follow our guide to upload & publish the PowerShell script using Scalefusion Dashboard.
  • Once the script has executed successfully, you can see its status in the View Status report on the Scalefusion dashboard.
Please note that to use the PowerShell scripts, the Scalefusion MDM Agent Application must be installed on the device(s). Please follow our guide to publish and install the Scalefusion MDM Agent Application.
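
One way to confirm the result on a test machine, as an added example that is not part of Scalefusion's script: the function below (hypothetical name Test-DesktopWriteDeny) reads each local user's Desktop ACL and reports whether a Deny entry covering file creation is present and what it applies to. It assumes Windows PowerShell 5.1 and the same C:\Users\<name>\Desktop layout that the script uses.

```powershell
# Added example (not Scalefusion's script): audit the ACL left by restrict_desktop.ps1.
# Assumption: profiles live under C:\Users\<name>, as in the script above.
function Test-DesktopWriteDeny {   # hypothetical helper name
    [CmdletBinding()]
    param([string]$ProfileRoot = 'C:\Users')

    $excluded    = 'Administrator', 'Guest', 'DefaultAccount'
    $createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    $sidType     = [System.Security.Principal.SecurityIdentifier]

    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = True" |
        Where-Object { $excluded -notcontains $_.Name } |
        ForEach-Object {
            $user    = $_
            $desktop = Join-Path (Join-Path $ProfileRoot $user.Name) 'Desktop'
            # Accounts without a Desktop folder are skipped, as in the script
            if (-not (Test-Path -LiteralPath $desktop)) { return }

            # Request the ACEs keyed by SID so the match does not depend on name format
            $rules = (Get-Acl -LiteralPath $desktop).GetAccessRules($true, $true, $sidType)
            $deny  = @($rules | Where-Object {
                $_.IdentityReference.Value -eq $user.SID -and
                $_.AccessControlType -eq 'Deny' -and
                $_.FileSystemRights.HasFlag($createFiles)
            })

            [pscustomobject]@{
                User            = $user.Name
                Desktop         = $desktop
                DenyCreateFiles = ($deny.Count -gt 0)
                # 'None' here means the Deny entry applies to the Desktop folder itself only
                AppliesTo       = ($deny | ForEach-Object { $_.InheritanceFlags }) -join ','
                Inherited       = [bool]($deny | Where-Object IsInherited)
            }
        }
}

# Run from an elevated session on the test device
Test-DesktopWriteDeny | Format-Table -AutoSize
```

A row with DenyCreateFiles set to False means the Deny entry was not applied to that user's Desktop.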

Notes:
  1. The scripts and their contents are sourced from various, albeit authenticated, Microsoft sources and forums.
  2. Please validate the scripts on a test machine before deploying them on all your managed devices.
  3. Scalefusion has tested these scripts; however, Scalefusion will not be responsible for any loss of data or system malfunction that may arise due to the incorrect usage of these scripts.


