To Block Library creation, you can create a user group policy blocking the known folder ID. You may argue a login script can simply delete the unwanted libraries, and you would be right, but a shell context menu exists to restore these libraries on user request. The method below ensure’s they are never created.

For every default windows directory, these directories have known folder names and GUID’s. A great reference site for these GUIDS can be found here:

http://msdn.microsoft.com/en-us/library/dd378457(VS.85).aspx

In our case, we’re interested in the following five Known Folders:

FOLDERID_DocumentsLibrary   GUID{7B0DB17D-9CD2-4A93-9733-46CC89022E7C}
FOLDERID_MusicLibrary             GUID{2112AB0A-C86A-4FFE-A368-0DE96E47012E}
FOLDERID_PicturesLibrary         GUID{A990AE9F-A03B-4E80-94BC-9912D7504104}
FOLDERID_VideosLibrary            GUID{491E922F-5643-4AF4-A7EB-4E7A138D8174}

and the little known:

FOLDERID_RecordedTVLibrary  GUID{1A6FDBA2-F42D-4358-A798-B74D745926C5}

Once we know which folders we wish to block, open group policy and navigate to the following policy:

User Configuration > Policies > Administrative Templates > Windows Components > Windows Explorer.

In this section, you will find a Disable Known Folders Setting.

Enable the policy and click show, here you can configure the libraries you wish to block:

(below I’m blocking the creation of Video’s and Music.)

Configuring the value above will leave you with libraries as so:

Caveat’s:

It’s a once off thing… Blocking the creation of a library will only take effect on the first login, aka the profile creation. There is no microsoft solution available to control these libraries after the fact. You could make do with login scripts, but its messy.

It’s not the size, its the contents that matter… You cannot control the cotents of libraries, i.e. you cannot block the link to the shared folders libraries. This is really silly, as you would assume that were you to block the known folder PublicDocuments aka {ED4824AF-DCE4-45A8-81E2-FC7965083634}. This would stop it being created in the profile on first load, you’d be very wrong, blocking this known folder causes the library to not be created. Not sure who thought that was a good idea, but I digress.

So that’s it in a nutshell, for more information on locking down the server 2008 r2 profile check in later or follow me on twitter @andyjmorgan.

After much head scratching we discovered an extra registry setting embedded in the group policy:

HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows NTTerminal
ServicesWFDontAppendUserNameToProfile dword = 1.

Still none the wiser to the issue we found the following article http://support.microsoft.com/kb/908011. With this we put two and two together, and logged into a 2003 domain controller (sp2) and low and behold the policy setting was available.

It seems the group policy were updated in service pack 2 to reflect an issue when trying to configure mandatory profiles, I do aim to copy the policies to my laptop and see if i can update them to reflect the change but I’ve been to lazy so far

Update: Well i got around to testing the policy copy, if you copy the .adm files from the domain controller to your local machine with the problem, it will resolve the issue.

Heres an example of scripting the change:

pushd domaincontrollerc$windowsinf
copy *.adm %windir%inf
popd

That’s it. reload gpedit.msc and you should see hte entries correctly.

Update: With thanks to some great help and troubleshooting from Steven we have resolved the line 46 “Categor” error. In order for the adm to parse the ending y in this file an additional two blank lines or “carriage returns” are necessary at the base of the adm file. The download file has been updated, Thanks again Steven.

A .adm file, is a group policy file that specifies policies outside of Microsoft’s default options. Basically they are policies you can put in place that Microsoft in their infinite wisdom forgot to put in before launch.

I had a situation recently where we have external users coming into our network, and using our CAG’s to access the the citrix environment. Once in there they needed access to an internal webpage that we published with internet explorer. The problem therein lied that these users could browse the local lan for resources with the address bar and many other wonderful utilities Microsoft put into internet explorer but failed to lock down efficiently.

All i really cared about (and for the interest of this post) was locking down the address bar in Internet Explorer 6.1. Nowhere could i find an option to do this, and i was getting nowhere fast. Searching internet explorer did bring back a few “helpful” articles on technet that i just couldnt understand, and i did find a piece of software that used to do it for free, until microsoft bought the company, stole its code for server 2008 and stopped people using or downloading the application. nice one microsoft…

I have attached the policy settings and ADM files for reference on how to lock down internet explorer 6 completely, hopefully i will save somebody else 7 hours of their time.

Long story short, no policy existed, no helpful application and because i needed this policy to only affect the users (and not the servers where internal staff use internet explorer too) i had to create the adm file myself.

I opened the word2003 adm file you get with ork 2003 and set about bodgeing the code to suit myself, The below entries disable the address and link bars by using registry entries. Remember you must still lock the toolbar in group policy to restrict these users from changing the tool bars.

CLASS USER

CATEGORY “Internet Explorer Lockdown”
KEYNAME “SoftwarePoliciesMicrosoftInternet ExplorerToolbarsRestrictions”
POLICY “Disable internet explorer address bar”
PART “Check to enforce setting on; uncheck to enforce setting off” CHECKBOX
VALUENAME NoAddressBar
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END PART
END POLICY
POLICY “Disables internet explorer links bar”
PART “Check to enforce setting on; uncheck to enforce setting off” CHECKBOX
VALUENAME NoLinksBar
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END PART
END POLICY
END CATEGORY

and to disable the other lockdowns i required (not covered in group policy…./sigh) disabling the search function, disabling the help bar and disabling mail/news are listed below.

CATEGORY “Internet Explorer Lockdown”
KEYNAME “SoftwarePoliciesMicrosoftInternet ExplorerRestrictions”
POLICY “Disable internet explorer help bar”
PART “Check to enforce setting on; uncheck to enforce setting off” CHECKBOX
VALUENAME NoHelpMenu
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END PART
END POLICY
POLICY “Disable Mail&News option”
PART “Check to enforce setting on; uncheck to enforce setting off” CHECKBOX
VALUENAME RestGoMenu
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END PART
END POLICY
END CATEGORY
CATEGORY “Internet Explorer Lockdown”
KEYNAME “SoftwareMicrosoftWindowsCurrentVersionPoliciesexplorer”
POLICY “Disable Search Access”
PART “Check to enforce setting on; uncheck to enforce setting off” CHECKBOX
VALUENAME NoFind
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END PART
END POLICY
END CATEGORY

Once i had the above all in one text document, saved it as a .adm file and imported it into group policy. Checked the options and hey presto, users were locked down. It took me over 8 hours to achieve the above (and the other default policy settings) realistically it shouldn’t have taken more than 2.

Files are here: