Prevent users saving items on the Citrix/Terminal Server desktop.
In my current environment we allow users to save items on their desktop. Because we are using mandatory profiles we save the settings using Flex profiles from Immidio.
Lately some users are complaining that the logon times are increasing. After some investigation we came to the conclusion that the users are saving a lot of files to their Citrix/Terminal server desktop. The flex file would be around the 8 GB. My manager asked me to come up with a solution so that the users aren’t able to save files to their desktop but allow them to save shortcuts.
I know that RES Workspace Manager can do this by default with AppGuard. Also a few other Vendors can do this. However I didn’t found a solution from Microsoft until today. It’s called File Screening
File Screening is available on windows 2003R2 and higher and is part of the File Server Resource Manager. A File Screen can block file that belong to a particular file group from being saved on a volume or folder tree. It also affects all the folders in the designated path. You can configure File Server Resource Manager to generate e-mail or other notifications when a file screening event occurs.
A file screen can be either active or passive:
- Active screening prevents users from saving unauthorized file types on the server.
- Passive screening monitors users saving specific file types and generates any configured notifications, but does not prevent users from saving files.
We choose the active screening.
Installing File Screening
File Server Resource Manager is a role service of the File Services role in Windows Server 2008. It can be installed as part of the File Services role, using Server Manager. After you install the role service, you can use the File Server Resource Manager Microsoft Management Console (MMC) snap-in.
How to configure File Screening
Start File Server Resource Manager. Expand File Screening Management. Select File Group. Right mouse click and select “Create File Group…” To block all files except shortcuts use the following settings.
Create a new File Screen Template with the following settings.
Create a new File Screen with the following settings.
In order to implement this in to the environment we have to change the following:
• Redirect the Citrix Desktop to a local disk or a shared folder on a File Server. The last is not preferred because of open file on the file servers.
• Install and configure File Screen.
• Possibly apply a folder quota on the desktop. This is not mandatory.
When everything is in place the users will receive the following message when they try to save an item on the desktop that isn’t a shortcut.
For the scripting guys among us. It is also possible to install and configure File Screening through the command line with the following commands.
## Install FSRM ## import-module servermanager add-windowsfeature FS-Resource-Manager ## Config File Screening ## FileScrn filegroup add /filegroup:Allow_lnk /Members:"*.*" /Nonmembers:"*.lnk" FileScrn template add /template:"Allow_lnk" /Type:Active /add-filegroup:Allow_lnk FileScrn screen add /path:C:\Data\desktops /SourceTemplate:Allow_lnk
When using filescreening in combination with Immidio Flex you need to add the extension *.tmp to the file to exclude. When flex is restoring the desktop.zip it will write a *.tmp file to the desktop. When this isn’t possible Flex will stop restoring the desktop.zip.
Leave a comment
Thanks for every other magnificent post. The
place else may anybody get that type of info in such a perfect manner of
writing? I have a presentation next week, and I am at the search
for such information.
how to get all users desktop there. i tried
%userprofiles% but its not working
You could use GPO to redirect the desktop. Check https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-folder-redirection