Windows 7 Deployment Useful Tip # 2 – Enabling the Standard User to delete Desktop Shortcuts from C:\Users\Public\Desktop

Food for thought: as a general rule, set expectations and explain the rationale behind them. If your environment consists of users running as administrators on their machines, this is something you really want to get away from. Maintaining a well-managed PC in the corporate environment goes out the window if you don’t lock down and secure your systems. Destabilization of the desktop causes additional work and productivity downtime for everyone.

User Account Control works by protecting access to administrative rights, and this involves elevation of privilege. One small challenge I came across recently was giving Standard Users the ability to delete desktop icons that are created during the installation of applications, specifically the icons stored in C:\Users\Public\Desktop. Standard Users cannot delete them because the icons were installed/created by a trusted install account (e.g. Administrator). Since the user is not the owner of the file, they cannot take ownership of the file. When a user attempts to delete a desktop shortcut, Windows 7 requests some kind of consent or credential to do so. Unfortunately, UAC won’t allow the standard user to execute this task.

The recommended solution is to create a script that modifies the ACLs on the desktop folder during post-installation of the OS. Alternatively, you can add the following commands to your Task Sequence in StateRestore.

attrib -h c:\Users\Public\Desktop

icacls c:\Users\Public\Desktop /grant "TEST.com\Domain Users":M /T

attrib +h c:\Users\Public\Desktop

Remember to replace “TEST.com” with the name of your domain. Also note that the attrib commands are required because the public desktop folder is hidden. In Windows 7 the public desktop is a reparse point of the folder known as desktop. Credit goes to Josh Brungardt, my colleague, for countless testing scenarios to get this to work.
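The script approach mentioned above, sketched as an added example that is not part of the original post: it runs the same three commands from an elevated Windows PowerShell session and then checks that the Modify grant actually landed on the folder and everything in it. The parameter names $Group and $Path are assumptions for illustration, and the verification step is an addition to the procedure described here.

```powershell
# Added example, not from the original post. Run elevated (e.g. from the task sequence).
param(
    [string]$Group = 'TEST.com\Domain Users',   # placeholder from the post; use your own domain
    [string]$Path  = 'C:\Users\Public\Desktop'
)
$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $Path)) { throw "Folder not found: $Path" }

# Resolve the group to a SID up front so a typo fails before any ACL is touched.
$account = New-Object System.Security.Principal.NTAccount($Group)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

& attrib.exe -h $Path                  # folder is hidden; clear the attribute first
try {
    & icacls.exe $Path /grant "${Group}:M" /T
    if ($LASTEXITCODE -ne 0) { throw "icacls exited with code $LASTEXITCODE" }
}
finally {
    & attrib.exe +h $Path              # restore the hidden attribute even on failure
}

# Verify: the folder and every item under it must carry an Allow/Modify rule for the group.
$modify  = [System.Security.AccessControl.FileSystemRights]::Modify
$sidType = [System.Security.Principal.SecurityIdentifier]
$items   = @(Get-Item -LiteralPath $Path -Force) +
           @(Get-ChildItem -LiteralPath $Path -Force -Recurse)
$missing = @()
foreach ($item in $items) {
    $granted = $false
    foreach ($rule in $item.GetAccessControl().GetAccessRules($true, $true, $sidType)) {
        if ($rule.IdentityReference.Value -eq $sid.Value -and
            $rule.AccessControlType -eq 'Allow' -and
            ($rule.FileSystemRights -band $modify) -eq $modify) { $granted = $true }
    }
    if (-not $granted) { $missing += $item.FullName }
}
if ($missing.Count -gt 0) {
    throw "Modify not granted to $Group on: $($missing -join ', ')"
}
Write-Output "Verified Modify for $Group on $($items.Count) item(s) under $Path"
```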

Cheers,

Rich