User folders and restricting their access via GP

Shane King 31 Reputation points

Is there a way to stop users from saving files to My Documents on local workstations or RDS servers?

This issue has been around since folder redirection existed in NT4 and remains the same issue today. I have a 2019 RDS server and we run O365 SharePoint. Staff still save files to My Docs/Downloads/Pictures/Desktop etc. - meaning those files are "Siloed or Orphaned" and not available to others in the organisation in the same role. Regardless of what other measures or policies you put in place, it relies on the end user willingly complying.

The problems this creates are:

  • Staff create files that never get backed up
  • Staff create files that are relevant to others in the same organisation but are not available to "others" in the manner information sharing and collaboration is intended.
  • Staff leave the organisation and may have sat at 100's of workstations where there may be files that are important to the org, but are lost, unless you record every workstation an employee logs into and attempt to recover data stored in their profile
  • When these ex-employees' profiles are deleted (a cumbersome task no matter how few workstations you have), information is lost unless IT or Supervisors have time to go to every workstation the user has potentially logged into and check there is no orphaned data stored in that profile.

Redirected folders don't solve the issue; if we centralise the redirected folders, the content doesn't get saved to SharePoint or shares on the server.

So is there a way to prevent users from saving files to folders on the local machine (be it a workstation or RDS environment) that allows us to control this? It's ironic we have so many other measures in place to control user behavior, but this remains an issue.

Windows Server 2019

1 answer

  1. Jenny Yan-MSFT 9,326 Reputation points


    The My Documents/Pictures/Downloads folder is a component of the user profile that is used as a unified location for storing personal data, which shouldn't be accessed by other accounts.

    Did you enable the roaming profile that redirects the user profile path to a shared file server? And after that, grant full control access to those user profile folders for the admin account?

    Reference link:
    Roaming Profile - Add Administrators rights to profile folder without taking ownership
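
For the inventory problem raised in the question (finding files left in local profile folders before a profile is deleted), here is an added example that is not part of the original thread: a PowerShell script, run elevated on one workstation or RDS host, that reports what each local profile holds in the folders the question names. The folder list and the report columns are assumptions chosen for illustration.

```powershell
# Added example: inventory files left behind in local user profile folders.
# Run from an elevated prompt on the workstation or RDS host being checked.
$folders = 'Desktop', 'Documents', 'Downloads', 'Pictures'   # folders named in the question

# Win32_UserProfile lists every profile on the machine. Special = $true marks
# system profiles (LocalService, NetworkService, systemprofile), which are skipped.
$profiles = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and $_.LocalPath }

$report = foreach ($p in $profiles) {
    foreach ($name in $folders) {
        $path = Join-Path -Path $p.LocalPath -ChildPath $name

        # A redirected or never-created folder does not exist under the local profile.
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # -Force includes hidden files; desktop.ini is shell metadata, not user data.
        $files = @(Get-ChildItem -LiteralPath $path -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ne 'desktop.ini' })
        if ($files.Count -eq 0) { continue }

        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            ProfilePath = $p.LocalPath
            SID         = $p.SID
            LastUse     = $p.LastUseTime
            Folder      = $name
            FileCount   = $files.Count
            SizeMB      = [math]::Round(($files | Measure-Object -Property Length -Sum).Sum / 1MB, 2)
            NewestWrite = ($files | Sort-Object LastWriteTime -Descending |
                Select-Object -First 1).LastWriteTime
        }
    }
}

# Largest holdings first; uncomment the export to keep a record per machine.
$report | Sort-Object SizeMB -Descending | Format-Table -AutoSize
# $report | Export-Csv -Path .\profile-inventory.csv -NoTypeInformation
```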
