Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Thursday, November 9, 2017 12:38 PM
Dear All,
I would like to disable the access to known folders using shell:::{KnownFolderID} on Windows 10 Enterprise:
- From Internet Explorer or File Explorer
- For the local users (except admins)
- Not only "Camera Roll like" folder but also all the Control Panel items
I already tested several approaches but I did not obtain what I was expecting:
- GPO - Hide specific control panel items -> does not prevent using shell:::{KnownFolderID}
- GPO - Disable known folder -> Work Partially like for "Camera Roll" if you delete manually the folder as it prevents its creation
- Registry - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\.........}\PropertyBag] - ThisPCPolicy = Hide -> does not work
So I am a bit out of ideas :-/
Any help appreciated :-)
I would like to thank you in advance,
Best Regards,
Yop
All replies (3)
Tuesday, November 28, 2017 11:07 AM ✅Answered
Hi Joy,
So here is a little update according to the tests and research I have made so far.
1. Playing with group permissions does not work for "virtual folders"
2. GPOs does not block the Shell: command
- Prohibit access to Control Panel and PC settings: is circumvented by the Windows Shell: command
- Disable Known Folders: prevent only the creation of the folder, the folder needs to be deleted, does not work for all Known folders
3. Modifying the registry:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\KnownFolderID}\PropertyBag
- HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\KnownFolderID}\PropertyBag
and adding a key "ThisPCPolicy" type String with Value "Hide" does not work either for all the KnownFolderID.
The only solution I have found is to:
- Create a New Key Named "Blocked" in HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\
- Create a REG-SZ with Name= {KnownFolderID} and Data= KnownFolder Name
And voilà,
Kr,
Yop
Friday, November 10, 2017 9:06 AM
Hi Yop,
"From Internet Explorer or File Explorer
For the local users (except admins)"
I recommend to restrict local user access right to a specific folder with the normal ways.
We could grant administrator with full access right and grant local user with deny by right click folder and choose Properties.
For restrict local user to access Control Panel items:
If you use local Group policy to disable local user to access Control Panel, it will disable all user access it including administrator. So we need to Configure Group Policy setting to exclude administrator at first then apply the following Group Policy.
User Configuration > Administrative Templates > Control Panel>Prohibit access to Control Panel and PC settings.
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Thursday, November 16, 2017 10:03 AM
Hi Joy,
I would like to thank you for your reply.
I will give it a try and will let you know.
Thanks again,
Kr,
yop