I created a User Policy that I applied to all of my W2012R2 XenApp Servers. I created a Registry Collection and added the following registry settings to remove items from the Navigation Pane within this policy. You will notice some duplication below. In my environment, I had to hide the regular favorites shortcut along with the Library shortcut. In addition, I found different CLSID values for Music, Pictures, Videos, and Documents, so I applied these as well. Note the websites listed in the descriptions below. These sites led me to use a particular registry setting.
After you create or join a homegroup, you select the libraries (for example, My Pictures or My Documents) that you want to share. You can prevent specific files or folders from being shared, and you can share additional libraries later.
windows 7 group policy remove libraries from desktop
After someone on your network creates a homegroup, the next step is to join it. You'll need the homegroup password, which you can get from any homegroup member. All user accounts except the Guest account will belong to the homegroup. Each person controls access to his or her own libraries.
When you create or join a homegroup, you select the libraries and devices you want to share with other people in the homegroup. Libraries are initially shared with Read access, which means that other people can look at or listen to what's in the library, but they can't change the files in it. You can adjust the level of access at any time, and you can exclude specific files and folders from sharing.
When you create or join a homegroup, you select the libraries and devices you want to share with other people in the homegroup. Libraries are initially shared with Read access, which means that other people can look at or listen to what's in the library, but they can't change the files in it. You can adjust the level of access at any time, and you can exclude specific files and folders from sharing.
To share with all the members of your homegroup, choose one of the Homegroup options. To select libraries to share with all the members of your homegroup, swipe in from the right edge of the screen, tap Settings, and then tap Change PC settings. (If you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, click Settings, and then click Change PC settings.) Then tap or click HomeGroup.
When you created or joined your homegroup, you selected the libraries you wanted to share with other people in the homegroup. Libraries are initially shared with Read access, which means that you can look at or listen to what's in the library, but you can't make changes to the files in it. You can adjust the level of access later, and you can exclude specific files and folders from sharing.
I realize that this is a old thread, but I have recently deployed windows 7 desktops and my users are having issues with the libraries feature and I needed to find a way to disable it across the domain with group policy. Long story short is that all of which I tried from forum advice did not work, although it led me in the right direction. I just want to pass along the very simple solution to get the libraries feature to stop showing up in the explorer window.
2. Next in Active Directory create a GPO Object that will be used to restrict the user's virtual desktop. This raises the issue of what is the best way to apply the restriction. I prefer to apply a GPO to the computer where possible. So the user receives one set of restrictions if they login to a virtual desktop, but an entirely different set elsewhere. This allows them to be heavily restricted in the VDI session, but less restricted on other computers in the domain. After all, it's the virtual desktop I'm trying to secure from the end-user. Right-click the Organizational Unit, choose Properties and Select the Group Policies Tab. Click the button to create a policy (Figures 2 and 3).
When you press Ctrl+Alt+Delete while logged on to Windows 7, you see the Windows Security window, which contains the following buttons: Lock This Computer, Switch User, Log Off, Change A Password, and Start Task Manager. Of these five commands, all but Switch User are customizable using group policies. So if you find that you never use one or more of those commands, or (more likely) if you want to prevent a user from accessing one or more of the commands, you can use group policies to remove them from the Windows Security window. Here are the steps to follow:
We will now be back at the Security Levels list and almost every program will now be blocked from executing. For example, if you try to run Internet Explorer, you will receive a message stating that "This program is blocked by group policy." as shown below.
There's been a Group Policy setting to sync Team/SharePoint libraries for a while although last time I looked at it the functionality didn't actually work yet - I think it was meant to be available from Windows 10 1909 but didn't quite make it. Besides the fact that the setting didn't do anything, all the documentation claimed it could take "up to 8 hours" for the library to appear in the user's sync client/Explorer - clearly this is no use especially if you're in an environment where people hot desk and share machines. I've had another look at it to see if it's any better now. Using the GPO SettingFirst of all we need to have the OneDrive policy templates. You can find these on a Windows 10 PC running the sync client in %localappdata%\Microsoft\OneDrive\version\adm. Copy OneDrive.admx into your central policy definitions store, or if you don't have one into c:\windows\policydefinitions, and put Onedrive.adml into your language folder within the policy store.Now open a Group Policy Object in the editor and go to User Configuration > Policies > Administrative Templates > OneDrive. The setting you need to find is Configure team site libraries to sync automatically.This will want you to provide the library name and library ID. To get the ID, go to the library you want to sync in SharePoint (so if it's in a Team, open the Team's files in SharePoint). Press Sync, then cancel the "Open in OneDrive" prompt, then click Copy library ID. The chances of this screen actually appearing seem to be notoriously hit or miss, but if you are logged in as a global or SharePoint admin it should appear. I'm logged in as a global admin and using Edge and it worked fine.You should now have a library ID on your clipboard which looks something like "tenantId=xxx&siteId=xxx&webId=xxx&listId=xxx&webUrl=httpsxxx&version=1". It's got some URL encoded characters that we need to remove before we can feed this into the GPO so open PowerShell and run the following:[uri]::UnescapeDataString("paste-in-the-library-ID-string-here")Copy the unescaped string and paste it into the GPO editor in the Value column, and put the library name in the Value name column.Enter a friendly name for the site in the first column, and paste the unescaped library ID string into the Value columnSo does it work? Well, there's still an "up to 8 hour" wait so it's still only really suitable for a 1:1 device deployment where it's always the same person logged on and they can put up with a delay on their first logon. An alternative way to add librariesIf you have a look in the registry at what happens when you click the Sync button in the browser, you'll notice it launches the grvopen: or odopen: protocols, which in turn run "onedrive.exe /url:%1". If you replace OneDrive.exe with a program which just echos out the arguments passed to it, you'll notice this format:Copyodopen://sync/?userId=xxxxxxxx%2Dxxxx%2Dxxxx%2Dxxxx%2Dxxxxxxxxxxxx&userEmail=katy%40xxxxxxxxxxxxx%2Exx&isSiteAdmin=1&siteId=%7Bxxxxxxxx%2Dxxxx%2Dxxxx%2Dxxxx%2Dxxxxxxxxxxxx%7D&webId=%7Bxxxxxxxx%2Dxxxx%2Dxxxx%2Dxxxx%2Dxxxxxxxxxxxx%7D&webTitle=xxxxxxxxxxxxxxxx&webTemplate=64&webLogoUrl=%5Flayouts%2F15%2Fimages%2Fsiteicon%2Epng&webUrl=https%3A%2F%2Fxxxxxxxxxxxxx%2Esharepoint%2Ecom%2Fsites%2Fxxxxxxxxxxxxx&onPrem=0&libraryType=3&listId=%7Bxxxxxxxx%2Dxxxx%2Dxxxx%2Dxxxx%2Dxxxxxxxxxxxx%7D&listTitle=Documents&folderId=xxxxxxxx%2Dxxxx%2Dxxxx%2Dxxxx%2Dxxxxxxxxxxxx&folderName=General&folderUrl=https%3A%2F%2Fxxxxxxxxxxxxx%2Esharepoint%2Ecom%2Fsites%2Fxxxxxxxxxxxxx%2FShared%20Documents%2FGeneral&scope=OPENFOLDERhljs.highlightElement(document.getElementById('63e5ee618a5a9'));We can then run on logon "onedrive.exe /url:" and the above URL to have the sync client add the library, no waiting around for "up to 8 hours". Most of the URL will be static but there's a user-specific bit we need to work out how to obtain. A lot of the parameters are optional - as a minimum we need to obtain the following: userEmail. We can look up the current user's UserPrincipalName in PowerShell
siteID: Go to _api/site/id and it'll tell you the site ID. This is a GUID enclosed in curly braces
webID: Go to _api/web/id and it'll tell you the web ID, another GUID in braces.
webTitle: The name of the Team/SharePoint site, used when the client builds the folder structure.
webUrl: The URL to the site. You can see this at _api/web/url however it's usually just
listId: The SharePoint library's ID. Open the library in a web browser, click on the Settings button near the top right, then pick Library Settings. The List ID will be at the end of the URL of the Settings page - a GUID in braces.
listTitle: The document library name.
webTitle and listTitle are optional, and they do not have to match the actual names on SharePoint. The sync client will create a folder named after the tenancy, and within that will be a folder named webTitle - listTitle, which contains the synced library. If you don't include these at all it will just call it Documents.Putting all this together, I've written a PowerShell script which can be used as a logon script which will map a library if it isn't already mapped. For this to work you'll need to have already configured the OneDrive sync client to automatically log in and sync the user's OneDrive.Copy$userEmail = $(whoami /upn Out-String).Trim()$siteID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"$tenantName = "KatysTechBlog"$webID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"$webTitle = "Tech Blog"$webUrl = " "$listId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"$listTitle = "Library"if (-not ((Test-Path -Path "HKCU:\SOFTWARE\Microsoft\OneDrive\Accounts\Business1\Tenants\$tenantName") -and (Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\OneDrive\Accounts\Business1\Tenants\$tenantName" -Name "$env:USERPROFILE\$tenantName\$webTitle - $listTitle"))) $URL = "odopen://sync/?userEmail=" + [uri]::EscapeDataString($userEmail) + "&siteId=" + [uri]::EscapeDataString($siteID) + "&webId=" + [uri]::EscapeDataString($webID) + "&webTitle="+ [uri]::EscapeDataString($webTitle) + "&webUrl="+ [uri]::EscapeDataString($webUrl) + "&listId="+ [uri]::EscapeDataString($listId) + "&listTitle="+ [uri]::EscapeDataString($listTitle) Start-Process "$env:LOCALAPPDATA\Microsoft\OneDrive\Onedrive.exe" -ArgumentList "/url:$URL"hljs.highlightElement(document.getElementById('63e5ee618a6ba'));This script will grab the current user's UserPrincipalName and put together all the different parameters into an URL, and then runs onedrive if the library isn't already synced. If you've got multiple libraries you want to sync, with different combinations for different users, I'd probably recommend just having multiple scripts - one per library - and then linking the appropriate scripts to the appropriate GPO.Updated 16 March 2022: Changed the way the UPN is detected to one which works with Azure AD joined devices. Further Reading Use Group Policy to control OneDrive sync settings - OneDrive Microsoft Docs
Deploy OneDrive apps using Microsoft Endpoint Configuration Manager - OneDrive Microsoft Docs
In this postIntroduction Using the GPO Setting An alternative way to add libraries Further ReadingSupport My WorkI hope you find my content useful. Please consider tipping to support the running costs of hosting, licensing etc on my Ko-fi page. 2ff7e9595c
Comments