Due to the overwhelming response from the r/sysadmin community, it looks like Desktop Folder Redirection is the best practice solution to this problem. With that being said, I think this script has a place in environments where Desktop Folder Redirection isn't possible (e.g. small organizations without AD or Pro licensing) and want it to remain available for those who might be interested in the source code.
In our environment, we use Folder Redirection and network drive maps for our staff to access their files. Due to performance issues, the Desktop remains part of the local user profile.
Three years ago, we were still using Windows XP with a third-party product called Deep Freeze that prevented user changes to the local workstation. In those days, if a user accidentally saved an important document to their desktop, they would turn on their workstation the next morning and find out they had lost yesterday's work. Although this was inconvenient, the user quickly learned the hard way that the Desktop was not a safe place for their documents. Since then, we have deprecated Deep Freeze and migrated to Windows 7. The downside to losing Deep Freeze is that many of our users have become complacent about saving to the Desktop.
Despite training and notifying staff that the Desktop is a dangerous place for their files, I was put in the uncomfortable situation where a staff member burst into tears after I explained that the hard drive had died on their workstation and six months of work on the Desktop was irrevocably lost.
There are many ways you can prevent users from saving important documents on the Desktop. Here are a few that we considered but didn't end up implementing:
- Roaming Profiles
- Desktop Folder Redirection
- Remove "Modify" permission on Desktop
- Logoff script that copies Desktop to network drive
We decided that those options would either degrade performance considerably or be unreasonably frustrating/inconvenient for the user. Instead, I wrote a lightweight logon script that notifies the user that their desktop has vulnerable files. Here's a brief overview of what it does:
- Checks for Word Document files on the Desktop
- If any are found, it creates a MsgBoxPopup.vbs script in the %USERPROFILE% directory and adds an entry in the RunOnce registry key to execute the popup.
- Once executed, the script deletes itself and the RunOnce key is cleared automatically by Windows.
This will allow the logon script to execute quickly and deliver a warning message after the user has already finished loading their desktop.
@echo off
REM Look for Word documents anywhere under the user's Desktop. *.doc* also matches .docx
REM when 8.3 short names are disabled on the volume. 2>nul hides the "File Not Found"
REM message; dir sets ERRORLEVEL 1 when nothing matches.
dir /s /b "%USERPROFILE%\Desktop\*.doc*" >nul 2>nul
IF %ERRORLEVEL% EQU 1 goto DONE
REM CREATE TEMP MSGBOX POPUP IN USERPROFILE DIRECTORY (48 = exclamation icon with OK button)
echo MsgBox "We have detected documents saved on your Desktop. To prevent potential data loss, save your documents to your network drive. If you have any questions, please contact Helpdesk.",48, "WARNING" > "%USERPROFILE%\MsgBoxPopup.vbs"
echo Set objFSO = CreateObject("Scripting.FileSystemObject") >> "%USERPROFILE%\MsgBoxPopup.vbs"
REM The popup deletes its own script file once it has been shown
echo objFSO.DeleteFile WScript.ScriptFullName >> "%USERPROFILE%\MsgBoxPopup.vbs"
REM ADD TO RUNONCE IN REGISTRY (Windows removes the value after it has run once)
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /v "DesktopAlert" /t REG_SZ /d "wscript.exe \"%USERPROFILE%\MsgBoxPopup.vbs\"" /f
:DONE
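A defender's counterpart to the RunOnce step above, added here as an example and not part of the original script: it lists the current user's RunOnce entries and flags the footprint this script leaves (a script interpreter launched from a user-writable path), so the known DesktopAlert value can be told apart from any unexpected entry that uses the same self-deleting-script pattern. It assumes only standard PowerShell cmdlets and the registry value name and file name used above.

```powershell
# Added example, not part of the original logon script: report HKCU RunOnce entries
# and flag those that launch a script from a user-writable location.
function Get-RunOnceReport {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    if (-not (Test-Path $key)) { return @() }

    $props = Get-ItemProperty -Path $key
    # Properties PowerShell adds to the object that are not registry values
    $psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    # Extensions handled by wscript/cscript, cmd and powershell
    $scriptExt = '\.(vbs|vbe|js|jse|wsf|wsh|ps1|bat|cmd)\b'
    # Locations any standard user can write to
    $userPaths = @($env:USERPROFILE, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -in $psNoise) { continue }
        $raw      = [string]$props.$name
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        $flags    = @()
        if ($expanded -match $scriptExt) { $flags += 'script' }
        foreach ($p in $userPaths) {
            if ($expanded.IndexOf($p, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $flags += 'user-writable-path'
                break
            }
        }
        # The value written by the logon script is expected; anything else with the
        # same flags deserves a closer look.
        $expected = ($name -eq 'DesktopAlert' -and $expanded -like '*\MsgBoxPopup.vbs*')
        [pscustomobject]@{
            Name     = $name
            Command  = $raw
            Flags    = ($flags -join ',')
            Expected = $expected
        }
    }
}

Get-RunOnceReport | Format-Table -AutoSize
```

Run it after logon but before the popup fires (or with a test document on the Desktop) to see the DesktopAlert entry reported with Expected set to True; any other row carrying both flags is one the script did not create.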