Forced wallpaper via a GPO

[JoeyF]

I work for a high school as a computer technician. Me and the other tech want to set a specific wallpaper that will display on all computers when an user is logged in. We plan on using a GPO to enforce this.

We tried using a registry setting to change the wallpaper at login. However, after they log in, they can still change it. We have display properties disabled, but the students found several programs that still let them change the wallpaper.

Is there any way to absolutely force the wallpaper, with no way whatsoever to change it? A GPO is majorly preferred, but if there is something we would have to edit on the individual computers (like a third party program or something that can't be set through GPO), that wouldn't be too much of an issue.

[waruikoohii]

I set it via GPO at my work. The kids haven't found a way to change it, and I'm not aware of a way to change it client side.

I don't remember exactly where the option is, so I'll post that later when I can check it (in a few hours).

[u2_storm]

Did you set it in

GP>User Config>Admin template>desktop>active desktop> allow only bitmapped wallpaper /active desktop wallpaper

GP>User Config>Admin template>control panel>display> prevent chaging wallpaper

I -think- thats how I stoped my users I can't see my GP as I got made redundant but looking on my 2k3 server it looks right.. let me know

[SMELTN]

I believe that is is u2_storm

[JoeyF]

Did you set it in

GP>User Config>Admin template>desktop>active desktop> allow only bitmapped wallpaper /active desktop wallpaper

GP>User Config>Admin template>control panel>display> prevent chaging wallpaper

I -think- thats how I stoped my users I can't see my GP as I got made redundant but looking on my 2k3 server it looks right.. let me know

It seems that we already tried all of those. I checked every setting in our group policy and all of those were already enabled and applied to the computer labs.

They do work quite well, but it seems that people are still able to override them. Even Firefox, if you right click on an image on a webpage, you can still set it as the wallpaper, even with those policies applied.

[_BeanZ_]

I can't remember the specifics at the moment, but we have managed to stop it by changing the permission to a few HKCU keys - will try and track down which ones it was.

[JoeyF]

We just tried this GPO on a single pc:

User Configuration> Administrative Templates> Desktop> Active Desktop> Active Desktop Wallpaper

We enabled that, and than changed the path to a local wallpaper. It worked, and anything we threw at it couldn't change the wallpaper. However, it was logged in as a local account.

We logged out of the local account, and into a domain account (a test account with student permissions). The wallpaper didn't even apply, and we were able to change it with ease using the third party programs and Firefox.

Tony (the other tech) than logged in as his non-administrator account, and the wallpaper did apply, and he again was unable to change it.

It probably is worth noting that every account has redirected folders and roaming profiles. The tech people (Tony and I) are the only exception to this rule (we use flash drives instead).

So long story short:

1) We used a GPO to save this setting

2) The accounts that do not have redirected folders or roaming profiles are effected by this GPO, and can't change wallpapers, but that would be pretty much me and one other person.

3) Everyone else (who does have redirection and roaming) is not effected by this GPO.

It seems that the issue is with the roaming profiles and folder redirection. Any ideas?

[Joel]

The issue is not that you use roaming profiles and folder redirection, the issue is that the domain account overrode the local account settings you made in the local GPO. Make a test OU in the AD and do your tests with that. Never test a domain policy with a local account, nor ever test a policy made locally with your domain account. A test OU costs you nothing, so make them and use them. Test accounts, too.

[JoeyF]

That is what I thought at first, I thought the domain's GPOs were overriding the local ones, but like I said, the other tech was able to log into his account (domain user, non-administrator, no roam or redirect) and the local GPO applied to him. So we did manage to get the local GPO to apply to a Domain user.

[Joel]

Yes, now make the test OU and test user and test THAT. I didn't say it wouldn't apply, I said you can't test like that.

Group policy types and their order of application are:

* Local Policy

* Site Linked Policies

* Domain Linked Policies

* Organizational Unit Policies

[JoeyF]

We essentially did try that, to the same results.

We did try using the GPO on a domain level, and applying it to the container that our test computers are in, and seemed to have even worse luck than a local policy. We could not get the wallpaper to apply to a single account

[u2_storm]

What would happen if you created a new computer OU. created a new user & applied a group policy to that OU does that work?

Ah! If I remember correctly I had to apply the GPO to the User & Computer. I don't know why but I'm sure it worked.

BTW Joey H: where on Earth are you?

[Joel]

We essentially did try that, to the same results.

We did try using the GPO on a domain level, and applying it to the container that our test computers are in, and seemed to have even worse luck than a local policy. We could not get the wallpaper to apply to a single account

You can't apply a User Configuration GP to a computer. That would be a very large mistake. You apply User Configs to user objects, and Computer Configs to computers.

[JoeyF]

u2_storm: I'm on the part that isn't an ocean. More specifically, St. Louis metro.

On Tuesday and Wednesday, I had a few problems I had to deal with (one of our servers was down, and we had to get a computer lab moved), so I didn't pay much attention to the wallpapers. I'm gonna try the new computer OU on Monday and hope it works. I'll let you all know. But I do appreciate all the help so far. Thank you :)

[JustGeorge]

http://support.microsoft.com/kb/327998

Following the above instructions, they will not be able to change the wallpaper in IE but will be able to in Firefox. Even of they change it in Firefox, the wallpaper will reset back to gpo defined wallpaper after reboot or logoff/logon. I have the same problem at my job so I feel your pain :/

Edited November 30, 2008 by VRam

[ozgeek]

Or just leave it alone. what harm to work can a picture on a desktop do? They allow users to feel relaxed and will allow them to work in an environment that is familiar to them, increasing their productivity. Forcing a boring same wallpaper every login is silly and boring.

[JustGeorge]

Or just leave it alone. what harm to work can a picture on a desktop do? They allow users to feel relaxed and will allow them to work in an environment that is familiar to them, increasing their productivity. Forcing a boring same wallpaper every login is silly and boring.

Its a distraction. Our kids should be focusing on their work and not searching the net for a the latest pic of 50 cent or the newest Ferrari to set as their wallpaper. People also tend to frown on their PC greeting them with a pornographic image when booted. I like keeping all the machines uniform and neat and since I'm the one who has to fix what they screw up, I feel I have a right to make it so.

[Joel]

Or just leave it alone. what harm to work can a picture on a desktop do? They allow users to feel relaxed and will allow them to work in an environment that is familiar to them, increasing their productivity. Forcing a boring same wallpaper every login is silly and boring.

Leaving it to the user could contravene the company's AUP. Don't spout crap about a work environment you don't understand.

[_dandy_]

Not sure why the wallpaper can be changed despite the group policies, but how about overriding the default permissions for the registry key (whatever it is) that defines the wallpaper currently in use? I would *think* that if a user doesn't have sufficient rights to update the key--whatever the means used--then a new wallpaper couldn't be specified...

[JustGeorge]

I thought I found the magic bullet when someone on the net suggested unregistering the shimgvw.dll (removes the "set as desktop background" context menu, but found that also disables the Windows picture and Fax viewer which makes the trick useless. I guess you could install another picture viewer, but thats just another program to maintain. Microsoft should fix the group policy setting to do what it claims to do prevent changing wallpaper.

[JoeyF]

Or just leave it alone. what harm to work can a picture on a desktop do? They allow users to feel relaxed and will allow them to work in an environment that is familiar to them, increasing their productivity. Forcing a boring same wallpaper every login is silly and boring.

We have many complaints from teachers about wallpapers. There are some students who spend way too much time looking for new wallpapers and not paying attention to their classwork. Also, alot of students seem to have no sense of decency. I've seen wallpapers containing nudity, pornography/hentai, racism, sexism, drug use, just about everything that someone could find highly offensive. The teachers do send students out of class when something like this comes up, and the students do receive discipline, but we don't want it there in the first place. Even if it is not inappropriate, students like to show off their wallpapers, which creates distractions in class.

Not sure why the wallpaper can be changed despite the group policies, but how about overriding the default permissions for the registry key (whatever it is) that defines the wallpaper currently in use? I would *think* that if a user doesn't have sufficient rights to update the key--whatever the means used--then a new wallpaper couldn't be specified...

To my understanding, registry editing is pretty much restricted. The users can't directly access the registry, and the fields that they can edit are very limited in number. I would believe that the registry strings that control the wallpaper would be locked, but if they aren't, that could be a pretty big hole right there. That is defiantly something I will talk to the other tech about, and we'll investigate it.

Edited November 30, 2008 by Joey H

[_dandy_]

To my understanding, registry editing is pretty much restricted. The users can't directly access the registry, and the fields that they can edit are very limited in number. I would believe that the registry strings that control the wallpaper would be locked, but if they aren't, that could be a pretty big hole right there. That is defiantly something I will talk to the other tech about, and we'll investigate it.

I don't suspect that students are directly editing the registry, but whatever means they use to change the wallpaper, would run using the same security privileges as that user.

So if you remove the privileges for the registry key for UserX, then it doesn't matter *how* UserX tries to change the wallpaper (desktop properties, Use As Wallpaper in a browser, etc)--all those methods should fail because the process that attempts to write the new value is also running as UserX.

[_dandy_]

Any update? I'm curious...

[JoeyF]

We did eventually manage to stop people from changing their wallpapers. It's a fairly crude method, but it does work well.

There were two ways people were changing wallpapers:

1) Mozilla Firefox

2) Third party wallpaper managers

I don't know exactly how, but the other tech managed to lock "firefox wallpaper.bmp", so that if someone tried to change their wallpaper in firefox, it would not change. I think he found a way to make the file read only, and so that people can't change the read-only status. I don't know how he pulled that off, I wasn't there that day.

The third party programs were easy. Students don't have permission to write any data to program files, they only have read only access. The same goes for the windows directory. So the easiest solution was to use a GPO to block all programs not located in C:\Program Files, C:\Windows, or specific read-only shares located on one of our file servers.

It's not the best solution, but so far it seems to be taking very good care of the wallpaper issues. Furthermore, students were installing games into their documents folder, and that took care of those games too.

[portauthority]

You can also create a custom ADM file that resets the wallpaper entry in HKCU.