Forced wallpaper via a GPO

By JoeyF
in Microsoft (Windows)

 Share

Recommended Posts

Proficient

JoeyF

Posted
Posted

I work for a high school as a computer technician. Me and the other tech want to set a specific wallpaper that will display on all computers when an user is logged in. We plan on using a GPO to enforce this.

We tried using a registry setting to change the wallpaper at login. However, after they log in, they can still change it. We have display properties disabled, but the students found several programs that still let them change the wallpaper.

Is there any way to absolutely force the wallpaper, with no way whatsoever to change it? A GPO is majorly preferred, but if there is something we would have to edit on the individual computers (like a third party program or something that can't be set through GPO), that wouldn't be too much of an issue.

Link to comment
https://www.neowin.net/forum/topic/699048-forced-wallpaper-via-a-gpo/
Share on other sites
Rising Star

u2_storm

Posted
Posted

Did you set it in

GP>User Config>Admin template>desktop>active desktop> allow only bitmapped wallpaper /active desktop wallpaper

GP>User Config>Admin template>control panel>display> prevent chaging wallpaper

I -think- thats how I stoped my users I can't see my GP as I got made redundant but looking on my 2k3 server it looks right.. let me know

Proficient

JoeyF

Posted
  • Author
Posted
Did you set it in

GP>User Config>Admin template>desktop>active desktop> allow only bitmapped wallpaper /active desktop wallpaper

GP>User Config>Admin template>control panel>display> prevent chaging wallpaper

I -think- thats how I stoped my users I can't see my GP as I got made redundant but looking on my 2k3 server it looks right.. let me know

It seems that we already tried all of those. I checked every setting in our group policy and all of those were already enabled and applied to the computer labs.

They do work quite well, but it seems that people are still able to override them. Even Firefox, if you right click on an image on a webpage, you can still set it as the wallpaper, even with those policies applied.

Proficient

JoeyF

Posted
  • Author
Posted

We just tried this GPO on a single pc:

User Configuration> Administrative Templates> Desktop> Active Desktop> Active Desktop Wallpaper

We enabled that, and than changed the path to a local wallpaper. It worked, and anything we threw at it couldn't change the wallpaper. However, it was logged in as a local account.

We logged out of the local account, and into a domain account (a test account with student permissions). The wallpaper didn't even apply, and we were able to change it with ease using the third party programs and Firefox.

Tony (the other tech) than logged in as his non-administrator account, and the wallpaper did apply, and he again was unable to change it.

It probably is worth noting that every account has redirected folders and roaming profiles. The tech people (Tony and I) are the only exception to this rule (we use flash drives instead).

So long story short:

1) We used a GPO to save this setting

2) The accounts that do not have redirected folders or roaming profiles are effected by this GPO, and can't change wallpapers, but that would be pretty much me and one other person.

3) Everyone else (who does have redirection and roaming) is not effected by this GPO.

It seems that the issue is with the roaming profiles and folder redirection. Any ideas?

Grand Master

Joel

Posted
Posted

The issue is not that you use roaming profiles and folder redirection, the issue is that the domain account overrode the local account settings you made in the local GPO. Make a test OU in the AD and do your tests with that. Never test a domain policy with a local account, nor ever test a policy made locally with your domain account. A test OU costs you nothing, so make them and use them. Test accounts, too.

Proficient

JoeyF

Posted
  • Author
Posted

That is what I thought at first, I thought the domain's GPOs were overriding the local ones, but like I said, the other tech was able to log into his account (domain user, non-administrator, no roam or redirect) and the local GPO applied to him. So we did manage to get the local GPO to apply to a Domain user.

Proficient

JoeyF

Posted
  • Author
Posted

We essentially did try that, to the same results.

We did try using the GPO on a domain level, and applying it to the container that our test computers are in, and seemed to have even worse luck than a local policy. We could not get the wallpaper to apply to a single account

Rising Star

u2_storm

Posted
Posted

What would happen if you created a new computer OU. created a new user & applied a group policy to that OU does that work?

Ah! If I remember correctly I had to apply the GPO to the User & Computer. I don't know why but I'm sure it worked.

BTW Joey H: where on Earth are you?

Grand Master

Joel

Posted
Posted
We essentially did try that, to the same results.

We did try using the GPO on a domain level, and applying it to the container that our test computers are in, and seemed to have even worse luck than a local policy. We could not get the wallpaper to apply to a single account

You can't apply a User Configuration GP to a computer. That would be a very large mistake. You apply User Configs to user objects, and Computer Configs to computers.

Proficient

JoeyF

Posted
  • Author
Posted

u2_storm: I'm on the part that isn't an ocean. More specifically, St. Louis metro.

On Tuesday and Wednesday, I had a few problems I had to deal with (one of our servers was down, and we had to get a computer lab moved), so I didn't pay much attention to the wallpapers. I'm gonna try the new computer OU on Monday and hope it works. I'll let you all know. But I do appreciate all the help so far. Thank you :)

Grand Master

JustGeorge

Posted
Posted (edited)

http://support.microsoft.com/kb/327998

Following the above instructions, they will not be able to change the wallpaper in IE but will be able to in Firefox. Even of they change it in Firefox, the wallpaper will reset back to gpo defined wallpaper after reboot or logoff/logon. I have the same problem at my job so I feel your pain :/

Edited by VRam
Grand Master

ozgeek

Posted
Posted

Or just leave it alone. what harm to work can a picture on a desktop do? They allow users to feel relaxed and will allow them to work in an environment that is familiar to them, increasing their productivity. Forcing a boring same wallpaper every login is silly and boring.

Grand Master

JustGeorge

Posted
Posted
Or just leave it alone. what harm to work can a picture on a desktop do? They allow users to feel relaxed and will allow them to work in an environment that is familiar to them, increasing their productivity. Forcing a boring same wallpaper every login is silly and boring.

Its a distraction. Our kids should be focusing on their work and not searching the net for a the latest pic of 50 cent or the newest Ferrari to set as their wallpaper. People also tend to frown on their PC greeting them with a pornographic image when booted. I like keeping all the machines uniform and neat and since I'm the one who has to fix what they screw up, I feel I have a right to make it so.

Grand Master

Joel

Posted
Posted
Or just leave it alone. what harm to work can a picture on a desktop do? They allow users to feel relaxed and will allow them to work in an environment that is familiar to them, increasing their productivity. Forcing a boring same wallpaper every login is silly and boring.

Leaving it to the user could contravene the company's AUP. Don't spout crap about a work environment you don't understand.

Mentor

_dandy_

Posted
Posted

Not sure why the wallpaper can be changed despite the group policies, but how about overriding the default permissions for the registry key (whatever it is) that defines the wallpaper currently in use? I would *think* that if a user doesn't have sufficient rights to update the key--whatever the means used--then a new wallpaper couldn't be specified...

Grand Master

JustGeorge

Posted
Posted

I thought I found the magic bullet when someone on the net suggested unregistering the shimgvw.dll (removes the "set as desktop background" context menu, but found that also disables the Windows picture and Fax viewer which makes the trick useless. I guess you could install another picture viewer, but thats just another program to maintain. Microsoft should fix the group policy setting to do what it claims to do prevent changing wallpaper.

Proficient

JoeyF

Posted
  • Author
Posted (edited)
Or just leave it alone. what harm to work can a picture on a desktop do? They allow users to feel relaxed and will allow them to work in an environment that is familiar to them, increasing their productivity. Forcing a boring same wallpaper every login is silly and boring.

We have many complaints from teachers about wallpapers. There are some students who spend way too much time looking for new wallpapers and not paying attention to their classwork. Also, alot of students seem to have no sense of decency. I've seen wallpapers containing nudity, pornography/hentai, racism, sexism, drug use, just about everything that someone could find highly offensive. The teachers do send students out of class when something like this comes up, and the students do receive discipline, but we don't want it there in the first place. Even if it is not inappropriate, students like to show off their wallpapers, which creates distractions in class.

Not sure why the wallpaper can be changed despite the group policies, but how about overriding the default permissions for the registry key (whatever it is) that defines the wallpaper currently in use? I would *think* that if a user doesn't have sufficient rights to update the key--whatever the means used--then a new wallpaper couldn't be specified...

To my understanding, registry editing is pretty much restricted. The users can't directly access the registry, and the fields that they can edit are very limited in number. I would believe that the registry strings that control the wallpaper would be locked, but if they aren't, that could be a pretty big hole right there. That is defiantly something I will talk to the other tech about, and we'll investigate it.

Edited by Joey H
Mentor

_dandy_

Posted
Posted
To my understanding, registry editing is pretty much restricted. The users can't directly access the registry, and the fields that they can edit are very limited in number. I would believe that the registry strings that control the wallpaper would be locked, but if they aren't, that could be a pretty big hole right there. That is defiantly something I will talk to the other tech about, and we'll investigate it.

I don't suspect that students are directly editing the registry, but whatever means they use to change the wallpaper, would run using the same security privileges as that user.

So if you remove the privileges for the registry key for UserX, then it doesn't matter *how* UserX tries to change the wallpaper (desktop properties, Use As Wallpaper in a browser, etc)--all those methods should fail because the process that attempts to write the new value is also running as UserX.

Proficient

JoeyF

Posted
  • Author
Posted

We did eventually manage to stop people from changing their wallpapers. It's a fairly crude method, but it does work well.

There were two ways people were changing wallpapers:

1) Mozilla Firefox

2) Third party wallpaper managers

I don't know exactly how, but the other tech managed to lock "firefox wallpaper.bmp", so that if someone tried to change their wallpaper in firefox, it would not change. I think he found a way to make the file read only, and so that people can't change the read-only status. I don't know how he pulled that off, I wasn't there that day.

The third party programs were easy. Students don't have permission to write any data to program files, they only have read only access. The same goes for the windows directory. So the easiest solution was to use a GPO to block all programs not located in C:\Program Files, C:\Windows, or specific read-only shares located on one of our file servers.

It's not the best solution, but so far it seems to be taking very good care of the wallpaper issues. Furthermore, students were installing games into their documents folder, and that took care of those games too.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Waymo recalls self-driving software after cars enter closed freeway work zones

      By RangerLG · Posted

      Just saw a news report of a Waymo driving into a flooded road.
    • Password Safe 3.72.0

      By Copernic · Posted

      Password Safe 3.72.0 by Razvan Serea Password Safe is a password database utility. Like many other such products, commercial and otherwise, it stores your passwords in an encrypted file, allowing you to remember only one password (the "safe combination"), instead of all the username/password combinations that you use. Once stored, your user names and passwords are just a few clicks away. Using Password Safe you can organize your passwords using your own customizable references—for example, by user ID, category, web site, or location. You can choose to store all your passwords in a single encrypted master password list (an encrypted password database), or use multiple databases to further organize your passwords (work and home, for example). And with its intuitive interface you will be up and running in minutes. PasswordSafe was originally designed by the renowned security technologist Bruce Schneier and released as a free utility application. Password Safe 3.72.0 changelog: Fixed bugs Improved font scale handling - should resolve font size issues on high resolution displays. GH1749 In the Master Password Setup window, "Show Master Password" is no longer truncated on some displays. GH1092, SF1595 Size and position of main window is now correctly restored on scaled displays. SF1630 Keep password expiry date when both password and password expiry are changed; don't clear a non-recurring expiry when the password's changed. SF1628 Custom values can now be copied to the clipboard in read-only mode via Ctrl-C and right-click->Copy Value. New features GH1196 Dark display mode support: Password Safe now supports the system display mode, as well as setting the mode directly via Manage->Options->Display->Display Mode. This change also updates the general "look & feel" of the app to the current Windows theme. Known limitations: The Date picker and keyboard shortcut controls do not switch to dark theme The Customize Toolbar dialog does not switch to dark theme Custom Field support has been added to the more advanced features: Filters XML and Text import and export Comparison, Sync and Merge databases SF938 Custom field values may now be selected by name and copied via a "Copy Custom Field Value..." submenu in the entry context popup menu. SF936 Notes and Custom fields layout now overlap, selectable by tabs, resulting in a more compact and less cluttered layout. SF935 Autotype: Specifying '\v{name}' in the autotype text will cause the corresponding value to be autotyped. Download: PasswordSafe 64-bit | Portable 64-bit | ~20.0 MB (Open Source) Download: PasswordSafe 32-bit | Portable 32-bit View: PasswordSafe Website | Quickstart Guide | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Google DeepMind AI Control Roadmap: When Alignment Fails, Defense-in-Depth Takes Over

      By +TRS-80 · Posted

      Google DeepMind published a document on June 18, 2026, that may be the most consequential admission yet from a frontier AI lab: alignment training alone cannot guarantee that AI agents will remain under human control, so structural containment must be built before more capable models arrive.............. https://www.techtimes.com/articles/318758/20260620/google-deepmind-ai-control-roadmap-when-alignment-fails-defense-depth-takes-over.htm  
    • Creative Sound Blaster AE-X PCIe review: your headphones will love it

      By Taliseian · Posted

      I've got a SoundBlasterX G6 that I use in my streaming setup. Sounds great to me and I've had zero issues with the ancient software package so far in Win11. That G6 has 7.1, Dolby, fully working SPDIF and since it's a USB device it's outside of my rig so I don't have to worry about EMF distortion. Looks like for now this is a pass for me as I think I have better hardware....
    • Creative Sound Blaster AE-X PCIe review: your headphones will love it

      By OldGuru · Posted

      How do you connect 5.1 Speakers to this thing?

  • Recent Achievements

    • Dedicated
      JuvenileDelinquent earned a badge
      Dedicated
    • First Post
      DrWankel earned a badge
      First Post
    • Reacting Well
      DrWankel earned a badge
      Reacting Well
    • Week One Done
      Supreme Spray LV earned a badge
      Week One Done
    • Week One Done
      Genuinetonerink- Dubai earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      503
    2. 2
      +Edouard
      170
    3. 3
      PsYcHoKiLLa
      88
    4. 4
      Steven P.
      75
    5. 5
      Michael Scrip
      74
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!